[ADMN/SEC/FIX] MixedModeAuth 2.4 - Secure mixed offline/online mode servers [1337]/[1597]

Discussion in 'Inactive/Unsupported Plugins' started by Thulinma, Sep 10, 2011.

Thread Status:
Not open for further replies.
  1. This project is a fork from AuthPlayer by Arcalyth. He created a plugin that allows you to spoof names server-side for use in a LAN - I upgraded the code with full support for secure online/offline mixed mode servers through a simple PHP script or a modded CraftBukkit build.

    • Supports a mix between premium and non-premium users, or only premium users with support for logins when the main minecraft.net login is down.
    • No logging in needed if minecraft.net servers are up!
    • Secure! Protection against name spoofing!
    • Supports regular whitelisting, permissions and all other access control methods without needing to change the setup.
    • Prevents players kicking each other off (auto-renames "player" to a temporary name on connect)
    • Prevents players that are not logged in from doing anything besides walking around. No doors, no switches, no damage, no items. Really, nothing except walking around.


    Source, bug reports, feature requests, etc here! I also read this topic, of course...

    Downloads Removed - SwearWord

    Changelog:
    Version 2.4:
    - New default config file - will be written if no config file is found (tip: delete your config and reload plugin to reset to defaults / see explanation text).
    - Localization support (all messages to players are now in the config file and can be edited).
    - Kick timer (kicks people out if they do not login within set-able timeout).
    - Possibly fixed Spout support (untested, please test and report back if you are using Spout!).
    - Added option to not block interactions when not logged in.
    - Added option to kick users that are trying to connect using a name that is already in use (reverses normal behaviour of kicking the logged-in user).
    - General performance improvements and small bugfixes.

    Version 2.3:
    - Passwords are now saved encrypted.
    - Server mod updated to report version number correctly (fixes issues with some plugins / server managers)
    - Added support for not-renaming guests

    Version 2.2:
    - Updated to new Configuration API
    - Added check for server mod, will automatically switch to legacy mode if mod is not detected.

    Version 2.1.1:
    - Fixed the error about wrongly installed script being displayed even when legacy mode is not enabled. No other changes - you can safely keep using 2.1.0 instead of this version.

    Version 2.1.0:
    - Switched to BukkitPermissions - should now work with all modern permissions plugins.
    - Re-added support for hosts file editing, no longer requires modded CraftBukkit build.
    - Modded CraftBukkit build still preferred method, though!
    - Now displays more info in the server console.
    - Hopefully fixed permissions problems (player kept permissions of original username, even if auth was done afterwards).

    Version 2.0.1:
    - Major rewrite.
    - No longer requires hosts file editing or PHP script.
    - Now requires modded CraftBukkit build (included in download, source for mod available on my github!)
    - Don't want to or cannot run a modded CraftBukkit build? Use version 1.0.2 - it still works as before, but requires the PHP script and hosts file to be set up (see more information page below).
    - Fixed display issues for 1.8.
    - Fixed names not showing up correctly sometimes.
    - Added config file with insecure mode option (not recommended to use insecure mode for right now - quite experimental still).

    Version 1.0.2:
    - First public release

    How does it work?
    You run the server in online mode. The requests from the server that go to minecraft.net to verify the account are monitored through a small CraftBukkit mod or routed through a PHP script by used of a hosts file edit. Source for the server mod is available in my github, you can compile it yourself if you don't trust my build.
    If the account is minecraft.net verified, the user is automatically identified as themselves (and will be asked to set a password if they do not have one already). If it is not, the user is renamed to "player_[NUMBER]" to prevent people from kicking each other off, and then asked for their name and password to play, after which they will be renamed to their real username.

    For more detailed information, permissions, etc look here!

    Todo list: (mirror of this page)
      • Kick players if no login within X seconds
      • Custom messages
      • .....?
     
    re4397 and CoolOppo like this.
  2. Offline

    Ghoul

    Have you used the modded client to join the modded server?
     
  3. Offline

    foxsick

    Yes.
    I connected to my server through pirate client.
     
  4. Offline

    Tsusai

    The pirate client still might need the mod which is available here.

    Off topic, found a bug.
    Situation:
    2 premium people logged in and within 15 m of eachother.
    non premim logs in
    non premium authenticates, moves a bit, logs out.
    "Player_2335625" takes its place, a dead shell of a person. Only goes away after we move away (map teleport, distance, etc) and return.
     
  5. New version 2.2!
    The biggest change in this version is that it now includes a check that can detect the server mod (starting at version RB1337 of the mod - older versions will not be detected correctly).
    So, if any of you are still having problems, try this new version and see if it shines any light on what has been going wrong.

    Sounds like the server mod was not installed correctly. Try the latest version (RB1337+2.2), it will show you in the server console if everything looks good or not.

    You did not change your Apache configuration to make checkserver.jsp point to the php file. I'm not quite sure how to do this in Apache - the last time I used Apache was years ago. Perhaps someone else would be willing to donate a working config for Apache...?


    Sounds like a vanilla minecraft client bug. Let me know if this starts to be a problem though and I'll look into it some more. I might be able to prevent it somehow.

    Unfortunately not. This is part of how the default client works - it instantly disconnects if it receives the "this is a premium server" message if the user is not logged in as a premium user. My mod changes this behaviour, as do most pirated clients in some way (which should also work with this plugin).

    I don't use this myself, but it looks like simpleserver changes the traffic going in and out of the server. Not much I can do about any problems caused by that, sorry. I think the only way to "fix" this would be to find Bukkit plugins that have the functions of simpleserver that you need and stop using simpleserver...
     
  6. Offline

    Tauryuu

    The plugin config won't generate. :(

    MMA 2.2, Modded CB1337
     
  7. That's not a bug - it's my personal vision that an application should never write your config files for you, so it doesn't.
    There's only two options, and both are true/false so it's very easy to make one yourself. This is the default if no config is present:

    Code:
    securemode: true
    legacymode: false
    Simply save that as config.yml in the plugins/MixedModeAuth folder, and edit as you wish :)
     
    Tauryuu likes this.
  8. New release: 2.3

    Changed:
    - Fixed version issues in server mod - should now work correctly with plugins and server managers that check the RB number.
    - Added support for a new option "renameguests", defaults to true, when set to false will not rename users to "Player_XXX" when they join but instead to "Player" (added on request)
    - Passwords are now saved encrypted (bcrypt hashes), no longer readable by server admins (existing accounts will auto-update themselves).
     
  9. Offline

    maldiablo

    When using spout and spoutcraft clients (when official auth servers are down), spout throws exceptions and the client is unable to move. I suspect it's due to the player being renamed on entry. I believe even renaming the player to simply 'player' is causing the breakage.
    Would it be possible to add yet another no rename option? I'd like it so when a player logs in, they're not renamed at all (not even to 'player'), yet are still restricted from doing anything until they perform the /auth procedure. I suspect it would be the quick fix for spout/spoutcraft clients with problems.
    Thanks.
    -----

    Edit: I've also got an updated legacy mode PHP file for you - I found that during the past weekend's auth service outage the connect timeout wasn't enough. Connections to the auth servers were being made but data wasn't moving and therefore users were still timing out waiting for auth data. My only fix was to drop down to legacy mode and modify your PHP with additional timeout arguements on connection that fixed the issue.
    And lastly, a simple .htaccess file for people using apache to share:
    Code:
    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^(.*)\.jsp$ $1.php [nc]
     

    Attached Files:

  10. Thanks, I'll be sure to include your changes in the next release.

    I'll see what I can do about not renaming at all... I'd prefer to fix spout support instead though. I don't use spout myself (I find it breaks too many things) but I'm willing to support it - could you include the exact errors you are getting? Maybe I can fix it so that it "simply works" even with spout. If not, I'll try adding a no-renaming option.
     
  11. Offline

    maldiablo

    Well, here are the exceptions from my log that get thrown. I mainly use spout for the vanishnopacket plugin. And for reference, I still got exceptions with every plugin other then spout disabled - so it's indeed a spout compatibility issue and not a spout plugin issue.
    Thanks for taking the time to check it out.
    Code:
    2011-10-27 15:06:03 [INFO] maldiablo [/192.168.0.131:50511] logged in with entity id 8437 at ([world] 46.10616867476563, 70.00715364766364, 31.363014190646304)
    2011-10-27 15:06:03 [INFO] [VANISH] maldiablo disappeared.
    2011-10-27 15:06:04 [INFO] [MixedModeAuth] Guest user has been asked to login.
    2011-10-27 15:06:05 [INFO] Reading data
    2011-10-27 15:06:05 [SEVERE] java.lang.NullPointerException
    2011-10-27 15:06:05 [SEVERE]     at org.getspout.spout.player.SimpleAppearanceManager.onPlayerJoin(SimpleAppearanceManager.java:294)
    2011-10-27 15:06:05 [SEVERE]     at org.getspout.spout.PlayerManager.onSpoutcraftEnable(PlayerManager.java:77)
    2011-10-27 15:06:05 [SEVERE]     at org.getspout.spout.SpoutNetServerHandler.a(SpoutNetServerHandler.java:141)
    2011-10-27 15:06:05 [SEVERE]     at net.minecraft.server.Packet18ArmAnimation.a(SourceFile:36)
    2011-10-27 15:06:05 [SEVERE]     at net.minecraft.server.NetworkManager.b(NetworkManager.java:226)
    2011-10-27 15:06:05 [SEVERE]     at net.minecraft.server.NetServerHandler.a(NetServerHandler.java:92)
    2011-10-27 15:06:05 [SEVERE]     at org.getspout.spout.SpoutNetServerHandler.a(SpoutNetServerHandler.java:500)
    2011-10-27 15:06:05 [SEVERE]     at net.minecraft.server.NetworkListenThread.a(SourceFile:108)
    2011-10-27 15:06:05 [SEVERE]     at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:471)
    2011-10-27 15:06:05 [SEVERE]     at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:374)
    2011-10-27 15:06:05 [SEVERE]     at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-27 15:06:05 [INFO] [Spout] Successfully authenticated Player's Spoutcraft client. Running client version: 1.0.6.564
    2011-10-27 15:06:05 [WARNING] Task of 'Spout' generated an exception
    java.lang.NullPointerException
        at org.getspout.spout.player.SimpleAppearanceManager.onPlayerJoin(SimpleAppearanceManager.java:294)
        at org.getspout.spout.PostTeleport.run(SpoutPlayerListener.java:225)
        at org.bukkit.craftbukkit.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:137)
        at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:441)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:374)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-27 15:06:05 [WARNING] Task of 'Spout' generated an exception
    java.lang.NullPointerException
        at org.getspout.spout.player.SimpleAppearanceManager.onPlayerJoin(SimpleAppearanceManager.java:294)
        at org.getspout.spout.PostTeleport.run(SpoutPlayerListener.java:225)
        at org.bukkit.craftbukkit.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:137)
        at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:441)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:374)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-27 15:06:05 [WARNING] Task of 'Spout' generated an exception
    java.lang.NullPointerException
        at org.getspout.spout.player.SimpleAppearanceManager.onPlayerJoin(SimpleAppearanceManager.java:294)
        at org.getspout.spout.PostTeleport.run(SpoutPlayerListener.java:225)
        at org.bukkit.craftbukkit.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:137)
        at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:441)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:374)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-27 15:06:05 [WARNING] Task of 'SpoutWallet' generated an exception
    java.lang.NullPointerException
        at me.spiceking.plugins.spoutwallet.SpoutWallet.updateGUI(SpoutWallet.java:262)
        at me.spiceking.plugins.spoutwallet.SpoutWallet.onSecond(SpoutWallet.java:239)
        at me.spiceking.plugins.spoutwallet.SpoutWallet.access$000(SpoutWallet.java:51)
        at me.spiceking.plugins.spoutwallet.SpoutWallet$2.run(SpoutWallet.java:227)
        at org.bukkit.craftbukkit.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:137)
        at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:441)
        at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:374)
        at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    2011-10-27 15:06:19 [INFO] Player lost connection: disconnect.quitting
    2011-10-27 15:06:19 [INFO] Connection reset 
     
  12. Offline

    Jonchun

    Every time I install the client mod, I keep getting "java.lang.SecurityException: SHA1 digest error for wt.class"
     
  13. Remove the meta-inf folder from the .jar file, that should fix it.
     
  14. Offline

    Jonchun

    yea lol I figured that out. Boy I feel stupid ;)
     
  15. Offline

    maldiablo

    Any word on spout compatibility yet?
    I browsed around and started to realize it's probably not a simple naming issue.
    I saw one plugin (can't remember the name) where the author had to create a bridge plugin to spout's packet handler for something. I know that's a vague statement, but it felt relevant... I've been trying to remember what it was and find it.
    Since spoutcraft clients have seperate authentication with Spout servers, maybe it's just another api you have to hook into to get things working? I'm feeling kinda desperate here. This plugin is genius as it's something I always felt I needed but never thought I'd find somebody smart enough to pull it off in an intuitive way such as how you've done it. Spout support would put this thing over the top and into godhood in my book.
     
  16. I haven't really had the time to look into it yet.
    I will sometime soon though - unfortunately my available free time is rather unpredictable, so I'm not sure how soon exactly. I'll post here as soon as I know more! :)
     
  17. Pretty major update just released:

    Version 2.4:
    - New default config file - will be written if no config file is found (tip: delete your config and reload plugin to reset to defaults / see explanation text).
    - Localization support (all messages to players are now in the config file and can be edited).
    - Kick timer (kicks people out if they do not login within set-able timeout).
    - Possibly fixed Spout support (untested, please test and report back if you are using Spout!).
    - Added option to not block interactions when not logged in.
    - Added option to kick users that are trying to connect using a name that is already in use (reverses normal behaviour of kicking the logged-in user).
    - General performance improvements and small bugfixes.

    Download link is in the main post, as always.

    @maldiablo Possibly fixed Spout support. Not sure, since I don't use spout myself so I didn't test it. Please try this new build and let me know if it works and/or the error changes... :)
     
  18. Offline

    maldiablo

    Unfortunately, still no love with spout. I get a wonderful NPE as you'll see further below.
    I also realized I forgot one minor but very important bit in the legacy mode php that you may need/want to also add to your custom CB build.
    Below:
    Code:
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    Add:
    Code:
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    That's the additional timeout that kept me running while the auth servers were acting up. Sorry I forgot to mention it earlier.
    And lastly, here's my NPE
    Code:
    [INFO] [MixedModeAuth] Guest user has been asked to login.
    [INFO] Reading data
    [SEVERE] java.lang.NullPointerException
    [SEVERE]     at org.getspout.spout.player.SimpleAppearanceManager.onPlayerJoin(SimpleAppearanceManager.java:294)
    [SEVERE]     at org.getspout.spout.PlayerManager.onSpoutcraftEnable(PlayerManager.java:74)
    [SEVERE]     at org.getspout.spout.SpoutNetServerHandler.a(SpoutNetServerHandler.java:142)
    [SEVERE]     at net.minecraft.server.Packet18ArmAnimation.a(SourceFile:36)
    [SEVERE]     at net.minecraft.server.NetworkManager.b(NetworkManager.java:226)
    [SEVERE]     at net.minecraft.server.NetServerHandler.a(NetServerHandler.java:92)
    [SEVERE]     at org.getspout.spout.SpoutNetServerHandler.a(SpoutNetServerHandler.java:501)
    [SEVERE]     at net.minecraft.server.NetworkListenThread.a(SourceFile:108)
    [SEVERE]     at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:471)
    [SEVERE]     at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:374)
    [SEVERE]     at net.minecraft.server.ThreadServerApplication.run(SourceFile:417)
    [INFO] [Spout] Successfully authenticated Player_176's Spoutcraft client. Running client version: 773
    [INFO] New max size: 484
    [INFO] New max size: 784
    [INFO] [Citizens] Creating new config file at plugins/Citizens/profiles/player_176.yml.
    [WARNING] Task of 'Spout' generated an exception
          
    [WARNING] Task of 'Spout' generated an exception
          
    [WARNING] Task of 'Spout' generated an exception
          
    [INFO] [MixedModeAuth] maldiablo identified via /auth
    [INFO] maldiablo lost connection: disconnect.quitting
    [INFO] Connection reset
    
     
  19. @maldiablo :
    Grmbl. Looks like there's not much I can do then - apparently Spout doesn't handle players changing identity very well... Maybe I can actually "fake" a signoff for the old name and a signon for the new name... I'll try something like that sometime soon.

    Thanks for the extra edit to checkserver.php - I'll add it in the next release.
     
  20. Offline

    davr

    yay for piracy
     
  21. Offline

    maldiablo

    @davr
    And somehow you have a 'Plugin Developer' tag under your name? Apparently being able to read isn't a qualification. That's a very troll-like respnose you got there..

    You do realize that in the default config, it does NOT allow pirate users to play? xAuth and other 'offline' mode plugins are much better suited to that. This plugin is for those that don't want to punish legit users for a company's inability to manage DRM servers.

    Here's a slightly different explaination of how it works in case you couldn't understand the original instructions/description:

    Legit user logs in while minecraft auth servers are up. If plugin sees it's legit, it lets them in. If it's the first time, they need to enter a 'backup' password. If they're not legit - they're booted.
    If minecraft auth servers go down, those legit users aren't stuck wishing they could pirate the game just to play. They're actually rewarded for being legit by being able to access the server regardless. All they have to do is validate with those backup passwords they entered while the auth servers were up.
    It doesn't take a genius to realize how valuable that is in light of how unreliable the auth servers can be at times.

    The only downside is that if a legit user didn't set a backup password while the auth servers were up, they wouldn't have any to prove they're still legit when they're down and won't be able to get in. Not much different from how things would work without the plugin to begin with though.

    tl;dr - Pirates can't take advantage of this plugin by default. If they were to do so, they'd have to reduce it to a functionality no different from other offline auth plugins therefore making all that extra effort pointless. While I can't speak for others - if I were a piracy advocate, you can bet I'd go for a simpler 'offline' plugin instead of this.
     
  22. Exactly. This plugin does not enable any piracy that is not already possible, nor does it make it any easier than it already is/was. It only rewards legit paying users with online-mode-style access into servers that are open to offline-mode players, as well as enabling secure handling of accounts when auth servers are down. :)

    Unfortunately my craftbukkit edits still got shoved in the "piracy" corner and were not accepted into the main project, so I'm stuck distributing this "modded" build which patches about 5 lines of code making this all possible -_-

    But meh, it works.
     
  23. Offline

    davr

    Oh ok, I hadn't read all the details of the plugin. I just skimmed through and saw people talking about using the "pirate client" to log on as "non-premium users".
     
  24. Offline

    maldiablo

    Well - since it's being discussed, it does add one piraty feature. In it's default configuration, server admins can create these 'backup' passwords for accounts that aren't premium or don't even exist. Cracked clients could auth with these.

    Since cracked clients can't connect without these accounts though - it would put equal accountability for piracy on the server owner. Unlike a purely 'offline' server where the intentions of the server can be argued until the end of time. Sure you'd always have some people using this to give 'buddies' free access amidst the paid users, but I think the progress this allows for outweighs that potential. Even the paid users among these pirates on such a server would be willing to overlook this knowing they have a server they can still use when the auth servers are down.

    All in all, that's why I'm in a general 'ass kissing fanboy' mode over this plugin (Yeah, I'm willing to admit it before somebody points out the obvious). After the torrent of bitching I got from my users the last time minecraft's auth servers went down - I was ready to switch to an 'offline' server model. Yeah it's a beta game, but faithful users enjoying the product don't care about any of that and rarely understand the outside forces that cause server ops so much grief.

    I despise the idea of pirate users getting in my server. You can't possibly have the same respect for a game as a pirate. A player who paid has potential to lose that investment and have to pay again if they're banned and want to get around that ban.

    Sorry - long rant. No tl;dr though. Just my 2 cents as I'd love to see this project succeed (and eventually support spout! :D)
     
  25. This actually started exactly like you describe - I wanted to let in a few buddies that didn't have an account into my otherwise online mode server.
    However, all of them have since bought the game so there's really no need for me to keep this plugin installed anymore - but everyone liked being able to play when the MC servers are down so much, that I kept it installed and am still adding features to it :)

    The problem with Spout is that I don't use it myself (don't want to, either). I don't like how it breaks horribly every single update :) (also, I run my server on 1.9pre5 now, which obviously has no spout support at all). This makes it really complicated for me to properly test/develop Spout support. I can just start an empty server with spout and test on there, I guess, but haven't had the time to set any of that up yet :)

    I'm guessing [this bug] is probably related to the Spout issues, and am looking into that now. Hopefully I can fix both problems at the same time!
     
  26. For the people that use my plugin: I confirmed that all MixedModeAuth versions work just fine with the upcoming 1.0.0 release, and a preview build (of modded CraftBukkit r1467) is available in the topic, if you scroll up to the top :)
    Note that this is not a Recommended Build, so it may be horribly broken. There are definately some problems still with this version, so only use on small and/or testing servers until a real RB is available!
     
  27. Offline

    Zombiemold

    Any way to get this to work with a Wordpress MySQL database?

    I am rubbish at this sort of thing, but I am looking to move from AuthDB.
     
  28. Currently, this only works with so called "flat files" - simple human-readable textfiles. Support for external modification is being worked on though (through webscripts), and I may consider database support as well if there are many requests for it... :)
     
  29. Offline

    Ziden

    Hai

    im using the server mod to try this, and even if i log with my original account it tells me to log in.

    Code:
    # securemode true means premium users will be automatically
    # authorized. If it is set to false, everyone has to login,
    # always.
    # (yes, it is somewhat of a misnomer, for historic reasons ^_^ )
    securemode: true
    Using lastest MMA (Mixed Mode Auth xD) (not the experimental one) and bukkit 1337

    no console errors

    is there something im missing ?

    thanx for the attention
     
  30. Can you post a log of the messages that show in the server console when you try to login, as well as all lines that start with [MixedModeAuth] during server (re)loading?
     
    Ziden likes this.
  31. Offline

    Ziden

    I got what was it, the server was running offline mode. However, if i put online-mode, offline players cant connect. "Bad Login: User not Premium".

    Is this correct ? I tought this plugin could allow original players loggin in w/o a password while non original would need one.

    Thanx for the attention.
     
Thread Status:
Not open for further replies.

Share This Page