Inactive [SEC] AuthMe v2.5.1 - High Performance Authorization plugin [1818/1.1-R1]

Discussion in 'Inactive/Unsupported Plugins' started by pomo4ka, Jun 19, 2011.

  1. Offline

    gameswereus

    Really great plugin! You deserve more recognition for this one, I think!
     
  2. Offline

    Scorpien65

    Works Great! Thanks ;)
     
  3. Offline

    whoami

    Can you use another hash algorithm to encrypt the passwords? MD5 is considered insecure and should not be used anywhere. I would recommend SHA-256 or SHA-512. You should also salt those hashes to prevent attacks with rainbow tables.

    To keep backwards compatibility you can prefix the new hashes with "$SHA$", and all hashes which don't have such a prefix are considered to be MD5. Users who still have their passwords in the old format should get a message telling them to change their password.
     
  4. Offline

    ipaqmaster

    This is EXACTLY the thing I was about to request, Thank you so much.:)
     
  5. Offline

    whoami

    Because I was bored, I actually wrote a patch for the secure storage of passwords.

    Code:
    # HG changeset patch
    # User whoami <[email protected]>
    # Date 1309338985 -7200
    # Node ID e3274b122e8b365773afc5ae60b971ae39507c54
    # Parent  9e6e13d3c9e81dda34729c587adfb6ccf93d8a1e
    Use SHA-256 and a salt to secure the passwords
    
    
    diff -r 9e6e13d3c9e8 -r e3274b122e8b src/de/fgtech/pomo4ka/AuthMe/AuthMe.java
    --- a/src/de/fgtech/pomo4ka/AuthMe/AuthMe.java    Wed Jun 29 11:10:24 2011 +0200
    +++ b/src/de/fgtech/pomo4ka/AuthMe/AuthMe.java    Wed Jun 29 11:16:25 2011 +0200
    @@ -34,6 +34,8 @@
     import de.fgtech.pomo4ka.AuthMe.Parameters.Settings;
     import de.fgtech.pomo4ka.AuthMe.PlayerCache.PlayerCache;
     import de.fgtech.pomo4ka.AuthMe.Sessions.SessionHandler;
    +import java.io.UnsupportedEncodingException;
    +import java.security.NoSuchAlgorithmException;
    
     /**
      * AuthMe for Bukkit
    @@ -57,6 +59,7 @@
         public SessionHandler sessionhandler;
         public DataSource datas;
    
    +    @Override
         public void onEnable() {
             // Creating dir, if it doesn't exist
             final File folder = new File(Settings.PLUGIN_FOLDER);
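    Review bot: the @Override annotations added to onEnable() here (and to onDisable() in the next hunk) are unrelated to the commit message "Use SHA-256 and a salt to secure the passwords"; split them into a separate changeset so the password-storage change can be reviewed and reverted on its own.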
    @@ -186,6 +189,7 @@
             MessageHandler.showInfo("AuthMe restored the player cache!");
         }
    
    +    @Override
         public void onDisable() {
             MessageHandler.showInfo("Version " + this.getDescription().getVersion()
                     + " is disabled!");
    @@ -255,8 +259,10 @@
    
                 String password = args[0];
    
    -            boolean executed = datacontroller.saveAuth(player.getName(),
    -                    encrypt(password), customInformation);
    +            String salt = Long.toHexString(Double.doubleToLongBits(Math.random()));
    +            boolean executed = datacontroller.saveAuth(player.getName(),
    +                                                       secureCrypt(password,salt),
    +                                                       customInformation);
    
                 if (!executed) {
                     player.sendMessage(messages.getMessage("Error.DatasourceError"));
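    Review bot: the salt in `String salt = Long.toHexString(Double.doubleToLongBits(Math.random()));` is not suitable for a security parameter: Math.random() is a non-cryptographic PRNG, and Long.toHexString does not zero-pad, so the salt length varies from record to record. Draw 8 bytes from java.security.SecureRandom and hex-encode them, and generate the salt inside secureCrypt rather than at each call site so no caller can pass a weak or reused one.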
    @@ -308,7 +314,7 @@
    
                 final String realPassword = datacontroller.getHash(playername);
    
    -            if (!realPassword.equals(encrypt(password))) {
    +            if(!comparePassword(password, realPassword)) {
                     if (settings.KickOnWrongPassword()) {
                         player.kickPlayer(messages
                                 .getMessage("Error.InvalidPassword"));
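    Review bot: `if(!comparePassword(password, realPassword))` hands realPassword straight to hash.contains("$"); if datacontroller.getHash(playername) returns null for a name that is not registered, this throws a NullPointerException, just as the replaced realPassword.equals(encrypt(password)) did. Add a null check at the top of comparePassword and treat null as a failed login rather than leaving it to the caller.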
    @@ -353,14 +359,13 @@
                     player.sendMessage("Usage: /changepassword <oldpassword> <newpassword>");
                     return false;
                 }
    -            if (!datacontroller.getHash(player.getName()).equals(
    -                    encrypt(args[0]))) {
    +            if(!comparePassword(args[0], datacontroller.getHash(player.getName()))) {
                     player.sendMessage(messages.getMessage("Error.WrongPassword"));
                     return false;
                 }
    
    -            boolean executed = datacontroller.updateAuth(player.getName(),
    -                    encrypt(args[1]));
    +            String salt = Long.toHexString(Double.doubleToLongBits(Math.random()));
    +            boolean executed = datacontroller.updateAuth(player.getName(),secureCrypt(args[1],salt));
    
                 if (!executed) {
                     player.sendMessage(messages.getMessage("Error.DatasourceError"));
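    Review bot: `String salt = Long.toHexString(Double.doubleToLongBits(Math.random()));` is copied verbatim from the register branch; keep one helper for salt generation (or do it inside secureCrypt) so a later change of the random source only has to be made in one place. Minor style point: `secureCrypt(args[1],salt)` drops the space after the comma that the rest of the file uses.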
    @@ -420,8 +425,7 @@
                     player.sendMessage("Usage: /unregister <password>");
                     return false;
                 }
    -            if (!datacontroller.getHash(player.getName()).equals(
    -                    encrypt(args[0]))) {
    +            if(!comparePassword(args[0], datacontroller.getHash(player.getName()))) {
                     player.sendMessage(messages.getMessage("Error.WrongPassword"));
                     return false;
                 }
    @@ -641,19 +645,50 @@
             }
         }
    
    -    public String encrypt(String string) {
    -        try {
    -            final MessageDigest m = MessageDigest.getInstance("MD5");
    -            final byte[] bytes = string.getBytes();
    -            m.update(bytes, 0, bytes.length);
    -            final BigInteger i = new BigInteger(1, m.digest());
    +    private boolean comparePassword(String password, String hash) {
    +        if(hash.contains("$")) {
    +            String[] data = hash.split("\\$");
    +            if(data.length > 3 && data[1].equals("SHA")) {
    +                return hash.equals(secureCrypt(password,data[2]));
    +            } else {
    +                return false;
    +            }
    +        } else {
    +            return hash.equals(digestToMD5(password));
    +        }
    +    }
    
    -            return String.format("%1$032X", i).toLowerCase();
    -        } catch (final Exception e) {
    -        }
    +    private String secureCrypt(String password, String salt) {
    +        return "$SHA$" + salt + "$" + digestToSHA256(digestToSHA256(password) + salt);
    +    }
    
    -        return "";
    -    }
    +    private String digestToSHA256(String message) {
    +        try {
    +            MessageDigest md = MessageDigest.getInstance("SHA-256");
    +            md.reset();
    +            md.update(message.getBytes("UTF-8"));
    +            byte[] digest = md.digest();
    +            BigInteger i = new BigInteger(1, digest);
    +            return String.format("%0" + (digest.length << 1) + "x", i);
    +        } catch(UnsupportedEncodingException ex) {
    +        } catch(NoSuchAlgorithmException ex) {
    +        }
    +        return "";
    +    }
    +
    +    public String digestToMD5(String string) {
    +        try {
    +            final MessageDigest m = MessageDigest.getInstance("MD5");
    +            final byte[] bytes = string.getBytes();
    +            m.update(bytes, 0, bytes.length);
    +            final BigInteger i = new BigInteger(1, m.digest());
    +
    +            return String.format("%1$032X", i).toLowerCase();
    +        } catch(final Exception e) {
    +        }
    +
    +        return "";
    +    }
    
         public void extractDefaultFile(String name) {
             File actual = new File(Settings.PLUGIN_FOLDER, name);
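    Review bot: digestToSHA256 swallows NoSuchAlgorithmException and UnsupportedEncodingException and returns "", which makes the comparison fail open: secureCrypt then produces "$SHA$" + salt + "$" with an empty hashsum, and hash.equals(secureCrypt(password,data[2])) in comparePassword is true for every password against such a record. Rethrow (wrapped in an IllegalStateException) instead of returning "", and have comparePassword reject any record whose hashsum is not exactly 64 hex characters. In the same hunk: hash.equals(...) is not a constant-time comparison; digestToMD5 still uses string.getBytes() with the platform default charset while digestToSHA256 uses UTF-8, so a non-ASCII legacy password can hash differently on two servers; and sha256(sha256(password) + salt) remains a single fast hash, so a slow KDF such as PBKDF2 (javax.crypto) or bcrypt would be the stronger choice for new records.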
    
     
  6. Offline

    dark_hunter

    Could you explain to me how the patch would work?
     
  7. Offline

    whoami

    Well, it's more for the author of the plugin, as he has to include it and recompile the plugin.


    If you want, I'll send you a compiled version of the plugin with the patch included via PM. But as I don't even know if pomo4ka will include it in the plugin at all, I would not use that version for anything but testing.
     
  8. Offline

    Kaosvf

  9. Offline

    whoami

  10. Offline

    pomo4ka

  11. Offline

    Kaosvf

    solved, thx (yes I use MySQL)
     
  12. Offline

    Robertas279

    Nice job, worthy of notification, just your 0.77 version (fixed registering) is now bugged with login. When I log in it just keeps spamming the message "Please login use /login password" and no one can play.
     
  13. Offline

    whoami

    Flatfile or MySQL? Any errors on the console?
     
  14. Offline

    z0z1ch

    Help!
    What should the PHP code for my site look like now?
    Old code: $pass = md5(trim($_POST['password']));
    Thank you!
     
  15. Offline

    whoami

    You want people to register from your website, right? The old code should work, as the plugin still recognizes MD5 hash sums.


    The new format of the hash sum looks like this:

    $SHA$salt$hashsum

    in pseudo code it is created like this:

    Code:
    # (Pseudo code)
    String salt = randomHexString(length:16);   # from a cryptographic random source
    String encryptedPassword = "$SHA$" + salt + "$" + sha256(sha256(password) + salt);
    
    and if you want to compare whether a password is the same as an encrypted password you have to do something like this:

    Code:
    # (Pseudo code)
    # "$SHA$salt$hashsum" splits into ["", "SHA", salt, hashsum]: the salt is the third element
    String[] tmp = split("$", encryptedPassword);
    String salt = tmp[2];
    if (encryptedPassword == "$SHA$" + salt + "$" + sha256(sha256(password) + salt))
        # password is correct
    
     
  16. Offline

    alfskan

  17. Offline

    pomo4ka

  18. Offline

    alfskan

    I cant wait XD
     
  19. Offline

    Magie

    Hi, can you explain to me how you save the SHA hash, please?
    E.g. $SHA$3fe6143f3d2401b0$abf175df491f13ccb4c90f9cb3c509ba2b342a4f4ed576034b1920c96a7a3fa3...
    I don't understand what is between the second and third dollar.

    Thanks, Magie
     
  20. Offline

    whoami

    That's the salt. Look at this to understand how exactly the hash sum is created.

    To describe it in words:
    1. Create a random string (the salt)
    2. Create a sha256 hash sum from the password
    3. Append the salt to the hash created in 2.
    4. Create a sha256 hash of the string created in 3.
    5. Create a string with "$SHA$" append the salt, append "$", append the hash created in 4.
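    The five steps above, together with the pseudo-code from the earlier reply to z0z1ch, as one complete reference implementation of the $SHA$salt$hashsum format. This is an added example written for this page, not code from the AuthMe plugin or from whoami's patch; it is in Python so a web front end can reuse it, the function names are my own, and the 8-byte (16 hex character) salt length is an assumption taken from the salt in Magie's quoted record. It also does two things plain string equality does not: it refuses malformed records instead of matching them, and it compares in constant time.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example for this thread, not code from the AuthMe plugin or the patch above.
# Stored format described in the thread:  $SHA$<salt>$<hashsum>
# with hashsum = sha256( sha256(password) + salt ), everything as lowercase hex.
# Function names are my own; the 8-byte (16 hex char) salt is an assumption taken
# from the 16-character salt in the example record quoted in the thread.

SHA_PREFIX = "$SHA$"


def make_salt(nbytes: int = 8) -> str:
    """Random salt as lowercase hex from the OS CSPRNG (not a Math.random()-style PRNG)."""
    return secrets.token_hex(nbytes)


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Steps 1-5 from the thread: build the "$SHA$salt$hashsum" record for a new password."""
    if salt is None:
        salt = make_salt()                      # step 1: random salt
    inner = sha256_hex(password)                # step 2: sha256(password)
    outer = sha256_hex(inner + salt)            # steps 3-4: sha256(sha256(password) + salt)
    return SHA_PREFIX + salt + "$" + outer      # step 5: "$SHA$" + salt + "$" + hash


def legacy_md5(password: str) -> str:
    """Old unsalted format the plugin still accepts: 32 lowercase hex characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_password(password: str, stored: str) -> bool:
    """Check a submitted password against a stored record in either format.

    Unlike plain string equality this (a) rejects malformed records such as
    "$SHA$salt$" with an empty hashsum instead of matching them, and
    (b) compares in constant time.
    """
    if stored.startswith(SHA_PREFIX):
        parts = stored.split("$")               # ["", "SHA", salt, hashsum]
        if len(parts) != 4 or not parts[2] or len(parts[3]) != 64:
            return False
        return hmac.compare_digest(hash_password(password, parts[2]), stored)
    if len(stored) == 32:                       # legacy MD5 record, no salt
        return hmac.compare_digest(legacy_md5(password), stored.lower())
    return False


def needs_rehash(stored: str) -> bool:
    """True for legacy MD5 records: rehash with hash_password() after a successful login."""
    return not stored.startswith(SHA_PREFIX)


def login(password: str, stored: str) -> Optional[str]:
    """Web front end login step: on success returns the record to write back
    (upgraded to the salted format if it was MD5, unchanged otherwise); None on failure."""
    if not verify_password(password, stored):
        return None
    return hash_password(password) if needs_rehash(stored) else stored
```

    The login() helper is the migration path whoami suggested earlier in the thread: a legacy MD5 record is still accepted, but the first successful login replaces it with a fresh salted record, so the old hashes disappear without asking every user to change their password.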
     
  21. Offline

    Pingoo

    Where can I download AuthMe v0.75 for Bukkit 935?
     
  22. Offline

    SpencerB

    I'm getting the following spammed in my console. It's a Null Pointer so I'm not sure what it can't find.
     
  23. Offline

    swehunter2000

    My console is being spammed with this:
    Code:
    12:01:39 [ALLVARLIG] Could not pass event ENTITY_DAMAGE to AuthMe
    java.lang.NullPointerException
            at de.fgtech.pomo4ka.AuthMe.PlayerCache.PlayerCache.getLastAlert(PlayerCache.java:68)
            at de.fgtech.pomo4ka.AuthMe.PlayerCache.PlayerCache.isAlertNeeded(PlayerCache.java:76)
            at de.fgtech.pomo4ka.AuthMe.AuthMe.checkAuth(AuthMe.java:589)
            at de.fgtech.pomo4ka.AuthMe.Listener.AuthMeEntityListener.onEntityDamage(AuthMeEntityListener.java:30)
            at org.bukkit.plugin.java.JavaPluginLoader$55.execute(JavaPluginLoader.java:628)
            at org.bukkit.plugin.RegisteredListener.callEvent(RegisteredListener.java:58)
            at org.bukkit.plugin.SimplePluginManager.callEvent(SimplePluginManager.java:321)
            at net.minecraft.server.EntityLiving.R(EntityLiving.java:122)
            at com.citizens.Resources.NPClib.PathNPC.updateMove(PathNPC.java:64)
            at com.citizens.Resources.NPClib.Creatures.CreatureNPC.doTick(CreatureNPC.java:36)
            at com.citizens.Resources.NPClib.Creatures.EvilCreatureNPC.doTick(EvilCreatureNPC.java:49)
            at com.citizens.CreatureTask$CreatureTick.run(CreatureTask.java:186)
            at org.bukkit.craftbukkit.scheduler.CraftScheduler.mainThreadHeartbeat(CraftScheduler.java:137)
            at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:438)
            at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:361)
            at net.minecraft.server.ThreadServerApplication.run(SourceFile:422)
     
  24. Offline

    treymok

    Whenever I use /login pass I get this in my console....

    Code:
    18:25:37 [SEVERE] java.lang.ArrayIndexOutOfBoundsException: 36
    18:25:37 [SEVERE]       at de.fgtech.pomo4ka.AuthMe.InventoryCache.FlatfileCache.readCache(FlatfileCache.java:111)
    18:25:37 [SEVERE]       at de.fgtech.pomo4ka.AuthMe.AuthMe.performPlayerLogin(AuthMe.java:617)
    18:25:37 [SEVERE]       at de.fgtech.pomo4ka.AuthMe.AuthMe.onCommand(AuthMe.java:332)
    18:25:37 [SEVERE]       at org.bukkit.command.PluginCommand.execute(PluginCommand.java:35)
    18:25:37 [SEVERE]       at org.bukkit.command.SimpleCommandMap.dispatch(SimpleCommandMap.java:129)
    18:25:37 [SEVERE]       at org.bukkit.craftbukkit.CraftServer.dispatchCommand(CraftServer.java:298)
    18:25:37 [SEVERE]       at net.minecraft.server.NetServerHandler.handleCommand(NetServerHandler.java:711)
    18:25:37 [SEVERE]       at net.minecraft.server.NetServerHandler.chat(NetServerHandler.java:676)
    18:25:37 [SEVERE]       at net.minecraft.server.NetServerHandler.a(NetServerHandler.java:669)
    18:25:37 [SEVERE]       at net.minecraft.server.Packet3Chat.a(Packet3Chat.java:33)
    18:25:37 [SEVERE]       at net.minecraft.server.NetworkManager.b(NetworkManager.java:226)
    18:25:37 [SEVERE]       at net.minecraft.server.NetServerHandler.a(NetServerHandler.java:84)
    18:25:37 [SEVERE]       at net.minecraft.server.NetworkListenThread.a(SourceFile:105)
    18:25:37 [SEVERE]       at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:451)
    18:25:37 [SEVERE]       at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:361)
    18:25:37 [SEVERE]       at net.minecraft.server.ThreadServerApplication.run(SourceFile:422)
    18:25:37 [INFO] [AuthMe] Player Treymok logged in!
     
  25. Offline

    whoami

    Are you using another Plugin which changes/increases the size of your inventory?

    This is the same bug described in this post. We are currently testing a fix which will hopefully get rid of this.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 16, 2016
  26. Offline

    treymok

    I was using MultiInv with no problems... when I also got BackPack it gave that....
     
  27. Offline

    Pingoo

    I cannot connect to the server.
    I type /login <mypassword>
    and a message says I logged in successfully,
    but I can't move, and a message says "Login with /login <password>".
    Screen:


    I have Bukkit 935 and I use the latest version of AuthMe.

    Sorry, I have solved my problem: I had 2 AuthMe plugins, AuthMe v0.72 and the latest AuthMe. Just delete AuthMe v0.72.
    Sorry
     
  28. Offline

    ettore85a

    Hi pomo4ka. Thank you for your beautiful plugin!!

    I have something to ask...

    Using MysqlData, can you add another 2 columns to store the player's IP and online state?

    For example
    (UserName) | (Password) | IP Address | Online
    ettore85a | fj93hfw9fwe9f | 127.0.0.1 | 1

    In the Online column, if the number is 1 the player is online; if the number is 0 the player is offline.

    Thank you, and sorry for my very bad English ;_;

    I hope you like my idea.

    Ettore
     
  29. Offline

    pomo4ka

    Hi, I myself use the plugin "IpGet" to record the address. You gave me a good idea; I'll try to do something to log all IP addresses from which the player connects.

    Version 0.79
    • Added a choice of encryption algorithm. — @whoami
    • Fixed NullPointerException (reported by Kaosvf). — @whoami
    • Fixed problem with BackPack and similar plugins (reported by treymok). — @whoami
    After updating to version 0.79 of the plugin, you will have to keep the "MD5" encryption. To set the method to "MD5", replace the value "SHA256" in config.yml with "MD5". Many bugs have been fixed; thanks a lot to the developer @whoami for his help, he did a lot for this plugin.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 16, 2016
  30. Offline

    haris2201

    Hey,
    Is there a way to see the passwords from the MySQL table?

    I want to make a login over a web front end (so I need to check the password :D)

    Thx.
     
