vAuth
Information, Current Version: 0.1.6, Look below
If and when I recreate this plugin for the new Sponge API, the name will change, to what, I don't know just yet.
READ EVERYTHING BEFORE COMMENTING INCLUDING OTHER PAGES
Source (Also in jar)
This plugin takes the password users choose and encrypts it, then puts it in passwords.yml. Configuration is very simple, and all but a couple of message strings are configurable via <Language>.yml. You can also add your own language files to the system by copying a default language file, renaming it and changing the message strings.
Players are unable to do ANYTHING if they are not logged in or registered (Unless you don't require logins).
Important Information
This plugin is NOT related to xAuth
NOTICE: This plugin IS compatible with ALL versions of Bukkit so long as they HAVEN'T made any big code changes!
Configuration Help: Configuration
To Do
- Implement new version checker based on "Curse File API"
- Setup auto install of Polish language file
- Overhaul language system for easier use
- Add option to disable different not logged in/registered options (I forgot to put them in 0.0.6)
- Add MySQL Connect
- Add AuthMeReloaded Converter
Features List
- Require Logins or not
- Require Registering or not
- Force password changes
- Encrypted Password
- Language Support
- Permissions (SuperPerms)
- God mode til logged in or registered
- Not logged in or registered alerts
- Op Secure
- Username verify (Prevents no names and unbannable names)
- Configurable messages
- Multi-world support for logins
- Debug
- Version checker
Features added in not yet obtainable builds:
- None update out
Commands
There are 8 commands:
/login or /vlogin: Login to the server to verify you are you.
/register or /vregister: Register to the server so your account is locked to you.
/changepassword or /vchangepassword: Change the password you are registered with.
Admin
/forcepassword or /vforcepassword: Change another users password (They must be online!).
/vauth [reload, setlogin, player, language (Disabled)]: Reload: Reloads the config and user password information. SetLogin: Sets the location users are teleported to on login while they verify they are who they say they are. Player: Log in an online player via admin controls. Language: Change the language in-game (english, german, french, dutch).
/op: I added /op to this plugin to prevent people from granting op status to other players without the server owner's permission. It requires a password in order for the command to go through; the password is set in the config and then encrypted on startup.
/deop: I added /deop to this plugin to prevent people (such as griefers) who have somehow gained op on your server from deopping you (requires the same password as /op).
/ops: View all ops in ops.txt
Permissions
vauth.*: Allow access to everything in this plugin
vauth.login (requireLogin/allow-all-login WILL bypass this): Allow users access to /login
vauth.register (requireLogin/allow-all-register WILL bypass this): Allow users access to /register
vauth.changepassword (allow-all-changepassword WILL bypass this): Allow users access to /changepassword
vauth.admin.*: Allow admin access
vauth.admin.forcepasswordchange: Allow users access to /forcepassword
vauth.admin.vauth: Allow users access to /vauth
vauth.admin.secureop: Allow users access to /op (They still need the password in order to op)
vauth.admin.securedeop: Allow users access to /deop (They still need the password in order to deop)
vauth.admin.ops: Allow users access to /ops
@telmer6
It's in the next version.
@RobinF
What do you mean?
@funfair91
It should be, haven't tested it though.
Hi, is this usable in 1.3.1?
Sometimes I don't need to login.. is this a bug?
@marka2049
I'm also having this issue. It makes it very difficult for users to read the instructions on how to register.
@laserlag
Make a folder called vAuth, then start the server and stop it. Once you stop it you'll have the files, and if not I would suggest redownloading the plugin or making the yml's yourself.
It seems like the config folder/file is not being generated for me. Is there any way you could put that up for download too? This looks like the perfect plugin for my needs.
@marka2049
There is no way to prevent it unless I put in an option for it or remove it. I can add an option in the next version, which will use a different encryption system.
Hey,
This plugin is perfect, and exactly what I need, but I am having an issue.
Whenever somebody joins the server (whether they are registered or not) it asks them to login or register. While in this state, if you move the mouse at all, your view will keep jumping back and forth and spam the error message saying that you must login or register. Is there any way to prevent this?
Thanks, Mark
@ProjectNarna
I saw your posts and figured you were, but I also figured that the author hadn't done much in the way of security and needed a slight bit of help - hence the class I wrote. :)
@triggjo2
Thanks for helping make the minecraft world a safer place! :)
@jtgans
I added your method for the next version. Happy?
@jtgans
These are the exact points *I* was getting at. I didn't try out the plugin however, I was probing the author for the exact details. It wouldn't take somebody long to Rev the binary and work out the key that's being used to encrypt passes. What should be done instead is Salted Hashes like you mentioned. *SO* many plugins don't follow this, and the devs are none the wiser.
Incidentally, here's some code that provides a method to make a decently salted, base64-encoded hash of a user's password and compare it:
(you can download the non-mangled code at http://www.theonelab.com/files/SaltedHashPassword.txt)
To use this, just call SaltedHashPassword.hashAndEncode with the given password. The result you can store directly in the YAML config files as you are already. To verify a login, simply load in the stored Base64 data from the YAML file and stuff it into SaltedHashPassword.comparePasswordToHash along with the given password.
Apologies to those that work on this stuff often - the class isn't more java-like because I wrote it in freaking vim via ssh. :p
@triggjo2
This is a really insecure method of storing passwords, and incidentally, is also not an encryption method - can you please switch to using an MD5 or SHA-1 hash with an appropriate salt as I described? If you use that method, you don't have to worry about someone decrypting the passwords because they aren't even present on disk at that point.
@jtgans
I removed it cause anyone that knows how to google can just google the line that encrypts it and get a decryption of any password, or they can just write their own. If you really must know, it's a simple Base64Coder encryption with one line of code.
Let's clarify some things here: MD5 is not an encryption algorithm. It is a hashing function. Put simply, you give it some data and it produces a "token" that can't be reversed to the original data on the other side. See also http://en.wikipedia.org/wiki/Cryptographic_hash_function.
So MD5 can't be "decrypted" as there's no encryption taking place at all. The original data provided to the algorithm is mutated such that the output data is only a token (also known as a "hash") and has no relation to the original data, aside from the fact that it was generated from it. To ensure that the password the user provides is correct, you simply re-hash the password they give and compare that against the hash stored in your file somewhere. From both the plugin's and an attacker's perspective, you do not have the original data stored anywhere and the passwords are not "decryptable".
What is possible, however, is to brute-force it by obtaining the hashes and repeatedly applying the same hashing algorithm against incrementing data until you produce the same token. To mitigate this attack, you "salt" the input data with a smaller additional bit of data that only your application knows about, and you guard the tokens carefully (usually done with other security mechanisms on the machine the tokens are stored on).
If you want an encryption algorithm, you want something like 3DES, TwoFish, Blowfish, El Gamal, or others, but I seriously doubt that's what you want. The security model of this plugin needs to be kept in mind: only the users need to know their passwords, so encryption is really not what you want. You want a hashing function like SHA-1 or MD5 with a salt included to keep it secure.
Since most hashing functions are well known, removing the source that generates these hashes and stores them to disk makes little sense - the attack vector isn't the source code, it's the hashes in the password file. If you're concerned about your implementation of your code, you might consider using the hashing functions provided by the Java JDK. If not, please reconsider whatever it is you're doing in the secure bits of your plugin's source - reimplementing security algorithms is a non-trivial task and is often the source of major security problems.
@itsMEE2
Ok I see the error and I can have it fixed pretty quick I'll have it in 0.0.5!
@olha2
You're welcome!
@Tombikos
Nope, MD5 can be decrypted too easily from searching it on Google.
What encryption? MD5?
Thank you so fricking much! Finally an auth plugin that works with MagicSpells :D
Got a problem when being in Creative Mode, non-OP. Here's the error...
@triggjo2
You didn't answer my question of whether it was hashed or encrypted. If it's hashed (like it seems), then using a salt with your hash would prevent hash lookups from being possible.