[SEC] AuthMC - Global Authentication

Discussion in 'Inactive/Unsupported Plugins' started by XENGS, Jun 23, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    XENGS

    As AuthMC is almost finished (currently debugging), we thought about launching a Pre-Register period, so members can register their accounts, and server owners can try the plugin on their server. You can register an account by visiting the website, and download the plugin using the link below. If you wish, you can have a look at this graphical presentation of the plugin (ONLY the register link works, for downloads use the GitHub link).
    Features:
    = Server owners and hackers are unable to obtain your information!
    We designed a custom communication method through php's GET, which doesn't leave database credentials exposed or the ability of a password change by any server owner, or hacker.
    = Practical use of global plugins like McBans on offline mode servers.
    = No safety difference than online mode authentication.
    = Eliminates griefers, even with no integrated anti-griefing tools.
    = Basic and sufficient anti-bot protection.

    Download:
    https://github.com/kezz101/AuthMC/downloads

    Changelog:

    PRP 3.1
    = Fixed reload bugs
    PRP 3
    = Made sure the Listeners check if the Entity is Human
    = Removed the denial of onPlayerInventoryClick due to crashes during clicking
    = Removed the incorrect password limit. It needs tweaking.
    PRP 2
    = Fixed a bug when a user had entered an incorrect password
    PRP 1
    = First Release

    We are working on something on the server, you might experience some errors.
    If you do, just wait for a couple of seconds and retry.
    Sorry for any inconvenience.
    Regards,
    XENGS.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
  2. Offline

    Slymansyman

    Looks Good.
     
  3. Offline

    XENGS

    Thank you :)
    EDIT: Server changes still going on.

    Hello,
    We have finally done everything we needed.
    You no longer have to send premium password reset requests to me,
    but you can now submit a ticket over our helpdesk!

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
  4. Offline

    kezz101

    You can now download and try out the early stages of AuthMC! Downloads are available here, you can find the changelog here too!
     
  5. Offline

    Tim619

    Finally, this should be the best plugin for offline mode.
     
  6. Offline

    XENGS

    PRP 3.1 is almost ready to be released, that will be fixing several bugs.
    Kezz has been working on PRP4, and after that comes Beta!
    I've also been working on some (super secret :O) website updates!
    Stay tuned!
     
  7. Offline

    ZachBora

    XENGS just wondering why you're using a Map of player if you're only adding/removing it? You could put a String, player name instead? There's just so much talk about it being bad to put the player object inside collections that I thought if you don't really need it, why do it?
     
  8. Offline

    XENGS

    I'm not sure what you're talking about.
    If you're talking about the jar, you need to ask Kezz.

    edit: Forgot to mention PRP3.1 is released. Go grab that one, it fixes an important bug.
     
  9. Offline

    kezz101

    What would be the difference in using string, playername over player, boolean? Plus the talk about it being bad is only if a player leaves and their data is left in the Map, however AuthMC will remove them from the Map when they leave and when the server crashes, stops, starts, restarts etc.

    Oh and nice logo XENGS :)

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
  10. Offline

    ZachBora

    It also takes more memory.
     
  11. Offline

    kezz101

    Fair enough! Thanks for the advice, I'll put that into the next update.
     
  12. Offline

    ZachBora

    I was wondering if maybe it had to do with having 2 users online with the same name. What happens if it happens?
     
  13. Offline

    XENGS

    The record on the server (authentication one) is one. As long as one of the users, or even both know the right password, there should be no problem.
    Although Minecraft itself doesn't let someone join when the same nickname is already playing.
     
  14. Offline

    XENGS

    PRP 3.2 is almost ready to be released! Keep in touch!
    Once beta is out, there should be a site update with profile pages!
    (Fancy, huh? ^.^)
     
  15. Offline

    ZachBora

    So someone could be stalking. Say someone pretends to be me on a server, he doesn't know the password but he's preventing me from getting on.
     
  16. Offline

    Coelho

    The security in this is flawed. Any rogue server can steal the passwords given in login requests and take the account for itself.

    Also, doesn't this encourage pirating of the Minecraft game?
     
  17. Offline

    XENGS

    There is no difference on what you're saying, than any, ANY other authentication plugin out there.

    That is not possible.
     
  18. Offline

    Coelho

    You seem to have a misunderstanding about how Minecraft's authentication system works that is corrupting the logic behind yours. This is not secure at all, and thus can not be marked as a "security" plugin.

    Fix the security holes, otherwise no one will use this.

    PS: You don't even use HTTPS for the login requests.
     
  19. Offline

    ZachBora

    Oh it is very possible. I have a plugin that logs every command typed by players. If I install this plugin and someone comes on, types his credential and then I know his password.
     
  20. Offline

    XENGS

    Well, you got a point there. An SSL certificate as well as a TLD domain are planned once beta is out (that's the reason we got a VPS with a dedicated IP too).

    That's a good point too, I'll talk to Kezz about modding the client to accept passwords and removing the need of /login password when someone joins the server...

    I'm still working on improving the website as well as securing everything as much as possible, and we might be getting a second server in a different location for better uptime, as I've noticed our VPS gets down many times (but short length, 1-2 minutes. That's still bad for a plugin many servers depend on, though).
     
  21. Offline

    Coelho

    So what's the real purpose of this plugin? Give servers an alternative method for logging into Minecraft without the need of buying the game?

    Yeah. No.
     
  22. Offline

    XENGS

    I got a better idea before the post of your comment, but forgot to post it.
    We might be able to get things sent encrypted (With protected source, of course).
    About the command logging plugin, we will get a solution to that too (Maybe using
    the Book writing feature in the upcoming Minecraft version(s), or placing a sign.
    I'm pretty sure there are other easier things Kezz could do! Anyways, there will be
    a way to prevent that). Thank you for all your suggestions! :)
     
  23. Offline

    ZachBora

    Maybe something with command preprocessing.
     
  24. Offline

    kezz101

    Brilliant idea Zach, that way no other plugin can read the actual command. Very clever! I was thinking of just typing the password into the chat instead of a command...

    No! It's designed as a further level of protection. For example: me and my 3 year old brother both play Minecraft on my computer. Instead of buying 2 accounts and getting him to learn the username and password, I let him use mine. If he was to log on to the server I love playing on and smash everything up and I get banned, I cannot give any proof of it being him. With AuthMC I can go on servers with the joy of feeling secured :)

    Although it could be used as Offline mode authentication and we cannot stop that.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
  25. Offline

    ZachBora

    The plugin I use logs everything typed in chat, not just commands, so just typing in chat wouldn't be enough.
     
  26. Offline

    Coelho

    What if the server in question just modifies your plugin? I mean you DO make it open source...
     
  27. Offline

    kezz101

    AuthMC gets the command before it is technically registered as a command. So no logging plugin could get at it.

    Even if it was not open source people would still be able to modify the plugin. That's why soon I will be adding a feature that checks the code and disables the plugin if it has been modified.
     
    Omnitv likes this.
  28. Offline

    ZachBora

    That's exactly what the logger does.
     
  29. Offline

    kezz101

    Right. I have tried this out with all the major logging plugins. AuthMC will take the information from the command BEFORE any other plugin has a chance to touch it. Then it will cancel the command, leaving no trace whatsoever.
     
  30. Offline

    ZachBora

    Can you share how you do it?
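
Added example, not part of the thread and not AuthMC's code: a simplified, self-contained model of Bukkit-style event dispatch that shows which listeners still receive a `/login` command after one plugin cancels it at the earliest priority. The plugin names, the sample command and the rule that handlers of equal priority run in registration order are assumptions of this model.

```java
import java.util.*;
import java.util.function.Consumer;

// Simplified model of Bukkit-style event dispatch; this is NOT the Bukkit API.
public class CommandVisibilityDemo {
    // Same order as Bukkit's EventPriority: LOWEST is called first, MONITOR last.
    enum Priority { LOWEST, LOW, NORMAL, HIGH, HIGHEST, MONITOR }

    static class CommandEvent {
        final String message;
        boolean cancelled;
        CommandEvent(String message) { this.message = message; }
    }

    static class Handler {
        final String plugin; final Priority priority; final boolean ignoreCancelled;
        final Consumer<CommandEvent> body;
        Handler(String plugin, Priority priority, boolean ignoreCancelled, Consumer<CommandEvent> body) {
            this.plugin = plugin; this.priority = priority;
            this.ignoreCancelled = ignoreCancelled; this.body = body;
        }
    }

    // Returns the names of the plugins whose handler received the event.
    static List<String> dispatch(List<Handler> registered, CommandEvent event) {
        List<Handler> ordered = new ArrayList<>(registered);
        // Stable sort: equal priorities keep registration order (model assumption).
        ordered.sort(Comparator.comparing((Handler h) -> h.priority));
        List<String> received = new ArrayList<>();
        for (Handler h : ordered) {
            if (event.cancelled && h.ignoreCancelled) continue; // only opt-in handlers are skipped
            received.add(h.plugin);
            h.body.accept(event);
        }
        return received;
    }

    public static void main(String[] args) {
        Consumer<CommandEvent> observe = e -> { }; // stands in for any other listener
        Consumer<CommandEvent> consume = e -> { if (e.message.startsWith("/login ")) e.cancelled = true; };
        List<Handler> registered = new ArrayList<>();
        registered.add(new Handler("other-plugin-loaded-first", Priority.LOWEST, false, observe));
        registered.add(new Handler("auth-plugin", Priority.LOWEST, false, consume));
        registered.add(new Handler("other-plugin-default", Priority.NORMAL, false, observe));
        registered.add(new Handler("other-plugin-ignoreCancelled", Priority.NORMAL, true, observe));
        // Constructed sample input, not a real credential.
        System.out.println(dispatch(registered, new CommandEvent("/login example-password")));
    }
}
```

In this model, cancelling the event hides the command only from handlers that opted in to skipping cancelled events. Handler ordering therefore cannot keep a password confidential from the server it is typed into.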
     