Username Verification is the process used to establish a player's identity on a ClassiCube server; it ensures that the player connecting is who they say they are.
When running servers, it is important that you enable this feature, especially when running public servers advertised on the ClassiCube server tracker. Leaving it disabled is a major security risk, and malicious players can:
Impersonate you, your administrators, and other players on the server
Easily and quickly evade name-based bans
Kick other players out of the server (See "Collision Kicking" below)
How do I enable Username Verification?
Thankfully, on most server software, username verification is enabled by default. But, if you accidentally turned it off and cannot find where the option is located, this section will help you!
In MCGalaxy, the name verification option can be found in Settings > Server in the section "Advanced Configuration".
In ProCraft, the name verification option can be found in the Security tab in the section "Connection".
In PyCCS 0.1.0+, the name verification flag can be enabled by setting 'verify_names' to True when constructing the Server object:
# PyCCS 0.1.0+
server = Server(verify_names=True)
SHAMELESS SELF-PLUG: Try this (unfinished) ClassiCube server today! It's in Alpha and can be found here
As mentioned earlier in this post, Collision Kicking occurs when a player attempts to join a server under the same name as a player who is already connected. On certain servers, joining as someone already connected will result in the player who connected first being removed from the server. With name verification, the player currently logged in will not be kicked, since the connecting player could not be verified.
Without name verification, others can effectively ban a player from a server by repeatedly reconnecting under that player's name, which prevents them from playing on the server.
How it works
The server tracker employs a simple trick of cryptography in order to prove to the server that the player connecting is who they say they are.
When you log into ClassiCube.net, you create a session which allows the game client to make requests on your behalf. During this session, the game client asks ClassiCube.net for a list of servers, which contains the IP to connect to, along with a string of (seemingly) random characters called the "mppass". When connecting to the server, the game client gives the server your username and this mppass. This allows the server to verify that you are in fact logged into ClassiCube.net.
What is the mppass?
The mppass is actually an MD5 checksum: a string of characters that is easy to compute given the original text, but whose original text is (usually) impossible to recover given only the resulting string of characters.
The original text of the mppass consists of both the username of the player connecting, and the 'salt' provided by the server to the server tracker. This salt is a random series of characters which is kept as a shared secret between the server and provider, and is never actually given to the client.
# Input String (server's salt + your username)
# Resulting mppass
When you request a list of servers from the tracker, the tracker quickly generates the mppass by putting your username at the end of that server's salt and running it through the MD5 algorithm. When you connect, the server does the same with your username and its own salt. If the two strings match, then you are verified to be logged in to the server tracker, since the only way you could've gotten a valid mppass was through the server tracker.
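The check described above, written out as an added example (this is not code from ClassiCube, MCGalaxy, ProCraft or PyCCS). The function names, the salt length and the usernames are assumptions made for the illustration, and the salt is generated on the spot.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical helper names; not taken from any ClassiCube server's code.
def generate_salt(length: int = 16) -> str:
    """Random salt shared only between the server and the tracker."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def compute_mppass(salt: str, username: str) -> str:
    """MD5 of the salt with the username appended, as lowercase hex."""
    return hashlib.md5((salt + username).encode("utf-8")).hexdigest()

def verify_player(salt: str, username: str, supplied_mppass: str) -> bool:
    """Server side: recompute the mppass and compare with what the client sent."""
    expected = compute_mppass(salt, username)
    # Assumption of this example: accept upper- or lowercase hex from clients.
    supplied = supplied_mppass.strip().lower()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())

def demo() -> dict:
    salt = generate_salt()  # constructed; known to server and tracker only
    # Tracker side: a logged-in "Alice" requests the server list.
    alice_mppass = compute_mppass(salt, "Alice")
    return {
        "Alice with her own mppass": verify_player(salt, "Alice", alice_mppass),
        "Admin with Alice's mppass": verify_player(salt, "Admin", alice_mppass),
        "Admin with a made-up mppass": verify_player(salt, "Admin", "0" * 32),
        "Alice after the salt changed": verify_player(generate_salt(), "Alice", alice_mppass),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'verified' if accepted else 'rejected'}")
```

Only the first case is verified: an mppass is bound to both the username and the server's salt, so it cannot be reused under another name or after the server changes its salt.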