
- Understanding MC Auth Servers -

Synopsis

This is less a tutorial than a collection of things I have learned over the years of messing around with Minecraft servers; it should help you understand what Minecraft authentication servers actually do for you and what you give up when you run without them.

Information

Have you ever tried hosting a Minecraft Java Edition server and wondered what the online-mode flag in the server.properties configuration file does? If set to true, every player who joins must authenticate through Mojang's official authentication (session) servers. The game server itself never handles a password: the client logs in to Mojang, and the server only asks Mojang's session server whether the connecting client really logged in as the username it claims.

By default, Mojang does the heavy lifting: it verifies which usernames are taken and which credentials belong to which account. This takes the weight off server owners, who don't need to keep a database of every user who joins on their own storage, which is especially useful for servers with large player counts.

If the online-mode flag is set to false, the server operates without any authentication server. These servers are commonly known as "cracked servers" and are favored by people who want to play Minecraft without a genuine Mojang account, usually because they haven't purchased the game and so have no account at all.

(I assume it's all Microsoft now due to the Mojang acquisition but I digress)

As that suggests, running a server without an authentication server is pretty silly, because no user verification is done at all. In offline mode the server identifies a player by nothing more than the username they typed, so users can join under any name they wish; if a username holds operator privileges, the owner's for example, any player can log in under that name and wreak havoc.

If you aren't familiar with Minecraft launchers, you might think there is no way to play as someone else without access to their email and password. That is true, but only for the Mojang auth servers. There are third-party launchers built for cracked servers that let users create "cracked" accounts not tied to any auth server, meaning you can call yourself anything, even a name another player already uses.
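To make the last two paragraphs concrete, here is an added example (my own illustration, not code from this post or from Mojang) that audits a server's operator list for exactly the problem described: in offline mode the vanilla server derives a player's UUID from the username alone (MD5 of "OfflinePlayer:" plus the name, as a version-3 UUID), so an ops.json entry carrying that UUID belongs to whoever types the name. The example assumes the vanilla file layouts (server.properties as key=value text, ops.json as a JSON list of entries with "uuid", "name" and "level") and uses constructed sample contents rather than real files.

```python
"""Added example (not code from the original post): audit a Java Edition
server's operator list for identities anyone can claim in offline mode.

Assumptions, also marked in comments: server.properties is key=value text
and ops.json is a JSON list of {"uuid", "name", "level", ...} entries, as
the vanilla server writes them; the sample contents below are constructed.
"""
import hashlib
import json
import uuid


def offline_uuid(name: str) -> uuid.UUID:
    """Identity the vanilla server assigns a player when online-mode=false.

    It MD5-hashes "OfflinePlayer:" + name and turns the digest into a
    version-3 UUID (Java's UUID.nameUUIDFromBytes). No secret is involved,
    so whoever types this username gets this identity, ops entry included.
    """
    digest = bytearray(hashlib.md5(f"OfflinePlayer:{name}".encode("utf-8")).digest())
    digest[6] = (digest[6] & 0x0F) | 0x30  # version nibble = 3 (name-based, MD5)
    digest[8] = (digest[8] & 0x3F) | 0x80  # RFC 4122 variant bits
    return uuid.UUID(bytes=bytes(digest))


def parse_properties(text: str) -> dict[str, str]:
    """Minimal reader for server.properties (key=value lines, '#' comments)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_ops(properties_text: str, ops_text: str) -> list[str]:
    """One finding per operator whose stored UUID is the offline derivation
    of their name, i.e. an op account any cracked client can log in as.

    Entries that do not match (e.g. real Mojang UUIDs left over from when the
    server ran in online mode) grant nothing in offline mode, because the
    server will never produce that UUID for anyone, so they are not reported.
    """
    props = parse_properties(properties_text)
    # The vanilla default is online-mode=true when the key is absent.
    online_mode = props.get("online-mode", "true").lower() == "true"
    if online_mode:
        return []
    findings = []
    for entry in json.loads(ops_text):
        name = entry["name"]
        stored = uuid.UUID(entry["uuid"])
        if stored == offline_uuid(name):
            findings.append(
                f"{name} (op level {entry.get('level', '?')}): UUID {stored} is "
                f"derived from the username alone; any client choosing the name "
                f"'{name}' gets these privileges"
            )
    return findings


# Constructed sample files: a cracked server whose owner opped themselves,
# plus a stale entry carrying a Mojang-style random (version 4) UUID that is
# made up here and predates the switch to offline mode.
SAMPLE_PROPERTIES = """\
#Minecraft server properties
online-mode=false
server-port=25565
max-players=20
"""

SAMPLE_OPS = json.dumps([
    {"uuid": str(offline_uuid("ServerOwner")), "name": "ServerOwner",
     "level": 4, "bypassesPlayerLimit": False},
    {"uuid": "2f1c0e9e-5e9a-4d0b-9f8a-3c6d1e2b4a5c", "name": "OldAdmin",
     "level": 3, "bypassesPlayerLimit": False},
])

if __name__ == "__main__":
    for finding in audit_ops(SAMPLE_PROPERTIES, SAMPLE_OPS):
        print("RISK:", finding)
```

Run against a real installation by reading the two files from the server directory instead of the constructed samples. The check is only meaningful with online-mode=false; on an online-mode server the UUIDs in ops.json come from Mojang and are tied to a real account.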

Thankfully, there are server-side plugins built specifically to fix this. They work on the principle that whenever a user joins the server, they must log in by typing a password; if it is the first time a player has joined, they are asked to register a password instead, since their username is unique within the plugin's own database.

If you would like to run a vanilla server with no plugins at all while bypassing the Mojang authentication servers, you do have the option of giving nobody operator privileges and issuing operator commands only from the console. The console is the window that appears whenever you start a Minecraft server and lets you control everything about its operation.

If you do decide on the vanilla route, beware that nothing stops people from flooding your server with bots, since you would have no plugins set up to stop them. Most authentication plugins give users a time limit to register or log in; if they exceed it, they are kicked.
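The register/login gate described two paragraphs up, together with the time limit mentioned here, as an added example of my own (not code from this post or from any actual plugin): a player who joins is frozen until they register or log in, a registered name cannot be re-registered by a second cracked client, passwords are stored as salted PBKDF2 hashes and compared in constant time, and a periodic tick kicks anyone still unauthenticated past the deadline. It assumes a real plugin would call these hooks from the server's join, leave and command events and persist the credential store on disk; here the store is an in-memory dict and the clock is passed in explicitly so the flow can be exercised offline.

```python
"""Added example (not code from the original post or any real plugin): a
model of the register/login gate that authentication plugins put in front
of players on a cracked server, including the join-to-login time limit.

Assumptions, also marked in comments: a plugin would drive these hooks from
server events and persist the credential store; here it is an in-memory
dict and the current time is passed in by the caller.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000      # cost of one password check; tune for the host
DEFAULT_TIMEOUT_S = 30.0     # seconds a joined player has to /register or /login


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AuthGate:
    def __init__(self, timeout_s: float = DEFAULT_TIMEOUT_S) -> None:
        self.timeout_s = timeout_s
        # name -> (salt, hash); a real plugin would persist this (assumption)
        self.store: dict[str, tuple[bytes, bytes]] = {}
        self.pending: dict[str, float] = {}    # name -> deadline to authenticate
        self.authenticated: set[str] = set()

    def on_join(self, name: str, now: float) -> str:
        """Freeze the player until they authenticate; return the command they need."""
        self.authenticated.discard(name)       # a rejoin never inherits an old session
        self.pending[name] = now + self.timeout_s
        return "login" if name in self.store else "register"

    def register(self, name: str, password: str, now: float) -> bool:
        """First-time players set a password. A name already in the store is
        refused, which is what stops a second cracked client claiming it."""
        if not self._still_pending(name, now) or name in self.store:
            return False
        salt = os.urandom(16)
        self.store[name] = (salt, _hash_password(password, salt))
        return self._grant(name)

    def login(self, name: str, password: str, now: float) -> bool:
        if not self._still_pending(name, now) or name not in self.store:
            return False
        salt, expected = self.store[name]
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return False                       # wrong password: still pending, clock still running
        return self._grant(name)

    def tick(self, now: float) -> list[str]:
        """Periodic task: return (and forget) everyone whose deadline passed, to be kicked."""
        expired = sorted(n for n, deadline in self.pending.items() if now >= deadline)
        for name in expired:
            del self.pending[name]
        return expired

    def allow_action(self, name: str) -> bool:
        """Gate for movement, chat and every command other than /register and /login."""
        return name in self.authenticated

    def on_leave(self, name: str) -> None:
        self.pending.pop(name, None)
        self.authenticated.discard(name)

    def _still_pending(self, name: str, now: float) -> bool:
        return name in self.pending and now < self.pending[name]

    def _grant(self, name: str) -> bool:
        del self.pending[name]
        self.authenticated.add(name)
        return True


if __name__ == "__main__":
    gate = AuthGate(timeout_s=30)
    print(gate.on_join("ServerOwner", now=0.0))              # register
    print(gate.register("ServerOwner", "correct horse", now=1.0))
    gate.on_leave("ServerOwner")
    print(gate.on_join("ServerOwner", now=50.0))             # login
    print(gate.register("ServerOwner", "anything", now=51.0))  # refused: name taken
    print(gate.tick(now=100.0))                              # ServerOwner kicked, never logged in
```

The one-name-one-password rule is what turns a username on a cracked server back into an identity: the first person to register a name owns it, and the deadline bounds how long an unauthenticated connection can sit in the player list.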

Keeping the server on a private LAN reachable only through a VPN, with connection credentials given to the people you trust, would be preferable if you do go the full vanilla no-authentication-plugin route: people and automated bots could not scan your network for the server's open port and join that way. But at that point, I doubt it would be worth the effort of making a private tunnel just for that ;)

To clarify the previous point, the reason people or bots could not find the server by scanning your ports is that you would not need to open any: you and your trusted people reach the server through the VPN tunnel, so exposing a port directly to the internet would be redundant and counterproductive in this scenario.

Security would then sit at the network level rather than relying on any Minecraft code. Interestingly, that makes it the better option if you plan to host very old versions of Minecraft, since you would likely dodge a vulnerability hellscape down the line.

Hopefully this is useful to some people; I would rather pass on this knowledge than leave it forgotten.

A drawing of ai from beastars

Art by Joze Osaka