Custom Authentication
CustomAuthentication (CustAuth for short) replaces the authentication feature of the vanilla server software to provide additional and better functionality. A vanilla server uses a well-defined method to verify whether a user trying to connect owns a premium Minecraft account (more about that on wiki.vg). This verification is no longer done by the vanilla server but directly by SimpleServer. This makes it possible to log in in offlineMode at any time, for example if the Minecraft login servers were not reachable for the client-side login or the server-side verification process.
Additionally, there are features that let multiple guests join a server in offlineMode at the same time and let guests log in to their real account with a custom password in an easy manner.
As mentioned above, CustAuth has many impressive features (only available when custAuth=true):
- join in offlineMode
- multiple guests at the same time
- register your account with a password to be able to login to your real account in offlineMode
CustAuth as a whole also works smoothly together with some other new features of SimpleServer 8.2. For example, give with damage and teleport to waypoints would not work if the vanilla server ran in onlineMode. So now SimpleServer itself controls when it has to authenticate players online and when it just lets them pass. And obviously the bots used for some new features need to be able to pass without authentication...
There are two server options that affect CustAuth: onlineMode and custAuth.
- onlineMode -- determines whether SimpleServer has to do online verification of users joining. If you set this to false, SimpleServer runs as before in the insecure offline mode without any guarantee of players' identity. This is not recommended at all, since your server is an easy target for hackers of any kind.
- custAuth -- this option enables the additional registration and login system of custAuth. More on this in the next section. It also enables offlineMode joining and multiple guests at the same time.
The main part of custAuth works without you even noticing it and your server should just work as before.
If you set custAuth=true in your simpleserver.properties, CustAuth allows joining in offlineMode and offers a method to authenticate so you can access your normal account even if the online authentication with minecraft.net failed.
As soon as someone joins in offlineMode, you should notice that they get a name like "Player1" or "Player2". This makes it possible for multiple guests to join the server even if onlineMode=true. Note that, in order to protect your work, you shouldn't change the defaultGroup to one that is able to build and destroy.
The following commands are new when custAuth is enabled:
- /register [OLD PW] PW PW -- If you joined with your real Minecraft account, you can use this command to set a password that is later used to authenticate if you join in offlineMode. Do not use a password that is easy to guess or that you already use in other places (especially not your Minecraft password). Your data is stored very securely on the server (SHA-256 hashed together with a player-specific salt value) but is still transferred unencrypted to the server.
- /login NAME PW -- After you have registered your account, you can authenticate in offlineMode by using the login command with your usual player name and your password. If this succeeds, you have to reconnect to the server within 60 seconds to finish your authentication process. After this you are logged in as if you were in onlineMode and have full control over your player.
To deal with small connection problems or reconnects, your authentication is remembered for one minute after a disconnect. That means that you don't have to log in again if you rejoin in less than one minute.
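The two time windows described above (60 seconds to reconnect after /login, one minute of remembered authentication after a disconnect) can be modelled as follows. This is an added example, not SimpleServer's code; the class and method names are hypothetical, and binding each grant to the client address is an assumption, since the page does not say how the reconnect is matched to the login.

```python
import time

RECONNECT_WINDOW = 60  # seconds to reconnect after a successful /login
REMEMBER_WINDOW = 60   # seconds an authentication survives a disconnect


class AuthWindows:
    """Hypothetical model of custAuth's time-limited grants."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the windows can be tested
        self._pending = {}       # (name, addr) -> deadline from /login
        self._remembered = {}    # (name, addr) -> deadline from disconnect

    def login_succeeded(self, name, addr):
        # The guest must now reconnect under the real name in time.
        self._pending[(name, addr)] = self._clock() + RECONNECT_WINDOW

    def disconnected(self, name, addr):
        # Call only for players who were authenticated when they left.
        self._remembered[(name, addr)] = self._clock() + REMEMBER_WINDOW

    def may_join_as(self, name, addr):
        """On connect: True if this client may take the account offline."""
        now = self._clock()
        for table in (self._pending, self._remembered):
            # Purge expired grants so stale entries cannot be reused later.
            for key in [k for k, deadline in table.items() if deadline < now]:
                del table[key]
        key = (name, addr)
        # Each grant is single use: joining consumes it.
        used_login = self._pending.pop(key, None) is not None
        used_memory = self._remembered.pop(key, None) is not None
        return used_login or used_memory
```

Without some binding such as the address used here, any client that connects under the name inside the window would inherit the grant.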
All the data needed for custAuth is stored in the new binary nbt-file simpleserver.dat and is not readable in plaintext. So you cannot (or not easily) add arbitrary names and passwords to the playerlist. This prevents (or at least complicates) the abuse of this feature for users that did not buy the game.
You use most of custAuth every time you log in, but that's not the really interesting part. With custAuth you finally have the possibility to play as usual even if you're unable to log in to minecraft.net when starting the game. Simply don't forget to register as soon as possible while the servers are reachable :) You don't want to be unable to use this feature just when it becomes essential for playing...
Maybe you are afraid of using custAuth since the vanilla server runs in offline-mode. But I can assure you that this is no issue. Everything that the vanilla server would do if offline-mode was false is now done by SimpleServer. This enables some great new features (e.g. warppoints, the new give command wouldn't be possible without it).
If you set custAuth=true in your simpleserver.properties, you also get the possibility to join in offlineMode and use the /login and /register commands. Truly, it can be dangerous if everyone can join in offlineMode, but as long as you have the defaultGroup option set to a group that is not allowed to use, build or destroy any blocks, this is no problem.
Another point is how secure your password is. As already mentioned in the explanation of the /register command, your password is stored in the simpleserver.dat file. It is hashed with SHA-256 and an additional salt value to make brute-force attacks more difficult. This means your password can only be found with a brute-force attack by a person who has access to the simpleserver.dat on the server (so your hoster and the server admin).
However, the bigger problem is that your password is transmitted unencrypted to the server, and if you somehow make a typo and forget to write the first / of the command (or press another key instead), your password is visible in global chat.
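One server-side mitigation for the missing-slash leak described above is to hold back chat lines that have the shape of a custAuth command. This is an added example, not a SimpleServer feature; the function names and the broadcast/notify hooks are hypothetical.

```python
# Argument counts from the custAuth command list: /login NAME PW and
# /register [OLD PW] PW PW.
SECRET_COMMANDS = {"login": (2,), "register": (2, 3)}


def looks_like_leaked_credentials(chat_line):
    """True if a chat line resembles /login or /register without the slash."""
    words = chat_line.split()
    if len(words) < 3:
        return False
    first = words[0].lower()
    # Match the bare command name, or one stray character typed in place
    # of "/", such as "7login" or ".register".
    candidates = {first, first[1:]}
    for command, arg_counts in SECRET_COMMANDS.items():
        if command not in candidates or len(words) - 1 not in arg_counts:
            continue
        if command == "register" and words[-1] != words[-2]:
            continue  # /register repeats the new password; plain chat rarely does
        return True
    return False


def handle_chat(player, chat_line, broadcast, notify):
    """Suppress a suspicious line and tell only the sender (hypothetical hooks)."""
    if looks_like_leaked_credentials(chat_line):
        notify(player, "Message not sent: it looks like a command without '/'.")
        return False
    broadcast(player, chat_line)
    return True
```

A three-word line such as "login is broken" is suppressed as well; that false positive costs the sender a retry, while a miss exposes a password to everyone online.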
So in the end, I just suggest using a different password than the one you use everywhere else (especially a different one than for Minecraft) and one that isn't too easy to guess. Bad passwords are always 'test', 'password', 'asdf', '123456' and so on :P
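The storage scheme and the /register rules described on this page, shown as an added example (not SimpleServer's code). The salt-then-password layout, the dict standing in for simpleserver.dat, the function names, and requiring the old password once one is set are assumptions.

```python
import hashlib
import hmac
import secrets

# Weak passwords named on this page; a real deny-list would be far longer.
WEAK = {"test", "password", "asdf", "123456"}


def _digest(salt, password):
    # Assumed layout: SHA-256(salt || UTF-8 password). The page only says
    # "SHA-256 hashed together with a player-specific salt".
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify(store, player, password):
    """Check a /login attempt against the stored salt and digest."""
    entry = store.get(player)
    if entry is None:
        return False
    salt, stored = entry
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _digest(salt, password))


def register(store, player, new_pw, confirm, old_pw=None):
    """Model of /register [OLD PW] PW PW; returns a status string."""
    if new_pw != confirm:
        return "mismatch"
    if new_pw.lower() in WEAK:
        return "weak"
    # Assumption: changing an existing password requires the old one.
    if player in store and (old_pw is None or not verify(store, player, old_pw)):
        return "old password required"
    salt = secrets.token_bytes(16)  # fresh random salt per player
    store[player] = (salt, _digest(salt, new_pw))
    return "ok"
```

The salt makes each player's digest distinct and defeats precomputed tables, but a single SHA-256 round is fast, so anyone holding simpleserver.dat can test guesses quickly; a deliberately slow function such as hashlib.scrypt or hashlib.pbkdf2_hmac raises that cost.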