MineAuth - open-source password system for private servers
Posted 04 March 2011 - 07:06 PM
When minecraft.net is unavailable, players currently have the option of "not playing", or they can remove the authentication requirements of their private server and screen players based only on their user name (whitelist). This is a supported mode for the software, known as "offline" mode, and is useful for setting up LAN games.
MineAuth aims to make offline mode more secure, giving admins an in-house, password-controlled access system for their private offline servers.
MineAuth does not require any modification to the Minecraft client or server. After a small setup step, your players will use Minecraft just as they normally would.
To manage user accounts, MineAuth exposes a web UI where users can change their passwords. The web UI includes an admin tools panel for adding and deleting users, password rescue, and promoting other users to admin status.
MineAuth login page screenshot:
Setup is easy! A setup script is included with the download, and full, step-by-step instructions are provided in the User Guide on the main site. If you discover any issues or run into trouble, feel free to send mail to support at graycode dot com.
At the moment, MineAuth supports only the old launcher (before the "new look" 1.3 launcher). However, even if you don't update the launcher Minecraft will continue to update to the latest game files. Your game experience should be unaffected.
Posted 04 March 2011 - 07:28 PM
A brand new user makes his first post as an advertisement for an application he has developed designed around bypassing the need for minecraft.net authentication. Lots of room for abuse here. Not to mention if Notch wanted it to where the authentication wasn't needed, he would have coded it that way
Also it only works with the old launcher? That sets off a big red flag for me, and anybody with a security conscious mindset.
Posted 04 March 2011 - 07:29 PM
Old client is old. Everyone should use the new client.
Second, most people don't have a SQL database running on their systems.
Third most people don't have a website to run this from.
Fourth it's bad to edit the hosts file on a system. DNS is there for a reason. People may play on more then one server.
I applaud your efforts, however you are duplicating what exists and is provided by Mojang.
At this point any server that still uses 1.2 is out of date.
Posted 04 March 2011 - 10:25 PM
As far as the "advertisement" goes, it appeared from posts for other projects that this was a proper way to alert the community of a new project, gather feedback, and offer support:
- MineOS: viewtopic.php?f=10&t=115788
- AutoMap: viewtopic.php?f=1022&t=51629
- MCEdit: viewtopic.php?t=15522
- many more...
Your skepticism is understood - that's why it's all open-source! Thank you for the feedback.
Posted 04 March 2011 - 10:34 PM
The way you went about presenting your information wasn't bad per se..... just kind of suspicious. Nothing personal intended. The post itself is fine, but the fact that you are brand new to these forums combined with numerous phishing attempts and spam lately leads one to be wary.
I did take a quick browse through the code, and found nothing that stuck out as malicious, but again, as I said in my post: If Notch didn't want users authenticated, he wouldn't have built it into the code. The software is still in Beta testing, and they are working on getting the bugs out of the authentication system.
Posted 04 March 2011 - 10:37 PM
At this point any server that still uses 1.2 is out of date.
Just to clarify, there is no need to use an old client nor an old server. The only (temporary) requirement is that you stay on the old launcher. All the actual game files will continue to be updated as normal.
But to address the larger point of your message, yes this is currently an issue that needs to be worked on. Since we know there are others that share in this problem, rather than sitting on it we wanted to publish what we had so far, get some feedback and continue to iterate.
Though still fully functional, you're looking at the beginning of an open-source project. =) Thanks for the other feedback points as well.
Posted 04 March 2011 - 11:12 PM
I have a few responses to your comment about Notch's intentions:
First, one could argue that if Notch wanted users modifying maps, hacking inventories, and changing textures he would have provided the tools for us. Minecraft has benefited greatly from a passionate community that has been willing to work alongside Mojang to improve the game experience. We're just trying to add to this effort by solving the biggest hindrance we've personally experienced - the instability of minecraft.net.
Secondly, Notch has indeed provided a way for us to play Minecraft without access to minecraft.net authentication. Offline mode exists both for clients and servers, with a built-in, Mojang-approved method for disabling server-side authentication. However, as noted in that wiki page, this opens your server up to some security vulnerabilities. We wanted a way to make our servers more secure when running in this mode.
MineAuth also brings new features not available in the stock game, such as the ability to have multiple characters on a server, and to be able to actually choose the names of your characters.
Posted 04 March 2011 - 11:39 PM
You are right about the humor/irony present in the situation, but I can assure you I am not the type to blindly click on anything. And I do thank you for making it so open. If the source were not open I would not have bothered since this particular application works directly and admitedly with authentication..... Not much room for obscurity there if you catch my drift.
Having gone through the source and found nothing concerning, I actually plan to test this application of a virtual set up, and would be willing to give it a review when I am done testing it.
I don't think either of us are really in the mood for a debate on the propriety of this particular application. I agree that if minecraft.net were to be stabilized then the need for such applications would be eliminated. And until such a time as Mojang gets that all sorted out, there will be a "market" for solutions of this nature. What bothers me is it seems like this plug in would make it fairly easy for someone to set up a pirate server. And piracy is something I am dead against, and as a software developer I am sure you can respect that.
Like I said, I will be giving this a trial run and will report back my findings