Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    CypherX

    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page: http://dev.bukkit.org/server-mods/xauth/

    Thanks to everyone who has shown support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel (irc.rizon.net #LoveDespite) or toss me a message at http://love-despite.com/forum. Until we meet again, stay gold. Bang.

    ------------------------------------------------------------------

    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate himself or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.


    Features
    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pick up items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lockout the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dying to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.
     
  2. Offline

    CypherX

    MySQL is more advanced (in terms of manipulation through querying), doesn't require an outside library (included in craftbukkit), and makes my life a hell of a lot easier.

    See my first answer to Hydrosis.
     
  3. Offline

    LlmDl

    CypherX I love the H2, if you haven't completely made up your mind, please consider leaving it in as an option!
     
  4. Offline

    raidmax21

    I must agree with LlmDl.

    My server has had its MySQL reset 3 or more times and it's a massive server, I could not afford to have xAuth hooked into it with this amount of players.

    I would like to ask you to keep an offline DB that is not hooked into MySQL. If you do decide on this, could I please request a convert from Authme to your new database?
     
  5. Offline

    robxu9

    As long as xAuth still has AuthURL, I'm set. ;D
     
  6. Offline

    Mille

    Can you make it so people who have the real Minecraft launcher don't have to log in and register, but people with a cracked client have to register and can't use the name of an existing player who is using the real launcher?
     
    kernet and Anthony13 like this.
  7. Offline

    vasil7112

    There is also a bug with the enchantments.
    Please check that also.
    Don't forget we are waiting on you for the new versions!
     
    Anthony13 likes this.
  8. Offline

    CypherX

    Discussed before, not possible unless Craftbukkit is directly modified or I require players to specify their actual Minecraft password, which isn't going to happen.
     
  9. Offline

    kremington

    Hmm, I would like it if H2 is still supported, but I guess I could switch to MySQL.
     
  10. Offline

    moparisthebest

    I was just going to ask this, will you keep authURL support? It seems quite a few people besides me use it, and further up in this thread someone even contributed a script for phpBB support.
     
  11. Offline

    CypherX

    Of course. I was thinking of adding a better implementation of it or working directly with you (if you were still around).
     
    robxu9 likes this.
  12. Offline

    moparisthebest

    Right now the second line is supposed to be displayed in its entirety if it is an error, and is the 'forum name' if it is successful. I think instead the second line should just be displayed in its entirety every time, so the messages are 100% customizable in the server-side script, which needs to be written/modified by whoever is implementing it anyway.

    Other than that, I don't see much to anything that needs changed, but what did you have in mind? Perhaps adding an option to hash the pass with a certain algorithm before sending it might be nice, but it would have to be customizable. :)

    I am still around though, you can contact me on here or through github, I'm watching your github repo for updates, so I'll see an issue if you post it or something.
     
  13. Offline

    Marcus101RR

    Enchantments get removed from this.
     
  14. Offline

    Jade

    CypherX Why is this under re-development? and ETA? D:
     
  15. Offline

    CypherX

    Because I haven't been here for ~5 months and it's a buggy clusterf*ck. And I already answered about an ETA.
     
    robxu9 likes this.
  16. Offline

    Jade

    Odd, never saw it. xAuth has always worked for me (since EARLY 1.0).
     
  17. Offline

    _Robert


    Don't worry, I didn't make any big changes, I just followed your lines and added a column in the inventory table to store the enchant information of the items. The code is also available if you want to see the workaround (I tried to do a pull request but I got lost along the way, I'm pretty new to Java development and git =/).

    I also made quite a few more modifications to your plugin and I think they are nice additions! I added an option to hide the login and logout messages of the players, and I extended the AuthURL mode to make it possible to use /register to get registered in the forums from the game! I achieved this by adding more parameters to the AuthURL function, the email and the "mode", which are also sent in the POST request when you call the page (I did a bridge for phpBB too, if you want I can post it).

    Hope you can add those opts too, they are quite easy and nice :D.

    Cheers!
     
  18. Offline

    columb

    What about CraftBukkit addon? Like it was with early anti-xray version.
     
  19. Offline

    CypherX

    It's been quite a while but I think it involved exposing some kind of session ID so that it can be passed to minecraft.net to check its validity.
     
  20. Offline

    ArtBorax

    How to upgrade from version 1.25 to 3. if the hash without salt auths.txt?
     
  21. Offline

    Anthony13

    When is this plugin going to be out? I was updating a lot of my plugins, must've come here too late, after you removed the download; been checking back since the 17th, I think.
     
  22. Offline

    lfrst05

    I did some research about detecting if a player is using a minecraft.net account or not. My conclusion: It would be possible but only if:
    • The username/password is stored on the server or
    • The user installs a client mod.
    Login process on an online server (the user has already logged in to minecraft.net):
    1. [Client -> Server] Handshake. Send Username.
    2. [Server -> Client] Handshake. Server sends a randomly generated server ID (different for every user)
    3. [Client -> minecraft.net] Send "Join Server" request. Data sent: Username, ServerID, minecraft.net session ID. If minecraft.net does not answer with "ok" (=valid minecraft account) the login process will be aborted.
    4. [Client -> Server] Login request. Send username
    5. [Server -> minecraft.net] Check for successful "Join Server" request. Send Username and ServerID. If minecraft.net does not respond with "yes" the connection is dropped.
    6. Login OK - Check Black-/Whitelist, Player count,...
    Login process on an offline server:
    1. [Client -> Server] Handshake. Send Username.
    2. [Server -> Client] Handshake. Server sends the string "-"
    3. [Client -> Server] Login request. Send username
    4. Login OK - Check Black-/Whitelist, Player count,...
    The problem is that there are only two server modes:
    Online: "Server and Client are connecting to minecraft.net to check if the "Join Server" request is OK - If this check is not successful the connection is dropped"
    Offline: "Accept any connection"

    To add a "/register only for offline player"-feature to xAuth, a new operation mode would be required: "Connect to minecraft.net - try the "Join Server" request - if it fails switch to offline mode for this user."

    I can see only two ways to achieve this:
    • Fake the whole "Join Server" request server-side. You need to store the clear-text password for every user with a minecraft.net account.
    • Modify the client and the Server (Client: Mod; Server: Mod or Plugin (using Reflection and/or java.lang.instrument))
    Conclusion: Possible but solution is not really acceptable.
     
    Anthony13 likes this.
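
The two login flows listed in lfrst05's post above, modelled as an added example; it is not part of the thread and is not xAuth, CraftBukkit or Minecraft code. `SessionService` is a hypothetical in-memory stand-in for minecraft.net, and all class, function and value names other than "ok", "yes" and "-" are assumptions.

```python
import secrets

class SessionService:
    """Mock stand-in for minecraft.net (hypothetical; no network access)."""
    def __init__(self):
        self.sessions = {}  # username -> session ID from the launcher login
        self.joins = set()  # (username, server_id) pairs recorded in step 3

    def launcher_login(self, username):
        self.sessions[username] = secrets.token_hex(8)
        return self.sessions[username]

    def join_server(self, username, server_id, session_id):
        # Step 3: only the holder of the account's session ID gets "ok".
        if session_id is not None and self.sessions.get(username) == session_id:
            self.joins.add((username, server_id))
            return "ok"
        return "rejected"  # constructed value; the post only names "ok"

    def check_join(self, username, server_id):
        # Step 5: did step 3 succeed for this username and server ID?
        return "yes" if (username, server_id) in self.joins else "no"

class Server:
    def __init__(self, service, online_mode):
        self.service, self.online_mode = service, online_mode
        self.pending = {}  # username -> server ID sent in the handshake

    def handshake(self, username):
        # Step 2: random per-user server ID online, the string "-" offline.
        server_id = secrets.token_hex(8) if self.online_mode else "-"
        self.pending[username] = server_id
        return server_id

    def login(self, username):
        server_id = self.pending.pop(username, None)
        if server_id is None:
            return False  # login request without a prior handshake
        if not self.online_mode:
            return True  # offline: "Accept any connection", name unverified
        return self.service.check_join(username, server_id) == "yes"

def connect(server, service, username, session_id=None):
    """Client side of either flow; returns True when the login is accepted."""
    server_id = server.handshake(username)
    if server_id != "-" and service.join_server(username, server_id, session_id) != "ok":
        return False  # client aborts after a failed "Join Server" request
    return server.login(username)
```

In the offline flow the server never learns whether the connecting client owns the name, which is the gap a register/login layer such as xAuth fills.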
  23. Offline

    CypherX

    I already stated that I'm not going to give an ETA.
     
  24. Offline

    Anthony13

    Oh sorry, didn't know, wasn't gonna read 55 pages of posts if you already said it. :) ..Can't you post one of your old earlier versions or anything like that? :)
     
  25. Offline

    CypherX

    The latest version is five months old and bugged, you don't want it.
     
  26. Offline

    Anthony13

    OK, thanks for saving me the time of looking back into my backup plugins and my old world :D
     
  27. Offline

    CypherX

    What's the most popular/widely used Permissions plugin these days?
     
  28. Offline

    goodoletom

    So do I need a mysql for this?
     
  29. Offline

    PinguinAman

    I would say PEX and bPermissions.

    Everything working with these 2 plugins should work with everything else, too.
     
    Anthony13 likes this.
  30. Offline

    MissPicket

    Hello!

    I started getting this error message in my console yesterday; I'm not sure why, because I didn't change anything...

    Any thoughts?


    Code:
    24.02 00:08:30 [Server] INFO [xAuth] MissPicket has logged in
    24.02 00:08:25 [Server] INFO Please contact one of the authors of plugin 'xAuth': CypherX
    24.02 00:08:25 [Server] INFO This error is logged only once: it could have occurred multiple times by now.
    24.02 00:08:25 [Server] INFOat org.bukkit.craftbukkit.scheduler.CraftWorker.run(CraftWorker.java:34)
    24.02 00:08:25 [Server] INFOat com.cypherx.xauth.xAuth$2.run(xAuth.java:302)
    24.02 00:08:25 [Server] INFOat org.bukkit.craftbukkit.entity.CraftEntity.teleport(CraftEntity.java:157)
    24.02 00:08:25 [Server] INFOat org.bukkit.craftbukkit.entity.CraftPlayer.teleport(CraftPlayer.java:299)
    24.02 00:08:25 [Server] INFOat org.bukkit.plugin.SimplePluginManager.callEvent(SimplePluginManager.java:460)
    24.02 00:08:25 [Server] INFOat org.bukkit.plugin.RegisteredListener.callEvent(RegisteredListener.java:61)
    24.02 00:08:25 [Server] INFOat org.bukkit.plugin.java.JavaPluginLoader$103.execute(JavaPluginLoader.java:1024)
    24.02 00:08:25 [Server] INFOat java.lang.reflect.Method.invoke(Method.java:601)
    24.02 00:08:25 [Server] INFOat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    24.02 00:08:25 [Server] INFOat sun.reflect.GeneratedMethodAccessor70.invoke(Unknown Source)
    24.02 00:08:25 [Server] INFOat org.bukkit.event.Listener.onPlayerTeleport(Listener:0)
    24.02 00:08:25 [Server] INFO java.lang.IllegalAccessError: Synchronized code got accessed from another thread: com.cypherx.xauth.xAuth$2
    24.02 00:08:25 [Server] WARNING Could not properly handle event PLAYER_TELEPORT:
    24.02 00:08:25 [Server] INFO [SuperSpawn] Player teleported to previous location.
    24.02 00:08:25 [Server] INFO [SuperSpawn] Player found
     
  31. Offline

    Amsek

    Hello all! There is a very big bug in this plugin, I think all admins know it: anyone can become OP if he knows only the admin's nickname. Please fix it.
     