Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    CypherX

    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page: http://dev.bukkit.org/server-mods/xauth/

    Thanks to everyone who has showed support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel (irc.rizon.net #LoveDespite) or toss me a message at http://love-despite.com/forum. Until we meet again, stay gold. Bang.

    ------------------------------------------------------------------​

    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.


    Features
    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pick up items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lockout the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dying to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.
     
  2. Offline

    PinguinAman

    Alright thank you,
    it seems it was DefaultCommands. Didn't know it stores the inventory too. Any idea if you could make it compatible?
    Also posted in DefaultCommands Thread... I would hate to get rid of one of these 2 plugins. :[
     
  3. Offline

    CypherX

    Works fine for me.

    I've been working on a research paper for most of the weekend and haven't had time until now. During testing, I experienced the same issue you described and have no idea why it's happening, or how to fix it. I looked through the AdminCmd source to see how it handles custom spawn points and it's basically the same as other plugins that do the same and work correctly with xAuth. The only solution I see for this would be to have the developer of AdminCmd (and any other plugins that control spawning) hook into xAuth and set the player's saved location to the spawn point. This currently isn't possible but will be in Beta 5.

    Sure it's possible. Will it be implemented? Maybe. This can be spoofed by setting the session length to a high number in the configuration.

    Opened the wrong database? Opened it incorrectly? I don't know, it could be any number of things.

    Discussed before, not possible.

    @Subrosa20 - Check out the troubleshooting guide, link is in the first post.

    I'll look into it when I get a chance.
     
  4. Offline

    STiChad

    Thanks mate, I look forward to Beta 5 then.
     
  5. Offline

    trash0

    Hi CypherX!
    I want to download the latest sources from GitHub, but there is no latest version of the sources, only binary files! Where can I get the sources of v2.0b4.3? I want to change the language of some hardcoded messages and rebuild it.
     
  6. Offline

    Subrosa20

    @CypherX Thanks. Works fine for me. :)
     
  7. Offline

    XtenD

    Oh, I found a problem, it's PermissionsEx, this option does not work with it..
    Migrated to bPermissions -> Problem has gone :D
     
  8. Offline

    CypherX


    Interesting.. Thanks for pointing that out.
     
  9. Offline

    iama

  10. Offline

    trash0


    I'm looking for current (2.0b4.3) version of sources!
     
  11. Offline

    CypherX

    @trash0 - Oh, I screwed up my Git installation and haven't been bothered to fix it. That's why I haven't made any commits. Give me a few and I'll try to get it working.
     
  12. Offline

    trash0

    Okay, thanks in advance! I am really looking forward to this.
     
  13. Offline

    CypherX

    Alright, it's fixed and the source should be up to date now.
     
  14. Offline

    XtenD

    Oh, it's not PermissionsEx, it's AdminCmd permissions; you can join these people's accounts with their permission nodes. Ex: I can join as admin, and a real admin will be kicked, but I cannot join as a default user...
     
  15. Offline

    Nolam

    Is there any way I can make it so that it encrypts to MD5 instead of whirlpool? I have my entire website set up with MD5 and it's been a pain trying to convert it to whirlpool (and I can't even get it working)...
     
  16. Offline

    CypherX

    Write a script for the AuthURL feature that connects to the website database. There's an example here that's for the SMF forum software.
     
  17. Offline

    Nolam

    Hmm...perhaps it would be easier just to convert it.
    This is my current conversion script:


    PHP:
    // if password OK (after confirm and strength checks), encrypt it
    if ($pwdOK) {
        $_POST['userPassword'] = md5($_POST['userPassword']);
    }

    I'm trying to integrate the code:
    PHP:
    function encryptPassword($password) {
        // 12-character random salt taken from a Whirlpool digest
        $salt = substr(hash('whirlpool', uniqid(rand(), true)), 0, 12);
        $hash = hash('whirlpool', $salt . $password);
        // the salt is spliced into the hash at an offset equal to the password length
        $saltPos = (strlen($password) >= strlen($hash) ? strlen($hash) : strlen($password));
        return substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos);
    }
    I can't seem to get it to work. (I'm really, really new to this). Would someone be able to show me?

    (If you don't want to show me on here and make this go further off-topic I don't blame you, I just don't know where else to look.

    other contact info:
    [email protected])
     
  18. Offline

    CypherX

    @Nolam - It would be easier to use AuthURL (as this is exactly what it's designed for), but if you still want to convert them, your script should do this:

    1. Fetch a user's password hash from the database when they attempt to log in.
    2. Determine if the hash is an MD5 hash (length will be 32) or an xAuth hash.

    MD5 Hash
    3. Hash the password the user supplied and compare them.
    4. If they match, update the hash in the database using the encryptPassword() function I provided.

    xAuth Hash
    3. Use the checkPassword() function I provided to see if the passwords match.
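
The login-time conversion described in the post above, as an added example that is not part of the original thread or of xAuth's own code. verifyXAuthHash(), loginAndMigrate() and the in-memory $users array are hypothetical; the verifier is derived from the encryptPassword() layout posted earlier rather than being the checkPassword() function the post refers to, and random_bytes() replaces uniqid(rand()) as the salt source.

```php
<?php
// Added example: rehash-on-login migration from unsalted MD5 to the salted
// Whirlpool layout produced by encryptPassword() in this thread.
// verifyXAuthHash(), loginAndMigrate() and $users are hypothetical names.

// Same stored layout as the encryptPassword() posted in the thread; only the
// salt source differs (random_bytes instead of uniqid(rand())).
function encryptPassword(string $password): string {
    $salt = substr(hash('whirlpool', random_bytes(16)), 0, 12);
    $hash = hash('whirlpool', $salt . $password);      // 128 hex characters
    $saltPos = min(strlen($password), strlen($hash));
    return substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos);
}

// Inverse of encryptPassword(): the 12-character salt sits at offset
// min(strlen(password), 128) inside the 140-character stored value.
function verifyXAuthHash(string $password, string $stored): bool {
    if (strlen($stored) !== 140) {
        return false;
    }
    $saltPos = min(strlen($password), 128);
    $salt = substr($stored, $saltPos, 12);
    $hash = hash('whirlpool', $salt . $password);
    $expected = substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos);
    return hash_equals($expected, $stored);            // constant-time compare
}

// Steps 1-4 of the post: fetch the stored hash, classify it by length,
// verify the supplied password, and upgrade a legacy row on success.
function loginAndMigrate(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy MD5 row: verify first, then rewrite it while the plaintext
        // is available. A failed attempt must leave the row unchanged.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $users[$name] = encryptPassword($password);
        return true;
    }
    return verifyXAuthHash($password, $stored);
}

// Constructed sample data: one legacy MD5 account, one already-converted account.
$users = [
    'alice' => md5('correct horse'),
    'bob'   => encryptPassword('hunter2!'),
];

// Wrong password against the MD5 row, then the stored length.
var_dump(loginAndMigrate($users, 'alice', 'wrong guess'));
var_dump(strlen($users['alice']));
// Correct password: the MD5 row is verified and rewritten.
var_dump(loginAndMigrate($users, 'alice', 'correct horse'));
var_dump(strlen($users['alice']));
// Second login for the same account now takes the xAuth path.
var_dump(loginAndMigrate($users, 'alice', 'correct horse'));
// Already-converted account, password one character short.
var_dump(loginAndMigrate($users, 'bob', 'hunter2'));
```

Neither unsalted MD5 nor a single salted Whirlpool round is slow enough to resist offline guessing; the same verify-then-rehash pattern carries over to PHP's password_hash() and password_needs_rehash().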
     
  19. Offline

    XtenD

    up, it was - 'admincmd.*' :(
     
  20. Offline

    Ticksy

    How important are the tables "tele_locations" and "inventory"? What will be lost when deleting their contents?
     
  21. Offline

    Grifhell

    Um, I beg forgiveness for the rough translation, try to understand my question. Can I plug in a way that would have allowed the player to register on the server, but it got more and account for the forum server.

    I know how to do so would be to register on the forum, the player receives the ACC to the server. But I want to know how to do exactly the same but in reverse. Whatever he could register on the forum and on the server and the database was one.

    Registered on the forum -> can play on the server
    AND
    Registered on the server -> can go and write on the forum

    I saw the function of a plugin, that would provide players e-mail address when registering on the server, it can be like something to do?
     
  22. Offline

    Rocky447744

    Hi, I want to know where the passwords are stored, because I will control other players on my server.
    I think it's in xAuth.h2 but I can't even read my password. There are only weird signs and numbers ...
    Help me out please :/
     
  23. Offline

    resaclan62

    I don't really understand how to set it up so it asks for a password every time they log in. Please help me, I really need this plugin for my server!
     
  24. Offline

    EX3MP

    I found a bug.
    If you have gamemode 1 and you log in (without entering the password) you can throw items out of your inventory.
    I hope you fix it.
     
  25. Offline

    Numex

    Hey dudes. I have a big problem. When I start up my server I get the following error:
    Code:
    2011-10-12 02:48:58 [INFO] [xAuth] 'Permissions' v2.7.7 support enabled!
    2011-10-12 02:48:58 [INFO] [xAuth] Connection to database established!
    2011-10-12 02:48:58 [INFO] [xAuth] Accounts: 1, Sessions: 0
    2011-10-12 02:48:58 [INFO] [xAuth] v2.0b4.3 Enabled!
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.register' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.register is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.*' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.* is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.register' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.register is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.changepw' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.changepw is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.logout' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.logout is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.unregister' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.unregister is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.strike' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.strike is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.location' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.location is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.config' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.config is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-12 02:48:58 [WARNING] Plugin xAuth v2.0b4.3 tried to register permission 'xauth.admin.reload' but it's already registered
    java.lang.IllegalArgumentException: The permission xauth.admin.reload is already defined!
        at org.bukkit.plugin.SimplePluginManager.addPermission(SimplePluginManager.java:424)
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(CraftServer.java:180)
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(CraftServer.java:157)
        at net.minecraft.server.MinecraftServer.e(MinecraftServer.java:297)
        at net.minecraft.server.MinecraftServer.a(MinecraftServer.java:284)
        at net.minecraft.server.MinecraftServer.init(MinecraftServer.java:152)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:348)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    What's the problem?
    I use PermissionsEX (PEX) on Build #1240
    Here is my config:
    Code:
    main:
        # How should xAuth store data (Accounts, sessions, etc.)?
        # Possible values: h2, mysql
        datasource: default
        # If set to true, xAuth will disable itself if the server is in online-mode
        auto-disable: true
        # If set to true, all required library files will be automatically downloaded
        download-libraries: true
        # When set to true, if a player connects with the same name as someone who is
        # already online, the player connecting will be kicked instead of the online player
        reverse-enforce-single-session: true
    
    authurl:
        # Send user/pass data to authURL for authentication instead of the database
        # This option disables registration and password changes
        enabled: false
        # The URL to send user/pass data to, look at the example auth.php for an
        # example that works with SMF forums.
        url: http://127.0.0.1/auth.php?field=minecra
    
    mysql:
        # Location of the MySQL server. Can be either a host name or IP address
        host: localhost
        # Port used by MySQL. Default is 3306
        port: 3306
        # User name used to connect to the MySQL server
        username:
        # Password used to connect to the MySQL server
        password:
        # Name of the database that will be used by xAuth
        database:
        # Names of the tables xAuth will use to store data
        tables:
            account: accounts
            session: sessions
            strike: strikes
            location: tele_locations
            inventory: inventory
    
    registration:
        # Enable/disable new registrations
        enabled: true
        # If set to true, everyone must register
        forced: true
        # Setting this to true requires a player to enter an email address when they register
        require-email: false
        # If set to true, a valid email address is required
        validate-email: true
        # How many accounts per IP address will be allowed. Set as 0 for unlimited
        account-limit: 0
        # Used with web registrations that require account activation
        activation: false
    
    login:
        strikes:
            # Amount of times a player can enter an incorrect password before action is taken
            # Set as 0 to disable
            amount: 5
            # What action to take when the strike threshold is reached
            # Possible values: kick, lockout
            action: kick
            # Length of time, in seconds, that a strike will remain in the database
            strike-length: 3600
            # Length of time, in seconds, that a player will remain locked out
            lockout-length: 900
    
    password:
        # Minimum length a password may be
        min-length: 6
        # Enable/disable password changes
        allow-change: true
        # Require at least one of the character types below that are set to true
        complexity:
            lowercase: false
            uppercase: false
            number: false
            symbol: false
    
    guest:
        # Amount of time, in seconds, that a player has to log in before they are kicked
        # Set as 0 to disable
        timeout: 300
        # Amount of time, in seconds, between "You must be logged in.." messages
        notify-cooldown: 5
        # Commands that players who are not registered or logged in may execute
        allowed-commands: [register, login, l]
        # Turn on/off location protection
        protect-location: true
    
    session:
        # Amount of time, in seconds, that a session will remain valid
        length: 3600
        # Verify a player's IP address when resuming a session
        verifyip: true
        # Length of time, in seconds, that a player will have godmode upon logging in
        # set as 0 to disable
        godmode-length: 5
    
    filter:
        # Minimum length a players name can be
        min-length: 2
        # Characters that may be present in a players name. Use an asterisk (*) to allow all
        allowed: '*'
        # If set to false, players with blank names can connect
        blankname: true
    
    # INTERNAL USE ONLY! DO NOT TOUCH!
    version: 5
     
  26. Offline

    CypherX

    The tele_locations table stores locations set with /xauth location set. The inventory table stores a player's inventory while they aren't authenticated. What possible reason would you have to want to delete the data stored in these tables? If it wasn't necessary, why would it be persisted?

    Come back when you learn some English.

    Passwords are hashed for security and to prevent snooping server managers from viewing a player's password. If you still want to try, you have to use the H2 web console or a SQL editor such as RazerSQL to open the .h2 file.

    What's there to not understand? You download it, extract it to the plugins directory, and configure it. If you're asking why a player doesn't have to log in every time they join the server, then the answer is something called a session.

    Update xAuth, that was fixed in beta 4.2.

    @Numex - Looks like you have two copies of xAuth in your plugins folder.
     
  27. Offline

    Kaikz

    When converting from H2 to MySQL, should I just use the exact same command as you would for iConomy? I tried with iConomy and MySQL wouldn't take it for some reason. I don't know what to edit to make it work. Also, do I need to do anything with auths.txt when converting? I thought the logins were stored in the H2 database.
     
  28. Offline

    CypherX

    Remove the password parameter from the command and change the path. You have to edit the .SQL file it outputs to work with MySQL, someone posted a guide for it on one of the last few pages. You can remove auths.txt, it's not used anymore.
     
  29. Offline

    Grifhell

    Oh, it's rough, man ( ;

    I'm sure this is understandable
    Pictures do not have language barriers, but do not make me draw my question xD
     
  30. Offline

    CypherX

  31. Offline

    iama

    I am trying again to report a big (I think) bug that xAuth has

    xAuth version: 2.0b4.3
    CraftBukkit build: 1185
    Description of error/bug: server freezes when all of the players log out at night. server.log has many: 2011-09-30 09:48:18 [INFO] Read timed out
    Error log: server.log http://pastebin.com/vMjRFJ56 , interesting thread dump with debugger visualvm http://pastebin.com/pB1tcGn6
    Other information: this bug happens every day, at night or morning
     