Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    CypherX

    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page: http://dev.bukkit.org/server-mods/xauth/

    Thanks to everyone who has showed support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel (irc.rizon.net #LoveDespite) or toss me a message at http://love-despite.com/forum. Until we meet again, stay gold. Bang.

    ------------------------------------------------------------------​

    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.


    Features
    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pickup items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lockout the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog (click for full changelog)
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dieing to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.
     
  2. Offline

    Doenerb0y

    if Players IP is changeing there inventory was from there last login restored. here is the error:
    Code:
    13:14:34 [INFO] Doenerb0y [/IPHERE] logged in with entity id 17108 at ([GSwelt] -172.26805813823063, 76.0, 220.23353045698542)
    >
    13:14:34 [INFO] Fetching addPacket for removed entity: CraftPlayer{name=Doenerb0y}
    >
    13:14:36 [INFO] Connection reset
    >
    13:14:36 [SEVERE] java.net.SocketException: Socket closed
    >
    13:14:36 [SEVERE]      at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:116)
    >
    13:14:36 [SEVERE]      at java.net.SocketOutputStream.write(SocketOutputStream.java:153)
    >
    13:14:36 [SEVERE]      at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    >
    13:14:36 [SEVERE]      at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    >
    13:14:36 [SEVERE]      at java.io.DataOutputStream.flush(DataOutputStream.java:123)
    >
    13:14:36 [SEVERE]      at net.minecraft.server.NetworkWriterThread.run(SourceFile:103)
    >
    13:14:40 [INFO] [xAuth] Doenerb0y has logged in
    anyone knows how to fix?
     
  3. Offline

    Danielk0703

    I got logged out (12 times -.-) with this message:
    "Login from another location."
    Can someone help me pls?
     
  4. Offline

    ChemicallyGodly

    somone else logged in with your name this is vannila mincraft stuff.

    Can you add an ip-login feature. basically instead of players having to log in, ip's would have to. becuase i have 2 people on my server(brothers) but one was banned but is logging in with another account and i cant ip ban them becuase i want the other brother to be able to get back on. maybe add a command like /registerip <pass>.(login would be normal /login <pass>).this way only the one brother would know the pass but not the other.

    or even better ip to username registration. player x and ip x can log-on with a pass.not player y with ip x

    Edit: I dont have a git hub account.

    Edit Edit: I keep thinking of ideas. custom account limit for certain ips. so global could be like 5 but for him just 1. separate file i presume

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jul 17, 2016
  5. Offline

    Krazy

  6. Offline

    ChemicallyGodly

  7. Offline

    Krazy

    [xAuth] Loading xAuth v2.0.5

    CypherX

    maybe this solve poblem?

    Code:
        @Override
        public void onPlayerKick(PlayerKickEvent event) {
            if (event.getReason() == "Logged in from another location.") {
                event.setCancelled(true);
            }
        }
     
        @Override
        public void onPlayerLogin(PlayerLoginEvent event) {
            for (Player p : plugin.getServer().getOnlinePlayers()) {
                if (p != event.getPlayer() && p.getName().equalsIgnoreCase(event.getPlayer().getName())) {
                    event.setResult(Result.KICK_OTHER);
                    event.setKickMessage("Another player with your name is already on this server!");
                    break;
                }
            }
        }
    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jul 17, 2016
  8. Offline

    CypherX

    It's really not necessary to post your comments on here AND on Github. Especially when you fail to read.
     
  9. Offline

    Krazy

    sorry, when new version realese?
     
  10. Offline

    CypherX

    Updated to version 2.0.6:
    • Health will no longer regenerate for players who are not logged in.
    • Fixed: Location protection activating while guest.protect-location is set to false.
    • Fixed: Item duplication exploit involving connecting with two clients.
    • Fixed: NoLagg "Synchronized code got accessed from another thread" errors.
    • Added option to show/hide inventory when not logged in. If the inventory is shown, the player will be unable to drop items and modify the inventory. If players on your server are experiencing item loss, disable this.
    • Fixed non-logged in players being able to damage other entities.
    • Fixed all players having to register even when forced registration was set to false.
    A fix for the spawn location issue has been found but causes a conflict with Multiverse (and similar plugins) so it wasn't included in this update.
     
  11. Offline

    Heliwr

    With 2.0.6 and forced: false, new players are still required to register.
     
  12. Offline

    CypherX

    Heliwr
    Make sure they don't have the xauth.register permission.
     
  13. Offline

    Heliwr

    They don't, I have only assigned that permissions node to mods+.

    edit: dammit, they do even though it isn't explicitly assigned - does your plugin assign it by default?
    edit2: working as expected with xauth.register explicitly set to false for non-mods. Thanks.
     
  14. Offline

    CypherX

    Well it's working fine on my test server. Did you change it while the server was running and not do a /xauth reload?
     
  15. Offline

    Heliwr

    No, but the permissions node was assigned 'behind the scenes'. Explicitly overriding the default assignment with a false fixed it.
     
  16. Offline

    ChemicallyGodly

    no mean to annoy but did you check out my post with the idea's of ip's
     
  17. Offline

    CypherX

    It's not feasible. What if multiple people play from the same IP?
     
  18. Offline

    ChemicallyGodly

    well basically its not a global thing its a per user special case kinda thing. i ban someone but they have a brother who still likes to get on but in that case they both can still get on just with a diff username(which i don't want).i force them to register their ip. well him(the un banned brother) and say if you give away registered ip passwords you will be ip banned. please tell me if you want me to go more in depth on this.

    http://dev.bukkit.org/server-mods/ipcheck/

    sorta like this but instead of name to ip its password to ip.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jul 17, 2016
  19. Offline

    Pijanista

    how to transfer mysql base from authme to xauth ? or i need start everything from begin.
     
  20. Offline

    CatsyLady

    well, it was not happen when the server has spout installed,
    i dont know how, but spout fixed the exploit


    maybe you re add this feature again for a spout only version?

    it is really annoying when you get kicked by haters, when they
    login with your name
     
  21. Offline

    CypherX

    Did you not read my last sentence? It says to learn how to IP ban. Dynamic IP? No problem, get a plugin that can ban IP ranges.
     
    Avarice likes this.
  22. Offline

    CatsyLady

    i did read, but there was a way to prevent it by using spout
    it worked well, so there must be a way


    yes i have a plugin, i use iptables, but that is not the "smart" way
     
  23. Offline

    Avarice

    CypherX We love this plugin, really. ^_^ Thank you for all of your hard work on it!
     
  24. Offline

    Danielk0703

    Yes, Thx dud! I love this plugin too! :)
     
  25. Offline

    nhoclesnar

    This plugin is always the greatest auth plugin. Diamonds for you cypher :)
     
  26. Offline

    Pijanista

    how to transfer mysql base from authme to xauth ? or i need start everything from begin.
     
  27. Offline

    wiigor


    I know its annoying to hear people start all the time about a bug that is very difficult to fix. And it may seem like people are not thankfull by constantly starting about the same point. But this is not the case they are really thankful you develop and mantain this beautfiful plugin. I have used it for a year now and im very happy with it. But I really think you underestimate this bug. But this bug is really a very annoying and high priority bug.

    Since people are getting logged off using this bug all the time. Just to annoy or to join a full server by kicking people off.

    People connect using proxies. A very popular minecraft grief and hack client called nodus makes it very easy to connect through any socks proxy and thousands new socks proxies appear every day, with very different IP's.

    The only real solution ATM is setting the server to online mode, defeating the need of xauth all together.

    Why isnt it possible to only kick the connecting player if and only if a player with the same name is logged into xauth?

    This means the kick algoritm could have an extra check to see if the name is currently logged into xauth and he is only kicked when he is not logged in. this should fix the issue.
     
  28. Offline

    CypherX

    wiigor

    It isn't a bug, that's how Minecraft natively handles it.
     
  29. Offline

    wiigor

    If this is true how come it used to work correctly, in previous versions of xauth, when including the spout plugin into the bukkit plugin dir? I had no problems at all with the older version and spout plugin combined. So some code of spout is a workaround for the way how Minecraft natively handles it?
     
  30. Offline

    CypherX

    There is no "if this is true". Go set up a vanilla Minecraft server and connect with the same name using two clients. What happens?
     
  31. Offline

    alexlv4

    Hi.
    This is a great plugin.
    But I have a question.
    I try to using authurl but I can not make it works

    This is my configuration
    Code:
    authurl:
      enabled: false
      url: http://mexcrafters.com/xauth/verify.php
      registration: false
      status: false
      groups: false
      broadcast-login: true
    
    The PHP file works fine I have tested it

    PHP:
    <?php
    // this script is tested with SMF 2.X
     
    /* The format is pretty simple, and always returns exactly 2 lines.
     
    if successful, return this:
     
    YES
    forum_name
     
    if not successful, return this:
     
    ERROR
    String to return to user describing error
     
    */
     
    // $localaddr should be the IP your webserver is listening on, if this page isn't being visited by the same IP ($_SERVER['REMOTE_ADDR'])
    // then errors are logged and a warning email is sent to the email configured in done() so no one tries to use this to bruteforce
    // passwords, you really should just restrict this to only the server accessing it, I only make it accessible over localhost or to
    // my home address over SSL only.
    $localaddr "127.0.0.1";
    if(
    $_SERVER['REMOTE_ADDR'] != 'minecraft.mx') die("Acceso Denegdo!");
     
    function 
    writeToFile($message$fname 'auth.log'$mode 'a'){
        
    $fp fopen($fname$mode);
        
    fwrite($fptime().': '.$message."\n");
        
    fclose($fp);
    }
     
    function 
    checkPassword($checkPass$realPass$algorithm) {
        switch (
    $algorithm) {
        case 
    1:
            return 
    $realPass == hash('whirlpool'$checkPass);
        case 
    2:
            return 
    $realPass == hash('md5'$checkPass);
        case 
    3:
            return 
    $realPass == hash('sha1'$checkPass);
        case 
    4:
            return 
    $realPass == hash('sha256'$checkPass);
        default:
            
    // xAuth hashing
            
    $saltPos = (strlen($checkPass) >= strlen($realPass) ? strlen($realPass) : strlen($checkPass));
            
    $salt substr($realPass$saltPos12);
            
    $hash hash('whirlpool'$salt $checkPass);
            return 
    $realPass == substr($hash0$saltPos) . $salt substr($hash$saltPos);
        }
    }
     
    function 
    done($msg$template "ERROR\n%s"){
        
    printf($template$msg);
        global 
    $localaddr;
        if(
    $_SERVER['REMOTE_ADDR'] != $localaddr){
            
    $result sprintf(str_replace("\n"", "$template), $msg);
            
    writeToFile("result: ".$result);
            
    // only if it's a bad pass, text me
            
    if(strpos($msg'assword') === FALSE)
                exit;
            
    $to "YOUR_EMAIL_ADDRESS_IF_REQUIRED";
            
    $subject "auth alert";
            
    $message .= $result."\n";
            
    //$message .= $_SERVER['REMOTE_ADDR']." user: ".$_REQUEST['user'].", field: ".$_REQUEST['field'].", pass length: ".strlen($_REQUEST['pass']);
            
    $message .= $_SERVER['REMOTE_ADDR']." user: ".$_REQUEST['user'].", pass length: ".strlen($_REQUEST['pass']);
            
    $from "EMAIL_TO_SEND_FROM";
            
    $headers "From: $from";
            
    $sendmail_params "-f $from -r $from";
            
    writeToFile("mail sent: ".(mail($to,$subject,$message,$headers$sendmail_params) ? 'true' 'false'));
        }
        exit;
    }
     
    if((
    $_SERVER['REMOTE_ADDR'] != 'minecraft.mx')
        || !isset(
    $_REQUEST['pass']) || !isset($_REQUEST['user']))
        
    //|| !isset($_REQUEST['field'])    || ($_REQUEST['field'] != 'minecra')
        
    die("Acceso Denegado!");
     
    $user $_REQUEST['user'];
    $pass $_REQUEST['pass'];
    //$field = 'cust_'.$_REQUEST['field'];
     
    if($_SERVER['REMOTE_ADDR'] != $localaddr)
        
    //writeToFile($_SERVER['REMOTE_ADDR']." user: $user, field: $field, pass length: ".strlen($pass));
        
    writeToFile($_SERVER['REMOTE_ADDR']." user: $user, pass length: ".strlen($pass));
     
    $db_server 'localhost';
    $db_name 'any_db';
    $db_user 'any_admin';
    $db_passwd 'any_pass';
     
     
    $link =  mysql_connect($db_server$db_user$db_passwd);
    mysql_select_db ($db_name);
    if (!
    $link) {
        die(
    'No pudo conectarse: ' mysql_error());
    }
     
    $result mysql_query("SELECT `minecraftname`, `minecraftpassword` FROM `anytable` WHERE `approved` = 1 AND `confirmed` = 1 AND `banned` = 0 AND `minecraftname` = '".$user."'" );
            if (!
    $result) {
                    echo 
    'Could not run query: ' mysql_error();
                    exit;
                }
                
    $row mysql_fetch_row($result);
    $member_name $row[0];
    $pass_hash $row[1];
     
    mysql_close($link);
     
    if(
    checkPassword($pass_hash,$pass,'0')){
        
    done($user"YES\n%s");
    }
    else{
        
    done('No estas registrado o no has dado de alta tu cuenta en tu perfil de Mexcrafters: http://mexcrafters.com/Communidad.html');
    }
     
    ?>
    Mi server IP is minecraft.mx, and mi webpage is mexcrafters.com id diferent servers
    Thanks in advance
     
Thread Status:
Not open for further replies.

Share This Page