Checking Minecraft.net authentication

Discussion in 'Plugin Development' started by Ziden, Jul 21, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    Ziden

    Hello there.

    Is it possible somehow to check if a player has authenticated at minecraft.net (seeing if it's original)?

    If it is, is it possible to apply a whitelist to only those who aren't authenticated?

    I would appreciate any help.
     
  2. Offline

    br0ad456

    What, so people who aren't using a legit Minecraft can't log on? I would use that on my server.
     
  3. Offline

    Bubylou

    In the server properties file you can set online-mode=true, which will authenticate the Minecraft account for you. A whitelist applies to everyone.
     
  4. Offline

    JamesShadowman

    -- EDIT --
    READ MY LATEST POST, I DISCOVERED SOMETHING. THE METHOD I PROPOSED IN MY FIRST POSTS IS MOST LIKELY IMPOSSIBLE
    _________________
    http://forums.bukkit.org/threads/plugin-for-offline-servers-exempting-from-auth.27456/
    I discovered a way. You need to read through. I'm not a Java Programmer, but I know what needs to be done.
    TL;DR It uses a URL From Minecraft.net I put in my posts, I posted several posts on how it would work.
    All it needs to do is find the ServerID of the Server (it changes, I don't know how to find it, but MineShafter finds it), and it takes the Playername and the Server ID, and plugs it into the URL, and the page determines if the account is premium or not by displaying "YES", or "NO". If it says "YES" It allows Premium Users in. If it says "NO" It kicks them out. There is also a List that should be in the Plugin that will allow usernames on the list not to be checked, and they are allowed in without the URL checking.
    Here is the URL - http://www.minecraft.net/game/checkserver.jsp?user=(Insert User Here)&serverId=(Insert ID Here) The ServerID and Playername go in the () things.
    If you want to understand this in a better explanation, please read the first post I wrote, and then the longer one, the fourth post I made in that thread.

    Aha, Found it. Someone else figured it out too.
    http://mc.kev009.com/Authentication
    Not the plugin, but he figured out the Auth....

    Hmm, Might be impossible after all. Bukkit sends the Hash to the Client, in Online Mode. The Hash is sent to the URL or something...
    Maybe a plugin could override what is sent? So that it sends the normal hash to people not on the list, and they get checked automatically, BUT, the people on the list receive the '-' hash, which allows them into the server without any checking?
    If it can't be done as a Plugin, Bukkit is Open-Source.... Which I believe means you can mess with it.
    _________________
    And if the Hash can't be overridden, then think about this. It authenticates off of the Minecraft Server using that URL. Well, is there a way to rewrite the route of the URL of the people who are on the list so that it will always say "YES". Mineshafter does something with a Proxy. It is in its Jar.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 17, 2016
    Ziden likes this.
  5. Offline

    Ziden

    I was thinking of running this in offline-mode, and the verification could be made in a plugin. onPlayerJoin, it verifies with that URL and the player name whether he's valid or not. The only problem, I think, is where I'm going to get that server ID from.

    Else, if it needs to be online, I believe it's something I would have to play with inside Bukkit's source code (no prob).
    Where should I start? :D
     
  6. Offline

    Crash

    I don't think it's possible with online-mode off, according to NetLoginHandler:
    Code:
            if (this.server.onlineMode) {
                this.i = Long.toHexString(d.nextLong());
                this.networkManager.queue(new Packet2Handshake(this.i));
            } else {
                this.networkManager.queue(new Packet2Handshake("-"));
            }
    The server hash isn't generated and it skips the login request packet (1).
     
    Ziden likes this.
  7. Offline

    JamesShadowman

    It needs to be online because during Offline mode, it doesn't generate a Server Hash ID. Instead, it uses the '-', rather than the Hash, and it goes through no verification. It has to be online.
    Just like Crash said before me. I am not a Java Developer, but I understand some things. That's why I don't develop it myself. I do not know where to start at, but... I'd suggest trying to Proxify the Route it goes to and it intercepts. Instead of heading directly to it, it goes to the proxy first after generating the hash. After the Hash is generated, it will see if the Player is on the List or not. If not, he will be redirected to the URL I listed above. If the person is on the list, it will re-route it to something that will always declare "YES".
    If the Proxify thing won't work (Or is too Advanced) you could try to Override the Hash. When it generates the Hash, it will look at the list. If the person is on the list it will give the Hash '-' which indicates no Verification and lets the person in. And everyone else will get a normal Hash.
     
  8. Offline

    Ziden

    Oh well, let's start playing with Bukkit's code then :)

    I'll disable the auth, while still making the auth and somehow saving it. I'll try using a simple SQLite for that matter, saving authenticated original players.

    I'm not really used to proxies, so it would be hard for me to use them. Would this be creating an intermediate receptor that works that packet before sending? Like a separate executable that scans net traffic for that packet and works it out? Seems a lot of work to me.

    Couldn't I create a 'fake' packet in a plugin that would contain a server ID that could be used to verify that?

    I appreciate all your help! I think this is a very interesting point, so we could create intermediate servers, not the 'only original' ones and 'free for all' ones; we could do Mojang a HUGE, IMMENSE favor!
     
  9. Offline

    JamesShadowman

    I'm not sure honestly, I apologize. And I'm not sure if the Fake Packet Idea will work. I think Hash Data is also Generated while interacting with Minecraft.net, I'm really not sure what would work, all I can think of are interceptors that either intercept Hash Data for people on the List, or Intercept the Route of the URL the Listed Users go to.
     
  10. Offline

    Ziden

    Well, now, taking a deep analysis of the MC server's code.

    Code:
    
    private static Random d = new Random();
    private String i = "";

    public void a(Packet2Handshake packet2handshake) {
        if (this.server.onlineMode) {
            this.i = Long.toHexString(d.nextLong());
            this.networkManager.queue(new Packet2Handshake(this.i));
        } else {
            this.networkManager.queue(new Packet2Handshake("-"));
        }
    }
    Is that hash random? It seems so to me!!

    I'm not really used to sockets, so I'm kind of lost on this. How do I get the return value of that package?

    I'm taking a look at the networkManager class, and it's not really pointing me to anything. Here's the code to make life easier:

    http://pastebin.com/rkizsMpa

    If I knew how to get the response from that packet, since that String being passed on is just randomly generated, I could, inside a plugin, send a fake package, grab the response, and the plugin treats fake users, making their life harder.

    The idea is to create a 'trial' game on my server for those who didn't buy Minecraft.

    Edit: Something interesting I've just found in LoginHandler

    Code:
    public void a(Packet1Login packet1login) {
        this.g = packet1login.name;
        if (packet1login.a != 14) {
            if (packet1login.a > 14)
                disconnect("Outdated server!");
            else {
                disconnect("Outdated client!");
            }
        }
        else if (!this.server.onlineMode)
            b(packet1login);
        else
            new ThreadLoginVerifier(this, packet1login, this.server.server).start();
    }
    It's starting to get confusing, but I'm starting to get things going. I'm going to check that ThreadLoginVerification since I believe that's where the secret is. Isn't it?

    This is getting pretty interesting :)
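
An added example (not code from any poster or from Bukkit) of the server-side check discussed in the posts above: generate a per-connection server ID, query the checkserver.jsp URL quoted earlier in the thread, and admit the player only on an exact "YES", treating everything else as unverified. The class and method names, the stubbed HTTP fetcher, the player names, and the use of SecureRandom in place of the java.util.Random in the posted handshake code are assumptions of this example; it needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.function.Function;

// Added example: fail-closed premium check. All names here are hypothetical.
public class SessionCheck {
    private static final SecureRandom RNG = new SecureRandom();

    // Per-connection server ID, same hex format as the posted handshake code,
    // drawn from a CSPRNG (assumption: swapped in for java.util.Random).
    static String newServerId() {
        return Long.toHexString(RNG.nextLong());
    }

    // Player names arrive from the network, so encode them before they go
    // into the query string of the URL quoted in the thread.
    static String checkUrl(String user, String serverId) {
        return "http://www.minecraft.net/game/checkserver.jsp?user="
                + URLEncoder.encode(user, StandardCharsets.UTF_8)
                + "&serverId=" + URLEncoder.encode(serverId, StandardCharsets.UTF_8);
    }

    // Only an exact "YES" verifies. "-" (offline-mode handshake), any other
    // body, and any fetch error all count as not verified.
    static boolean isVerified(String user, String serverId, Function<String, String> fetch) {
        if (serverId == null || "-".equals(serverId)) return false;
        try {
            String body = fetch.apply(checkUrl(user, serverId));
            return body != null && "YES".equals(body.trim());
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String id = newServerId();
        // Constructed stand-in for the session service: only "Alice" joined with this ID.
        String joined = checkUrl("Alice", id);
        Function<String, String> stub = url -> url.equals(joined) ? "YES" : "NO";
        Function<String, String> down = url -> { throw new IllegalStateException("timeout"); };

        System.out.println("joined player:    " + isVerified("Alice", id, stub));
        System.out.println("other player:     " + isVerified("Mallory", id, stub));
        System.out.println("odd name encoded: " + isVerified("Alice&serverId=" + id, "0", stub));
        System.out.println("offline '-' id:   " + isVerified("Alice", "-", stub));
        System.out.println("service down:     " + isVerified("Alice", id, down));
    }
}
```

In a plugin the fetcher would be a real HTTP GET with a short timeout, run off the main server thread.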
     
  11. Offline

    Ziden

    Well, I got myself stuck. I can't actually know what I could do.

    I believe I could disable offline mode through Bukkit's own code, as told above. Then, somehow in a plugin, I could start a
    new ThreadLoginVerifier(this, packet1login, this.server.server).start(); with a fake packet login?


    I'm still kind of lost. I believe this information would be useful to servers that are willing to support Mojang while still having offline-mode ON. I have 100+ players with offline mode, and 15 players with online mode; all I want to do is give original Minecraft users advantages.
    I would really appreciate any help. I think this could turn out to be a simple plugin API for other plugins to do so.
     
  12. I've been looking into this as well, recently.

    Unlike you (Ziden) I am not quite as versed in Java (I'm more of a C++ guy), but I'm very experienced with raw sockets and network connections.

    This is what needs to happen:

    The server needs to generate the hash, as well as send it to every client like normal.
    The response from the client then needs to be ignored (in effect turning all server-side online-mode security off, but still making potential players authenticate with the minecraft.net servers!).
    Now, it is easy for a plugin to complete the authentication manually (I have already written an edit to an existing auth plugin that does this - very easy to do) and thus verify if a player is premium or not. Non-premium players can then be renamed to "player_3749274" (could be a random number - I use entity ID right now) and asked for name/pass in-game, after which they gain the name/account that they logged in as - providing offline-mode style login. Premium players would then not need to login and the server would still be secure. Alternatively it would be easy to give non-premium players only a few minutes of play time or something similar, as long as the server ignores the "LoginVerifier" check.

    My Java knowledge is not enough to get this to happen, but I have the plugin that checks the premium status already done. Perhaps you can do the part I can't? So, in short:
    - Generate hash even in offline mode
    - Send hash even in offline mode
    - Do not check hash in offline mode, do check in online mode.
    - "getServerId()" needs to be set (with generated hash) for plugins to read and complete authentication manually.

    That's it. The rest is already done, waiting for this little part...

    Edit:
    Nevermind. I got it figured out. This can be done completely without altering the server, fully in a plugin. I'm on it. Expect something to be released that can do exactly this in a few days :)
     
  13. Offline

    EvilWitchdoctor

    Thulinma, I know it's been some time since you posted this, but I could use this plugin, or even better, its source ;)
    If you have a link to it, that would be awesome. Thanks!
     
  14. Offline

    dpajd
