

jshtab

Dangers of not using username verification


Username Verification is a process used to establish a player's identity on a ClassiCube server, and ensures that the player connecting is who they say they are.

When running servers, it is important that you enable this feature, especially when running public servers advertised on the ClassiCube server tracker. Leaving it disabled is a major security risk, and malicious players can:

  • Impersonate you, your administrators, and other players on the server
  • Easily and quickly evade name-based bans
  • Kick other players out of the server (See "Collision Kicking" below)

How do I enable Username Verification?

Thankfully, on most server software, username verification is enabled by default. But, if you accidentally turned it off and cannot find where the option is located, this section will help you!

MCGalaxy

In MCGalaxy, the name verification option can be found in Settings > Server in the section "Advanced Configuration"

[Screenshot: MCGalaxy Settings > Server, "Advanced Configuration" section]

ProCraft

In ProCraft, the name verification option can be found in the Security tab in the section "Connection"

[Screenshot: ProCraft Security tab, "Connection" section]

PyCCS (alpha)

In PyCCS 0.1.0+, the name verification flag can be enabled by setting 'verify_names' to True when constructing the Server object

# PyCCS 0.1.0+
server = Server(verify_names=True)

SHAMELESS SELF-PLUG: Try this (unfinished) ClassiCube server today! It's in Alpha and can be found here

Collision Kicking

As mentioned above, Collision Kicking occurs when a player with the same name as someone already online attempts to join a server. On certain servers, joining as someone already connected will result in the player who connected first being removed from the server. With name verification enabled, the player currently logged in will not be kicked, because the connecting player cannot be verified and is rejected instead.

Without name verification, a player can be effectively banned from a server by others by repeatedly reconnecting as them to prevent them from playing on the server.

How it works

The server tracker employs a simple trick of cryptography in order to prove to the server that the player connecting is who they say they are.

When you log into ClassiCube.net, you create a session which allows the game client to make requests on your behalf. During this session, the game client asks ClassiCube.net for a list of servers, which contains the IP to connect to, along with a string of (seemingly) random characters called the "mppass". When connecting to the server, the game client gives the server your username and this mppass. This allows the server to verify that you are in fact logged into ClassiCube.net.

What is the mppass?

The mppass is actually an MD5 checksum: a string of hexadecimal characters that is easy to compute given the original text, but (usually) impossible to reverse given only the resulting string of characters.

The original text of the mppass consists of both the username of the player connecting, and the 'salt' provided by the server to the server tracker. This salt is a random series of characters which is kept as a shared secret between the server and provider, and is never actually given to the client.

# Input String (server's salt + your username)
kuqL3HHSbOVkzOZRjit983D9Vw5M3zEMjshtab
# Resulting mppass
8e0aa02498370cc26807df70d795fdcd

When you request a list of servers from the tracker, the tracker quickly generates the mppass by putting your username at the end of that server's salt and running it through the MD5 algorithm. When you connect, the server does the same with your username and its own salt. If the two strings match, then you are verified to be logged in to the server tracker, since the only way you could have gotten a valid mppass was through the server tracker.
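The following is an added example (not code from this post, PyCCS, or any other ClassiCube server) showing the scheme described above from the server's side: the salt is generated with a CSPRNG, the mppass is MD5(salt + username), the comparison is constant-time, and the join policy mirrors the collision-kicking behaviour described in the post. The handle_join function and its "reject"/"join"/"displace" results are an assumption made for illustration.

```python
import hashlib
import hmac
import secrets

SALT_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def generate_salt(length: int = 32) -> str:
    """Random salt; shared only with the tracker, never sent to clients."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def compute_mppass(salt: str, username: str) -> str:
    """mppass = MD5(salt + username), exactly as the tracker computes it."""
    return hashlib.md5((salt + username).encode("ascii")).hexdigest()


def verify_mppass(salt: str, username: str, mppass: str) -> bool:
    """Server-side check: recompute the mppass and compare in constant time."""
    if not isinstance(mppass, str) or len(mppass) != 32:
        return False
    expected = compute_mppass(salt, username)
    return hmac.compare_digest(expected, mppass.lower())


def handle_join(online, salt, username, mppass, verify_names=True):
    """Decide what a join attempt does (hypothetical policy, per the post).

    'reject'   -> unverified name, existing player stays online
    'displace' -> same name already online, first player is kicked
    'join'     -> normal join
    """
    if verify_names and not verify_mppass(salt, username, mppass):
        return "reject"
    if username in online:
        return "displace"
    return "join"


if __name__ == "__main__":
    salt = generate_salt()
    real = compute_mppass(salt, "jshtab")   # what the tracker hands the client
    online = {"jshtab"}
    print(handle_join(online, salt, "jshtab", real))             # displace
    print(handle_join(online, salt, "jshtab", "0" * 32))         # reject
    print(handle_join(online, salt, "jshtab", "0" * 32, False))  # displace
```

The last call shows the collision-kick problem: with verify_names off, anyone who knows a name can displace that player without holding a valid mppass.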


Although username verification is important for security reasons, you forgot to mention that MCGalaxy has server-side user verification, in the case where you disable account verification, in the form of user-defined passwords. Just thought I'd add that tidbit to your post.
