[ADMN/SEC/FIX] MixedModeAuth 2.4 - Secure mixed offline/online mode servers [1337]/[1597]

Discussion in 'Inactive/Unsupported Plugins' started by Thulinma, Sep 10, 2011.

Thread Status:
Not open for further replies.
  1. This project is a fork from AuthPlayer by Arcalyth. He created a plugin that allows you to spoof names server-side for use in a LAN - I upgraded the code with full support for secure online/offline mixed mode servers through a simple PHP script or a modded CraftBukkit build.

    • Supports a mix between premium and non-premium users, or only premium users with support for logins when the main minecraft.net login is down.
    • No logging in needed if minecraft.net servers are up!
    • Secure! Protection against name spoofing!
    • Supports regular whitelisting, permissions and all other access control methods without needing to change the setup.
    • Prevents players kicking each other off (auto-renames "player" to a temporary name on connect)
    • Prevents players that are not logged in from doing anything besides walking around. No doors, no switches, no damage, no items. Really, nothing except walking around.


    Source, bug reports, feature requests, etc here! I also read this topic, of course...

    Downloads Removed - SwearWord

    Changelog:
    Version 2.4:
    - New default config file - will be written if no config file is found (tip: delete your config and reload plugin to reset to defaults / see explanation text).
    - Localization support (all messages to players are now in the config file and can be edited).
    - Kick timer (kicks people out if they do not login within set-able timeout).
    - Possibly fixed Spout support (untested, please test and report back if you are using Spout!).
    - Added option to not block interactions when not logged in.
    - Added option to kick users that are trying to connect using a name that is already in use (reverses normal behaviour of kicking the logged-in user).
    - General performance improvements and small bugfixes.

    Version 2.3:
    - Passwords are now saved encrypted.
    - Server mod updated to report version number correctly (fixes issues with some plugins / server managers)
    - Added support for not-renaming guests

    Version 2.2:
    - Updated to new Configuration API
    - Added check for server mod, will automatically switch to legacy mode if mod is not detected.

    Version 2.1.1:
    - Fixed the error about wrongly installed script being displayed even when legacy mode is not enabled. No other changes - you can safely keep using 2.1.0 instead of this version.

    Version 2.1.0:
    - Switched to BukkitPermissions - should now work with all modern permissions plugins.
    - Re-added support for hosts file editing, no longer requires modded CraftBukkit build.
    - Modded CraftBukkit build still preferred method, though!
    - Now displays more info in the server console.
    - Hopefully fixed permissions problems (player kept permissions of original username, even if auth was done afterwards).

    Version 2.0.1:
    - Major rewrite.
    - No longer requires hosts file editing or PHP script.
    - Now requires modded CraftBukkit build (included in download, source for mod available on my github!)
    - Don't want to or cannot run a modded CraftBukkit build? Use version 1.0.2 - it still works as before, but requires the PHP script and hosts file to be set up (see more information page below).
    - Fixed display issues for 1.8.
    - Fixed names not showing up correctly sometimes.
    - Added config file with insecure mode option (not recommended to use insecure mode for right now - quite experimental still).

    Version 1.0.2:
    - First public release

    How does it work?
    You run the server in online mode. The requests from the server that go to minecraft.net to verify the account are monitored through a small CraftBukkit mod or routed through a PHP script by use of a hosts file edit. Source for the server mod is available in my github, you can compile it yourself if you don't trust my build.
    If the account is minecraft.net verified, the user is automatically identified as themselves (and will be asked to set a password if they do not have one already). If it is not, the user is renamed to "player_[NUMBER]" to prevent people from kicking each other off, and then asked for their name and password to play, after which they will be renamed to their real username.

    For more detailed information, permissions, etc look here!

    Todo list: (mirror of this page)
      • Kick players if no login within X seconds
      • Custom messages
      • .....?
     
    re4397 and CoolOppo like this.
  2. Then you didn't follow the setup instructions correctly :)
    During plugin load, the plugin also tries to tell you if it finds any possible issues that may cause it not to work. It would help if you posted all messages that start with "[MixedModeAuth]" during server (re)load.
     
  3. astinax

    this is what the log says :
    Code:
    2011-10-02 04:03:07 [WARNING] [MixedModeAuth] You do not appear to have properly set up the latest checkserver script and host forward. Legacy mode disabled.
    2011-10-02 04:03:07 [INFO] [MixedModeAuth] 2.1.0 enabled in modded secure mode.
    
     
  4. Does this plugin work with CB 1240?
     
  5. Yes. I'll also upload a new build of the modded craftbukkit that is based on RB #1240, in a few minutes. Should be in the main post by the time you read this.

    In that case, you do not have the modded craftbukkit installed. For running the plugin in modded mode, you need the modded craftbukkit version. Unfortunately because the mod is so similar to the real build, it is not possible for the plugin to detect if you have the mod installed or not. I'll try to include some kind of detection for this in a future version, if possible...
     
  6. astinax

    I am using the modded craftbukkit
     
  7. Ah, in that case, the client is not a "cracked" client. The "user not premium" message is not generated by the server, but by the client application before it even tries to get in the server.
    I'd suggest also using my client mod that will ignore these errors, you can find instructions here.
     
  8. astinax

    With the client mod it says failed to verify username
     
  9. Correct. Then do "play offline", choose multiplayer, and connect to the server - it should work.

    Unless you already tried that, in which case you really must not have installed the server mod+plugin properly.
    To sum it up:
    - The client mod will allow you to attempt to connect to all servers, always.
    - The server mod + plugin will allow all users in, but prevent them from doing anything without a valid account.
    So, if both are used it will not reject a new player joining the server, in all cases. That means if it does reject a player, something must not be installed correctly. :)
     
  10. CoolOppo

    Let's say I have a moderator named pooo on my server. He never registers his specific name, because he is always verified, but then minecraft.net goes down, and he tries to log in, and he makes a password, etc. Does he get to have all of his regular permissions? Now let's say we have the same scenario, but somebody else tries to log in using his name. Do they get his permissions? Now imagine that minecraft.net is up, and somebody tries to log in and register his name in the offline user database because he hasn't had to yet. Do they get his permissions?

    Sorry, lots of questions...
     
  11. astinax

    I don't know why but now everything is working ! I think it's because I updated -_-"
     
  12. JohnPulse

    Just to let you know Thulinma, this is just what I was looking for!
    Thank you so much for your work!
    Regards,
    John
     
  13. I'm glad you're enjoying the plugin! If you have any feature suggestions (that are not already on the todo list), let me know.

    Good to hear that your problems are solved!

    The plugin forces everyone to have an "offline account" registered before they can play. So, your first question, where "pooo" never registers his name, is not possible. His name will be registered with an offline account if he played at least once, even if he is a verified player.
    Yes, when logging in if minecraft.net servers are down, this person will get all their normal permissions (I have tested PermissionsEX myself - but it *should* work with all permissions systems... If not, let me know and I'll fix it!).
    Unverified players are not able to make accounts by default. My advice would be not to change this and give the server ops the permissions needed to create accounts for others. This means you can never steal somebody's name (and get their permissions, if any) in the default config.
    Verified players always instantly login to their offline account, if it exists (and will be asked to make one upon login if it doesn't). This means that if an operator creates the account "bob" for somebody and then later the verified player bob (somebody else, who really owns the name "bob" on minecraft.net) comes online, this new "real bob" will instantly receive the account created for the earlier "fake bob".
    Hopefully that answers all your questions :)
     
    CoolOppo likes this.
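
The login rules described in the first post ("How does it work?") and in the reply above, as a small Python model. This is an added example, not code from the plugin or its author; the class and method names and the PBKDF2 password storage are assumptions (the changelog only says passwords are saved encrypted).

```python
import hashlib, hmac, itertools, os

class MixedModeModel:
    """Toy model of the login policy described in the thread (not plugin code)."""

    def __init__(self, allow_unverified_create=False):
        # Thread: unverified players cannot make accounts by default.
        self.allow_unverified_create = allow_unverified_create
        self.accounts = {}  # name -> (salt, hash); storage scheme is an assumption
        self._guest_ids = itertools.count(1)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, name, password, verified=False, by_operator=False):
        allowed = verified or by_operator or self.allow_unverified_create
        if not allowed or name in self.accounts:
            return False
        salt = os.urandom(16)
        self.accounts[name] = (salt, self._hash(password, salt))
        return True

    def connect(self, claimed_name, verified):
        """Return the session state a joining player starts with."""
        if verified:
            # minecraft.net vouched for the name: logged in without a password,
            # even if an operator created that account for somebody else.
            return {"name": claimed_name, "logged_in": True,
                    "must_set_password": claimed_name not in self.accounts}
        # The claimed name is untrusted: park the player under a temporary name.
        return {"name": "player_%d" % next(self._guest_ids),
                "logged_in": False, "must_set_password": False}

    def login(self, session, name, password):
        salt, stored = self.accounts.get(name, (b"\0" * 16, b""))
        ok = hmac.compare_digest(self._hash(password, salt), stored)
        if ok:
            session.update(name=name, logged_in=True)  # renamed to the real username
        return ok

    def may_interact(self, session):
        # Not logged in: walking around only (no doors, switches, damage, items).
        return session["logged_in"]
```

The last case in the reply, where a verified "bob" inherits an account an operator created earlier for someone else, falls out of `connect()`: verification by minecraft.net always wins over the offline password.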
  14. CoolOppo

    Thanks so much! That explained a lot! :D
     
  15. JohnPulse

    The only request I have is for custom messages. :)
    The rest is all good for now.

    Edit:
    I don't know if this is possible, but to the clients not to have the client mod would be a plus to this plugin.
    Maybe by using the server offline, and then be your plugin doing the authentications?

    Regards,
    John
     
  16. Ghoul

    Same situation ("Bad Login") while I tried to use the plugin.

    Server log says that the client lost connection every time! I used the modded server version 1240 and plugin version 2.1.1.
     
  17. yoyococo56

    Is this plugin so people with a free account can go on your server, yes or no?
     
  18. I'll see what I can do about some custom messages.
    As for clients without the plugin - unfortunately the second I send the "are you premium?"-command to an unmodded client that does not have a valid premium account, it disconnects from the server without responding. I'm afraid the only way to do this without a client mod is to ask people for their MC.net name and password, then try to login as them, which is something I am not comfortable doing :) (And a big hassle every login!)

    Are you 100% sure it is loading the modded server? I'll see if I can throw some kind of info message in the next build to make this easier to check... It should never say "bad login" when using both modded client and server.

    Yes. But, you need to change the configuration of this plugin for that to work. The wiki page has more information about this.
     
  19. JohnPulse

    Nevertheless, a great plugin.
    Will use it and I thank you for your hard work.
    Regards,
    John
     
  20. Ghoul

    Thanks a lot for the reply, I didn't figure out that I have to use the client mod, now everything is working fine.
     
  21. rudolfs001

    I'm really thankful for this plugin. Is there any way you could write in an option to make it so that a player has to log in with the same username as they logged into the minecraft client?
     
  22. heroanth2345

    Okay, I've got a problem, I didn't understand very well how to install it, what do I do with checkserver.php?
    When I log in my name changes to Player_XY, and it does that to everyone, premium users and cracked ones.
    I've looked at the wiki and the instructions aren't quite enough for me...
    I would love some help please :)
    Because this is the plugin I want
     
  23. rudolfs001

  24. I can, but it would not be secure. The name entered in the client can very easily be faked. If this is not a problem... then yes, I can add that feature.


    Also @rudolfs001 - Is the server running in online mode? In offline mode this is what it does, since in offline mode nobody is considered a premium user. checkserver.php is only needed if you are not using the server mod. The server mod works a lot better and I recommend using it, if possible. Hopefully this information fixes your problems already, if not let me know.


    In other news: I'm aware of RB 1317 and will release an update shortly along with some other changes I have been working on!
     
  25. rudolfs001

    That's alright, the feature would help all the same :)


    I am running in online mode, but non-premium players can't get on. If I run in offline mode I get the situation described above, by @heroanth2345. Ideally I'd like it for premium and non-premium users to log on, but have the premium users be automatically logged in (such as what happens in online mode). The only reason I'm not running in offline mode is because it makes non-premium users have to manually log in, which they find rather annoying.

    Also, I do have the server mod installed, and am not using the checkserver.php.
     
  26. Ghoul

    The non-premium users have to use the modded client, then it is working (while server is in online mode)
     
  27. rudolfs001

    Ahhh I see, thank you very much.

    Would there be any way to have this functionality without having to have a modded client?
     
  28. heroanth2345

    ok Thx a lot!
     
  29. laptopfreek0

    Any way to get this to work with simpleserver? When I put it in online mode Premium users are not recognized automatically. (At first it wouldn't go into online mode since Simpleserver overwrites the server.properties, but I chowned it to root to prevent remodifying the file once I changed it). Since it is a server wrapper I am assuming that the plugin ties the bukkit instance, but I can't figure out why it cannot authenticate premium users. Also, if I run the bukkit mod without the server wrapper it works fine.

    **Edit: oh, I also noticed that when attempting to use the warp command or home command for simpleserver it logs in a new user then logs him out without warping the player to the home location.

    **Edit 2: Recompiled simpleserver to exclude the home command and installed a home plugin, but still have authentication issues with premium users.
     
  30. Tsusai

    Dropping in to say thanks again. It's working nicely for my small small server.
     
  31. foxsick

    Hello!
    I tried to install your plugin in modded version on clean server. Also I added mixedmodeauth.create permission in my permission plugin. I have no errors in my craftbukkit server log when I start it. When I go through my premium account your plugin works just fine. But when I try to go on my server with pirate launcher, I have this message: Your account isn't premium. Is there any idea why it won't work?
    Also I tried to configure the server in legacy mode. There is Wamp Server on my machine (this program launches the LogBlock plugin on my server). I put checkserver.php into www folder of my machine and named it index.php. When I go to localhost address in my browser I see errors. Is it right??? After it I added legacymode:true into config.yml of your plugin.
    Then I went to host file of my Windows and added these strings:
    localhost minecraft.net
    localhost www.minecraft.net
    Was it right? Did I need to add my server ip, not my wamp ip????
    Then I restarted my computer but nothing worked. (I couldn't go with pirate account)

    I think your plugin is amazing, so can you explain how to set it in legacymode through any servermachine (but I prefer wamp) through YouTube. Use feaps program to record the video.
    I will be very grateful if you do it because I tried to set up your plugin all these two days but it won't work(((
    P.S. Thank you!
     