Inactive [SEC] AuthMe v2.5.1 - High Performance Authorization plugin [1818/1.1-R1]

Discussion in 'Inactive/Unsupported Plugins' started by pomo4ka, Jun 19, 2011.

  1. Offline

    rutr

  2. Offline

    Kaosvf

  3. Offline

    gameswereus

    Really great plugin! You deserve more recognition for this one, I think!
  4. Offline

    Scorpien65

    Works Great! Thanks ;)
  5. Offline

    whoami

    Can you use another hash algorithm to encrypt the passwords? MD5 is considered insecure and should not be used anywhere. I would recommend SHA-256 or SHA-512. You should also salt those hashes to prevent attacks with rainbow tables.

    To keep backwards compatibility, you can prefix the new hashes with "$SHA$", and all hashes which don't have such a prefix are considered to be MD5. Users who still have their passwords in the old format should get a message telling them to change their password.
  6. Offline

    ipaqmaster

    This is EXACTLY the thing I was about to request. Thank you so much. :)
  7. Offline

    whoami

    Because I was bored I actually wrote a patch for the secure storage of passwords.

    Code:
    # HG changeset patch
    # User whoami <[email protected]>
    # Date 1309338985 -7200
    # Node ID e3274b122e8b365773afc5ae60b971ae39507c54
    # Parent  9e6e13d3c9e81dda34729c587adfb6ccf93d8a1e
    Use SHA-256 and a salt to secure the passwords
    
    
    diff -r 9e6e13d3c9e8 -r e3274b122e8b src/de/fgtech/pomo4ka/AuthMe/AuthMe.java
    --- a/src/de/fgtech/pomo4ka/AuthMe/AuthMe.java    Wed Jun 29 11:10:24 2011 +0200
    +++ b/src/de/fgtech/pomo4ka/AuthMe/AuthMe.java    Wed Jun 29 11:16:25 2011 +0200
    @@ -34,6 +34,8 @@
     import de.fgtech.pomo4ka.AuthMe.Parameters.Settings;
     import de.fgtech.pomo4ka.AuthMe.PlayerCache.PlayerCache;
     import de.fgtech.pomo4ka.AuthMe.Sessions.SessionHandler;
    +import java.io.UnsupportedEncodingException;
    +import java.security.NoSuchAlgorithmException;
    
     /**
      * AuthMe for Bukkit
    @@ -57,6 +59,7 @@
         public SessionHandler sessionhandler;
         public DataSource datas;
    
    +    @Override
         public void onEnable() {
             // Creating dir, if it doesn't exist
             final File folder = new File(Settings.PLUGIN_FOLDER);
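    Review bot: The `@Override` added to `onEnable()` here (and to `onDisable()` in the next hunk) is unrelated to the changeset description "Use SHA-256 and a salt to secure the passwords". Moving the annotations into their own changeset would keep the password-storage change easier to audit.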
    @@ -186,6 +189,7 @@
             MessageHandler.showInfo("AuthMe restored the player cache!");
         }
    
    +    @Override
         public void onDisable() {
             MessageHandler.showInfo("Version " + this.getDescription().getVersion()
                     + " is disabled!");
    @@ -255,8 +259,10 @@
    
                 String password = args[0];
    
    -            boolean executed = datacontroller.saveAuth(player.getName(),
    -                    encrypt(password), customInformation);
    +            String salt = Long.toHexString(Double.doubleToLongBits(Math.random()));
    +            boolean executed = datacontroller.saveAuth(player.getName(),
    +                                                       secureCrypt(password,salt),
    +                                                       customInformation);
    
                 if (!executed) {
                     player.sendMessage(messages.getMessage("Error.DatasourceError"));
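    Review bot: The salt on the register path, `Long.toHexString(Double.doubleToLongBits(Math.random()))`, comes from `Math.random()`, which is not a cryptographically secure generator, and the bit pattern of a double in [0, 1) has a zero sign bit and a narrow exponent range, so the leading hex digits of the salt barely vary between users. Generating 8 bytes with `java.security.SecureRandom` and hex-encoding them gives a 16-character salt with full entropy and leaves the `$SHA$salt$hash` format unchanged.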
    @@ -308,7 +314,7 @@
    
                 final String realPassword = datacontroller.getHash(playername);
    
    -            if (!realPassword.equals(encrypt(password))) {
    +            if(!comparePassword(password, realPassword)) {
                     if (settings.KickOnWrongPassword()) {
                         player.kickPlayer(messages
                                 .getMessage("Error.InvalidPassword"));
    @@ -353,14 +359,13 @@
                     player.sendMessage("Usage: /changepassword <oldpassword> <newpassword>");
                     return false;
                 }
    -            if (!datacontroller.getHash(player.getName()).equals(
    -                    encrypt(args[0]))) {
    +            if(!comparePassword(args[0], datacontroller.getHash(player.getName()))) {
                     player.sendMessage(messages.getMessage("Error.WrongPassword"));
                     return false;
                 }
    
    -            boolean executed = datacontroller.updateAuth(player.getName(),
    -                    encrypt(args[1]));
    +            String salt = Long.toHexString(Double.doubleToLongBits(Math.random()));
    +            boolean executed = datacontroller.updateAuth(player.getName(),secureCrypt(args[1],salt));
    
                 if (!executed) {
                     player.sendMessage(messages.getMessage("Error.DatasourceError"));
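    Review bot: The salt expression before `updateAuth` is a copy of the one in the register hunk, and the new `datacontroller.updateAuth(player.getName(),secureCrypt(args[1],salt));` line drops the wrapping and spacing used by the surrounding code. A small private helper that returns a fresh salt, called from both places, would remove the duplication and leave one spot to change the random source.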
    @@ -420,8 +425,7 @@
                     player.sendMessage("Usage: /unregister <password>");
                     return false;
                 }
    -            if (!datacontroller.getHash(player.getName()).equals(
    -                    encrypt(args[0]))) {
    +            if(!comparePassword(args[0], datacontroller.getHash(player.getName()))) {
                     player.sendMessage(messages.getMessage("Error.WrongPassword"));
                     return false;
                 }
    @@ -641,19 +645,50 @@
             }
         }
    
    -    public String encrypt(String string) {
    -        try {
    -            final MessageDigest m = MessageDigest.getInstance("MD5");
    -            final byte[] bytes = string.getBytes();
    -            m.update(bytes, 0, bytes.length);
    -            final BigInteger i = new BigInteger(1, m.digest());
    +    private boolean comparePassword(String password, String hash) {
    +        if(hash.contains("$")) {
    +            String[] data = hash.split("\\$");
    +            if(data.length > 3 && data[1].equals("SHA")) {
    +                return hash.equals(secureCrypt(password,data[2]));
    +            } else {
    +                return false;
    +            }
    +        } else {
    +            return hash.equals(digestToMD5(password));
    +        }
    +    }
    
    -            return String.format("%1$032X", i).toLowerCase();
    -        } catch (final Exception e) {
    -        }
    +    private String secureCrypt(String password, String salt) {
    +        return "$SHA$" + salt + "$" + digestToSHA256(digestToSHA256(password) + salt);
    +    }
    
    -        return "";
    -    }
    +    private String digestToSHA256(String message) {
    +        try {
    +            MessageDigest md = MessageDigest.getInstance("SHA-256");
    +            md.reset();
    +            md.update(message.getBytes("UTF-8"));
    +            byte[] digest = md.digest();
    +            BigInteger i = new BigInteger(1, digest);
    +            return String.format("%0" + (digest.length << 1) + "x", i);
    +        } catch(UnsupportedEncodingException ex) {
    +        } catch(NoSuchAlgorithmException ex) {
    +        }
    +        return "";
    +    }
    +
    +    public String digestToMD5(String string) {
    +        try {
    +            final MessageDigest m = MessageDigest.getInstance("MD5");
    +            final byte[] bytes = string.getBytes();
    +            m.update(bytes, 0, bytes.length);
    +            final BigInteger i = new BigInteger(1, m.digest());
    +
    +            return String.format("%1$032X", i).toLowerCase();
    +        } catch(final Exception e) {
    +        }
    +
    +        return "";
    +    }
    
         public void extractDefaultFile(String name) {
             File actual = new File(Settings.PLUGIN_FOLDER, name);
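    Review bot: `secureCrypt` applies only two plain SHA-256 passes (`digestToSHA256(digestToSHA256(password) + salt)`), which is cheap to compute per guess if the stored hashes leak; an iterated key-derivation function such as PBKDF2 (available through `javax.crypto.SecretKeyFactory`) behind a new `$`-prefixed scheme tag would fit the format `comparePassword` already parses. In `digestToSHA256` the two empty `catch` blocks fall through to `return ""`, so a digest failure would store a value that can never verify without anything being logged; logging or rethrowing there would surface it. The MD5 branch of `comparePassword` accepts legacy hashes but never replaces them, so those rows stay unsalted MD5 until the user changes the password; re-saving with `secureCrypt` after a successful legacy match would migrate them.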
    
  8. Offline

    dark_hunter

    Could you explain to me how the patch would work?
  9. Offline

    whoami

    Well, it's more for the author of the plugin, as he has to include it and recompile the plugin.

    If you want, I can send you a compiled version of the plugin with the patch included via PM. But as I don't even know if pomo4ka will include it in the plugin at all, I would not use that version for anything but testing.
  10. Offline

    Kaosvf

  11. Offline

    whoami

  12. Offline

    pomo4ka

  13. Offline

    Kaosvf

    solved, thx (yes I use MySQL)
  14. Offline

    Robertas279

    Nice job, worth of notification, just your 0.77 version (fixed registering) now is bugged with login. When I log in it just keeps spamming the message "Please login use /login password" and no one can play.
  15. Offline

    whoami

    Flatfile or MySQL? Any errors on the console?
  16. Offline

    z0z1ch

    Help!
    What should the PHP code for my site look like now?
    Old code: $pass = md5(trim($_POST['password']));
    Thank you!
  17. Offline

    whoami

    You want people to register from your website, right? The old code should work, as the plugin still recognizes MD5 hash sums.

    The new format of the hash sum looks like this:

    $SHA$salt$hashsum

    In pseudo code it is created like this:

    Code:
    # (Pseudo code)
    String salt = randomString(maxLength:16);
    String encryptedPassword = "$SHA$" + salt + "$" + sha256(sha256(password) + salt);
    
    And if you want to compare if a password is the same as an encrypted password, you have to do something like this:

    Code:
    # (Pseudo code)
    # "$SHA$salt$hashsum" split on "$" gives ["", "SHA", salt, hashsum]
    String[] tmp = split("$",encryptedPassword);
    String salt = tmp[2];
    if(encryptedPassword == "$SHA$" + salt + "$" + sha256(sha256(password) + salt)) {
        # the password is correct
    }
    
  18. Offline

    alfskan

  19. Offline

    pomo4ka

  20. Offline

    alfskan

    I can't wait XD
  21. Offline

    Magie

    Hi, can you explain to me how you save the SHA hash, please?
    E.g. $SHA$3fe6143f3d2401b0$abf175df491f13ccb4c90f9cb3c509ba2b342a4f4ed576034b1920c96a7a3fa3...
    I don't understand what is between the second and third dollar.

    Thanks, Magie
  22. Offline

    whoami

    That's the salt. Look at this to understand how exactly the hash sum is created.

    To describe it in words:
    1. Create a random string (the salt)
    2. Create a sha256 hash sum from the password
    3. Append the salt to the hash created in 2.
    4. Create a sha256 hash of the string created in 3.
    5. Create a string with "$SHA$", append the salt, append "$", append the hash created in 4.
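
The five steps above and the `$SHA$salt$hashsum` format from the earlier pseudo code, as an added Java example that is not part of the thread or of AuthMe's own code. The class name `ShaSaltFormat`, the helpers `hex`, `digest` and `newSalt`, the `SecureRandom` salt source, UTF-8 encoding for the legacy MD5 branch and the sample password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class ShaSaltFormat {
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Lowercase hex digest of the UTF-8 bytes of message.
    static String digest(String algorithm, String message) {
        try {
            return hex(MessageDigest.getInstance(algorithm)
                    .digest(message.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // fail loudly, never store ""
        }
    }

    // Step 1: 16 hex characters of salt. Assumption: SecureRandom as the source.
    static String newSalt() {
        byte[] raw = new byte[8];
        new SecureRandom().nextBytes(raw);
        return hex(raw);
    }

    // Steps 2-5: "$SHA$" + salt + "$" + sha256(sha256(password) + salt)
    static String secureCrypt(String password, String salt) {
        return "$SHA$" + salt + "$" + digest("SHA-256", digest("SHA-256", password) + salt);
    }

    static boolean comparePassword(String password, String stored) {
        String expected;
        if (stored.startsWith("$")) {
            String[] parts = stored.split("\\$"); // ["", "SHA", salt, hashsum]
            if (parts.length != 4 || !parts[1].equals("SHA")) return false;
            expected = secureCrypt(password, parts[2]);
        } else {
            expected = digest("MD5", password); // legacy row without prefix
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), // constant-time
                stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String stored = secureCrypt("hunter2", newSalt()); // constructed sample password
        String legacy = digest("MD5", "hunter2");          // what a pre-patch row holds
        System.out.println(stored + " -> " + comparePassword("hunter2", stored));
        System.out.println("wrong password -> " + comparePassword("wrong", stored));
        System.out.println("legacy MD5 -> " + comparePassword("hunter2", legacy));
    }
}
```

A website that writes rows in this format only needs `secureCrypt` and `newSalt`; `comparePassword` shows why a malformed `$`-prefixed value is rejected instead of falling back to MD5.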
  23. Offline

    Pingoo

    Where can I download AuthMe v. 0.75 for Bukkit 935?
  24. Offline

    SpencerB

    I'm getting the following spammed in my console. It's a Null Pointer so I'm not sure what it can't find.
  25. Offline

    swehunter2000

    My console is being spammed with this:
    Code:
    12:01:39 [ALLVARLIG] Could not pass event ENTITY_DAMAGE to AuthMe
    java.lang.NullPointerException
            at de.fgtech.pomo4ka.AuthMe.PlayerCache.PlayerCache.getLastAlert(PlayerCache.java:68)
            at de.fgtech.pomo4ka.AuthMe.PlayerCache.PlayerCache.isAlertNeeded(PlayerCache.java:76)
            at de.fgtech.pomo4ka.AuthMe.AuthMe.checkAuth(AuthMe.java:589)
            at de.fgtech.pomo4ka.AuthMe.Listener.AuthMeEntityListener.onEntityDamage(AuthMeEntityListener.java:30)
            at org.bukkit.plugin.java.JavaPluginLoader$55.execute(JavaPluginLoader.java:628)
            at org.bukkit.plugin.RegisteredListener.callEvent(RegisteredListener.java:58)
            at org.bukkit.plugin.SimplePluginManager.callEvent(SimplePluginManager.java:321)
            at net.minecraft.server.EntityLiving.R(EntityLiving.java:122)
            at com.citizens.Resources.NPClib.PathNPC.updateMove(PathNPC.java:64)
            at com.citizens.Resources.NPClib.Creatures.CreatureNPC.doTick(CreatureNPC.java:36)
            at com.citizens.Resources.NPClib.Creatures.EvilCreatureNPC.doTick(EvilCreatureNPC.java:49)
            at com.citizens.CreatureTask$CreatureTick.run(CreatureTask.java:186)
            at org.bukkit.craftbukkit.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:137)
            at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:438)
            at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:361)
            at net.minecraft.server.ThreadServerApplication.run(SourceFile:422)
  26. Offline

    treymok

    Whenever I use /login pass I get this in my console....

    Code:
    18:25:37 [SEVERE] java.lang.ArrayIndexOutOfBoundsException: 36
    18:25:37 [SEVERE]       at de.fgtech.pomo4ka.AuthMe.InventoryCache.FlatfileCache.readCache(FlatfileCache.java:111)
    18:25:37 [SEVERE]       at de.fgtech.pomo4ka.AuthMe.AuthMe.performPlayerLogin(AuthMe.java:617)
    18:25:37 [SEVERE]       at de.fgtech.pomo4ka.AuthMe.AuthMe.onCommand(AuthMe.java:332)
    18:25:37 [SEVERE]       at org.bukkit.command.PluginCommand.execute(PluginCommand.java:35)
    18:25:37 [SEVERE]       at org.bukkit.command.SimpleCommandMap.dispatch(SimpleCommandMap.java:129)
    18:25:37 [SEVERE]       at org.bukkit.craftbukkit.CraftServer.dispatchCommand(CraftServer.java:298)
    18:25:37 [SEVERE]       at net.minecraft.server.NetServerHandler.handleCommand(NetServerHandler.java:711)
    18:25:37 [SEVERE]       at net.minecraft.server.NetServerHandler.chat(NetServerHandler.java:676)
    18:25:37 [SEVERE]       at net.minecraft.server.NetServerHandler.a(NetServerHandler.java:669)
    18:25:37 [SEVERE]       at net.minecraft.server.Packet3Chat.a(Packet3Chat.java:33)
    18:25:37 [SEVERE]       at net.minecraft.server.NetworkManager.b(NetworkManager.java:226)
    18:25:37 [SEVERE]       at net.minecraft.server.NetServerHandler.a(NetServerHandler.java:84)
    18:25:37 [SEVERE]       at net.minecraft.server.NetworkListenThread.a(SourceFile:105)
    18:25:37 [SEVERE]       at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:451)
    18:25:37 [SEVERE]       at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:361)
    18:25:37 [SEVERE]       at net.minecraft.server.ThreadServerApplication.run(SourceFile:422)
    18:25:37 [INFO] [AuthMe] Player Treymok logged in!
  27. Offline

    whoami

    Are you using another Plugin which changes/increases the size of your inventory?
  28. Offline

    whoami

    This is the same bug described in this post. We are currently testing a fix which will hopefully get rid of this.
  29. Offline

    treymok

    I was using MultiInv with no problems... when I also got BackPack it gave that....
  30. Offline

    Pingoo

    I can't connect to the server.
    I write /login <mypassword>
    and a message says I logged in successfully,
    but I can't move and a message says "Login with /login <password>".
    Screen:

    I have Bukkit 935 and I use the latest version of AuthMe.

    Sorry, I have solved my problem: I had 2 AuthMe plugins, AuthMe v0.72 and the latest AuthMe. Just delete AuthMe v0.72.
    Sorry
