[ADMN/SEC/FIX] MixedModeAuth 2.4 - Secure mixed offline/online mode servers [1337]/[1597]

Discussion in 'Inactive/Unsupported Plugins' started by Thulinma, Sep 10, 2011.

Thread Status:
Not open for further replies.
  1. This project is a fork from AuthPlayer by Arcalyth. He created a plugin that allows you to spoof names server-side for use in a LAN - I upgraded the code with full support for secure online/offline mixed mode servers through a simple PHP script or a modded CraftBukkit build.

    • Supports a mix between premium and non-premium users, or only premium users with support for logins when the main minecraft.net login is down.
    • No logging in needed if minecraft.net servers are up!
    • Secure! Protection against name spoofing!
    • Supports regular whitelisting, permissions and all other access control methods without needing to change the setup.
    • Prevents players kicking each other off (auto-renames "player" to a temporary name on connect)
    • Prevents players that are not logged in from doing anything besides walking around. No doors, no switches, no damage, no items. Really, nothing except walking around.


    Source, bug reports, feature requests, etc here! I also read this topic, of course...

    Downloads Removed - SwearWord

    Changelog:
    Version 2.4:
    - New default config file - will be written if no config file is found (tip: delete your config and reload plugin to reset to defaults / see explanation text).
    - Localization support (all messages to players are now in the config file and can be edited).
    - Kick timer (kicks people out if they do not login within set-able timeout).
    - Possibly fixed Spout support (untested, please test and report back if you are using Spout!).
    - Added option to not block interactions when not logged in.
    - Added option to kick users that are trying to connect using a name that is already in use (reverses normal behaviour of kicking the logged-in user).
    - General performance improvements and small bugfixes.

    Version 2.3:
    - Passwords are now saved encrypted.
    - Server mod updated to report version number correctly (fixes issues with some plugins / server managers)
    - Added support for not-renaming guests

    Version 2.2:
    - Updated to new Configuration API
    - Added check for server mod, will automatically switch to legacy mode if mod is not detected.

    Version 2.1.1:
    - Fixed the error about wrongly installed script being displayed even when legacy mode is not enabled. No other changes - you can safely keep using 2.1.0 instead of this version.

    Version 2.1.0:
    - Switched to BukkitPermissions - should now work with all modern permissions plugins.
    - Re-added support for hosts file editing, no longer requires modded CraftBukkit build.
    - Modded CraftBukkit build still preferred method, though!
    - Now displays more info in the server console.
    - Hopefully fixed permissions problems (player kept permissions of original username, even if auth was done afterwards).

    Version 2.0.1:
    - Major rewrite.
    - No longer requires hosts file editing or PHP script.
    - Now requires modded CraftBukkit build (included in download, source for mod available on my github!)
    - Don't want to or cannot run a modded CraftBukkit build? Use version 1.0.2 - it still works as before, but requires the PHP script and hosts file to be set up (see more information page below).
    - Fixed display issues for 1.8.
    - Fixed names not showing up correctly sometimes.
    - Added config file with insecure mode option (not recommended to use insecure mode for right now - quite experimental still).

    Version 1.0.2:
    - First public release

    How does it work?
    You run the server in online mode. The requests from the server that go to minecraft.net to verify the account are monitored through a small CraftBukkit mod or routed through a PHP script by use of a hosts file edit. Source for the server mod is available in my github, you can compile it yourself if you don't trust my build.
    If the account is minecraft.net verified, the user is automatically identified as themselves (and will be asked to set a password if they do not have one already). If it is not, the user is renamed to "player_[NUMBER]" to prevent people from kicking each other off, and then asked for their name and password to play, after which they will be renamed to their real username.

    For more detailed information, permissions, etc look here!

    Todo list: (mirror of this page)
      • Kick players if no login within X seconds
      • Custom messages
      • .....?
     
    re4397 and CoolOppo like this.
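
The flow described under "How does it work?" and the 2.1.0 permissions fix, modelled as an added Python example that is not part of the original post and is not the plugin's Java code. The `Session` class, the PBKDF2 password store and the sample `Admin` account are assumptions made for illustration; the page does not say how the plugin stores passwords or looks up permissions.

```python
import hashlib
import hmac
import itertools
import os

_guest_ids = itertools.count(1)
ACCOUNTS = {}                      # name -> (salt, digest); constructed local store
PERMISSIONS = {"Admin": {"op"}}    # constructed sample permissions


def _digest(password, salt):
    # Salted, slow hash (assumed scheme) so the stored value does not
    # reveal the password to whoever can read the account file.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(name, password):
    salt = os.urandom(16)
    ACCOUNTS[name] = (salt, _digest(password, salt))


class Session:
    def __init__(self, claimed_name, verified):
        # verified: outcome of the online-mode account check for claimed_name.
        self.claimed_name = claimed_name
        if verified:
            self.identity = claimed_name
            self.display_name = claimed_name
        else:
            # Unverified: temporary name and no identity, so the claimed
            # name cannot kick the real player or inherit their rights.
            self.identity = None
            self.display_name = f"player_{next(_guest_ids)}"

    def login(self, name, password):
        record = ACCOUNTS.get(name)
        if record is None:
            return False
        salt, stored = record
        if not hmac.compare_digest(stored, _digest(password, salt)):
            return False
        self.identity = self.display_name = name
        return True

    def permissions(self):
        # Keyed on the authenticated identity, never on claimed_name.
        return PERMISSIONS.get(self.identity, set())

    def may_interact(self):
        # Not logged in: walking around only.
        return self.identity is not None
```
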
  2. Tsusai

    EDIT: I may have to retract my bug statements. I think I got it to work. Mental Note, don't run multiple instances based on the same appdata at 2 am in the morning.

    I got the script working with php with lighttpd on my mineos+ box with the following corrections:

    <? to <?php
    Added missing ?> at the end

    However this is where I seem to be getting stuck now:
    My premium account logs in fine. I know the script is working in this part when I edit
    Code:
      if ($log[$_REQUEST['premium']] == "YES"){echo "PREMIUM";}else{echo "NOTPREMIUM";}
    to
    Code:
      if ($log[$_REQUEST['premium']] == "YES"){echo "NOTPREMIUM";}else{echo "NOTPREMIUM";}
    as it will go "Tsusai entered the game, please authenticate".

    Now, if I login on my 2nd account, a non premium one. I login. Minecraft goes "User not Premium". I hit Play Offline. Mojang Logo, Multiplayer, and then it slaps me with a User Not Premium. I had hoped that it would still log me in and ask me to /auth username password like it does when I turn online mode off.

    This looks like a great minimalist plugin to let me resume playing when minecraft.net goes down in a seizure fit, plus allowing 1 or 2 close friends in who haven't acquired premium.

    Thank you for your time.
     
  3. Ah, yes. There is a slight problem in that the client itself still checks with minecraft.net too if it is allowed to join the server or not. I wrote some scripts for this case that will fake a positive response to the client, but of course then you need to edit the hosts file on the client as well, which is quite annoying and breaks a lot of things (the MC website as well as the update checker, among others...).

    When minecraft.net is offline it doesn't tell the client it is not allowed to join the server, so this issue shouldn't happen in that case. If you want to let people without valid minecraft.net accounts play on your server, I suggest one of the many "cracked" clients. All of them should work just fine with my plugin/script, asking the nonpremium user to login when they connect to the server.

    I'm still working on something that will allow play when mc.net servers are not fully down... but there are a lot of minor technicalities involved (such as password security - I do not want server admins to be able to collect all their users passwords!) and I don't know if such a solution will be possible at all.

    About the PHP script: Ah, yes, I guess I should support more restrictive PHP configs as well :) I'll edit the file in the next release (which should be coming in a few days). Thanks for your feedback!

    EDIT: I plan on creating both an (optional) server mod and an (optional) client mod that will get this stuff fully working.
    The server mod will eliminate the need to change the hosts file, and thus the need for root access on the server. All it does is reroute the check to a different URL.
    The client mod will permit you to continue logging onto a server if the MC server does not respond or says you are not allowed, basically enabling playing in offline mode as well as enabling playing when MC servers are either slow or down. Both client and server mods will be released shortly after all the 1.8 stuff has settled down some :) Of course this plugin can always be used in "vanilla" mode as well, no problem. It will just be slightly less effective.
     
  4. Tsusai

    I understand.
    Stuff I'm just throwing out there:
    1) it works great as a means of running an offline mode server. If you're concerned about passwords, can't you MD5 them and store, and then compare hashes when the client authenticates?

    2) Out of curiosity, how does the client go about being told "This here is a Premium Server"? Although I presume there is no means to modify packet data as a plugin...idk.

    Just thoughts that might be helpful :)
     
  5. 1) Yes. I plan to do this eventually, just haven't gotten around to it yet. Working software first, then polish and all that...

    2) The server sends a packet that lets the client know if they need to be premium or not. This can easily be turned off (which is basically running in offline mode) but then there's no way to detect if somebody is premium or not anymore - this information is only sent in online mode. The modded client would basically ignore the "this is a premium server" bit and continue to sign on anyway.

    Update on progress of new version:
    - I have a craftbukkit build that allows my plugin to check if users are premium or not, and a new plugin build that uses this method to do so. I'll upload them later after some more testing, just to be sure.
    - I added an insecure mode option, as well as a config file.
    - I fixed the issues with names not displaying correctly.
    - I fixed the issue in 1.8 of names appearing double.

    Coming soon... :)

    EDIT:
    Ah, screw it. Here's a testing version.
    This download contains craftbukkit 1118 1121 1123 1149, with a few lines of sourcecode changed so my new version of the mod works, as well as my new version of the mod. No support for this one though, not until it's an official release... New version of mod will *only* work on this build of craftbukkit, for right now. That means 1.8-only, for now!
     
  6. mdcollins05

    Hi,
    Just wanted to say I love the idea of the plugin, but there are a few bugs with it.

    The first bug is when the server is unable to authenticate you with the minecraft.net server and it changes your name, you go to spawn, but it's too exact. It placed me at exactly x,y,z 0,64,0 which in my case was inside a block. Not a big deal, I fixed it by modding the terrain around spawn.

    The second bug is again when the server is unable to authenticate you with the minecraft.net server. After your name changes you still have access to the commands of the account you tried to log into. So someone could try to login as someone with op powers and could run any of their commands.

    Hopefully the bugs can be worked out, as I'd love to use this.
    Thanks!
     
  7. I think I fixed both of those bugs in the dev build (see github), the version that works for 1.8. If you can, please verify!
    As soon as a RB comes out for 1.8, I'll update the non-dev build to match :)
     
  8. jase240

    Does anyone have a host for the checkserver.php I can use? I can't add it to my hosts because it's a directory of my website. Example gothicfury.info/checkserver.php I can't put that in my hosts file :(
     
  9. mdcollins05

    @jase240 - is your website also accessible by ip address? If so, that is what you would use in the hosts file.

    For example, in mine:
    Code:
    some.ip.in.here   minecraft.net
    some.ip.in.here   www.minecraft.net
    Hope that helps.
     
  10. jase240

    I tried putting the checkserver.php in my website directory, but it never worked. I could access it in my browser by going to gothicfury.info/checkserver.php but my server wouldn't authenticate, and www.minecraft.net only went to my website index page.

    EDIT - I have both minecraft.net and www.minecraft.net in my hosts file pointing to my website IP and it loads my main page for the site only. I have the script at gothicfury.info/checkserver.php

    The server still won't authenticate, I don't know what to do... :(

    EDIT again - I switched to online mode O_O and it would authenticate premium accounts, however would not auth non premium instead giving them the normal "Bad Login" message
     
  11. mdcollins05

    You'd need to login as a premium account first then create a password. After that you can log in as a non-premium user and authenticate.
     
  12. jase240

    oh i see.... thanks
     
  13. Since the RB is out.... I updated this plugin to 2.0.1.
    Enjoy!
    Be sure to check the more info page referenced in the topic for all the details you need as well as a client mod that works along with this for the full experience.

    I'm sure there's still some bugs in 2.0.1 - please report them if you find any!

    If you do not want to run a modded CraftBukkit (or are not able to), the 1.0.2 version still works. The login server changed to session.minecraft.net though, so update your hosts file to match. If there are requests, I can update the 1.0.2 version to also include the 2.0.1 fixes - but I think most people would prefer running the much easier to setup 2.0.1+mod... Or am I horribly mistaken?
     
  14. mdcollins05

    I'd love a plugin only option. Are the changes to CraftBukkit necessary for the full function of the plugin? If so, I wonder if the CraftBukkit team would accept any patches for future versions.
     
  15. jase240

    Okay, when I try to login to test in offline mode, it says Bad login still requires only premium verified accounts to login..
     
  16. You'll have to supply some more information if you want assistance:
    - Are you using the 1.X or 2.X builds of the plugin?
    - If 2.X: Did you install the CraftBukkit mod and restart the server after mod install?
    - If 1.X: Did you make the hosts file changes and install the PHP script?
    - If 2.X: What config are you using for the plugin?
    - What mode is the server in (online/offline)?
    - Do you get any output on the server console? If so, what do you see?

    Edit: Reading back what you posted before, it looks like you didn't install the PHP script correctly. If you open http://www.minecraft.net/game/checkserver.jsp on the machine with the hosts changes (remember, this needs to be the server!) it should open the checkserver.php script. If this does not open, the script was not installed correctly. See also the instructions in the checkserver.php file itself, it might be a more clear explanation.

    Ok, I'll see what I can do.
    The changes to CraftBukkit allow the plugin to detect account premium/non-premium state and override the online-mode protection. Basically the same thing the hosts file edits do for the first version I released, but more elegant and less error-prone. The plugin will work without the modded server, but it will not be able to tell the difference between premium and non-premium accounts.
    I already submitted my changes as a patch to the CraftBukkit team, but they will not allow any code that can let non-premium players into online-mode servers so it was not added to the official build. :-( I argued that it is not any more or less secure than what is already there (after all, you can always use offline mode with any auth plugin to do all this already) but it's a matter of principle and it will not be added to the official builds.


    I'll see if I can make the plugin work in several "modes", one of them being hosts file another being modded server, etc. Also, if anyone thinks something is missing from this plugin, feel free to make suggestions! :)
     
  17. mdcollins05

    Is it possible to have the plugin check for a premium player when the server is set to offline mode? If that works, then the plugin can check each player as they join and if there's an issue checking ask for a username and/or password to authenticate.
     
  18. Unfortunately the minecraft client does not send any information at all about the player's premium status if the server is in offline mode, so unfortunately that approach will not work. I'm looking into other methods though... there are a few alternatives I have not tried yet.
     
  19. astinax

    @Thulinma Can you make the modded craftbukkit spout compatible and maybe talk to the spoutdev team to implement the client mod patch in spoutcraft?
     
  20. This modded craftbukkit build is just as compatible with spout as the real craftbukkit build.
    As for the client patch... do spout devs accept those kind of patches? I can at least point out what to change to make it work (or they can just copy the patch I uploaded to my github).
     
  21. astinax

    Yeah that would be awesome because for the time being spout doesn't accept any client mods. Is the modded Craftbukkit compatible with mcmyadmin?
     
  22. The modded Craftbukkit build only differs very very slightly from the official build.
    It should not break compatibility with anything. :)
     
  23. Robert Pendell

    Can we add support for PermissionsBukkit? It's not being detected by the plugin or being provided as a fallback.
     
  24. astinax

    It doesn't work with mcmyadmin. Every time I try something it says "bukkit sad bukkit want you to access command but bukkit cannot let you bukkit will drop tears" and a whole bunch of errors in the log.
     
  25. Shouldn't be too hard. I'll look into it.

    Does it work with the regular, unpatched, 1085? Really, I didn't change anything even remotely related to permissions, it would surprise me if this was caused by the patch. Perhaps your permissions plugin needs to be updated? I remember having similar issues until I updated my permissions plugin after switching to 1.8.
     
  26. astinax

     
  27. If it really doesn't work with mcmyadmin, the mcmyadmin developers are doing something seriously wrong. Contact them :)

    The only changes the modded version has can be seen here:
    https://github.com/Thulinma/CraftBukkit/commit/b38c27fc4d0af19f54123b5fb45e0d8124859dad
    Obviously this should not break mcmyadmin... unless, like I stated above, they are doing something very very wrong, somewhere.

    Version 2.1.0 is now out!
    Changelog in the topic.

    Important to note:
    - Now uses BukkitPerms, so should work with all permissions plugins now.
    - No longer requires the server mod (but server mod is still the best way to use it!) The server mod was not updated, no need to reinstall it.

    That means, you can now run this plugin in 3 different ways:

    Secure, modded:
    - Default config, requires modded CraftBukkit.

    Secure, legacy mode:
    - set "legacymode: true" in the plugin's config.yml file
    - checkserver.php script was updated to work with 1.8 (new session check URL)
    - Hosts file now needs to re-route session.minecraft.net to the server hosting the checkserver script.
    - No modded CraftBukkit required.

    "Insecure" mode:
    - Requires no mods or hosts edits - but does not recognize premium accounts.
    - Everyone will have to login to a local account.
    - Plugin basically works as a very simple and basic "normal" auth plugin.
    - To activate this mode, run server in offline mode OR set "securemode: false" in the plugin's config.yml file.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 19, 2016
  28. astinax

    How can you make people with cracked minecraft login?
     
  29. To do that, use any of the plugin modes and give out the "multimodeauth.create" permission to everyone. This will allow all (so also non-premium) users to make a (local) account for playing. Note that there is nothing stopping one person from making multiple accounts this way. More secure would be to have an op make the accounts on request.
     
  30. astinax

    Yes but when the person with the cracked minecraft tries to connect it says user not premium
     