FuhQuake Homepage : http://www.fuhquake.net/ FuhQuake Author : A Nourai aka 'fuhrer' (fuh) (#fuhquake on Quakenet irc) FuhQuake Forum : http://www.fuhquake.net/forum/ INTRODUCTION ------------ As of FuhQuake version 0.25, you need to install this security module for your client to be authenticated as a valid non cheat FuhQuake Quakeworld client. If you do not install this module, your client will not be authenticated by other FuhQuake clients. Without this module your client will also respond to any and all f_modified checks saying that all models are modified. If you are running a competition then you should insist all FuhQuake users install this security module. INSTALLATION ------------ For windows, simply unzip fuhquake-security.dll into the same folder as fuhquake.exe and/or fuhquake-gl.exe. For linux, simply unzip fuhquake-security.so into the same directory as fuhquake.x11 and/or fuhquake.svga and/or fuhquake-gl.glx. You will need the /proc filesystem for the linux security module to work (See the FAQ). COMPATABLE BINARIES ------------------- The security module in this package currently authenticates official FuhQuake binaries with the following versions : FuhQuake Version 0.30 (Build 585) You can type /version in the FuhQuake console to see what version and build you are running. HOW TO VALIDATE FUHQUAKE CLIENTS -------------------------------- FuhQuake clients with version at least 0.25 can authenticate other clients that appear to be FuhQuake. Basically if a client is authenticated, it means they are using a binary I put on my website and not some hacked client pretending to be FuhQuake by mimicking the f_version etc responses. This is great for competitions. You type 'validate_clients' to obtain 3 lists. The first list is a list of players who are definitely using a legitimate FuhQuake client. The last list is a list of players whose clients are not pretending to be FuhQuake (they might be using zquake, mqwcl, or some autoaim client). The middle list is the interesting one. It is a list of players whose clients appear to be FuhQuake but have not been authenticated. There are a few reasons why someone might be in this list. They might be using an old FuhQuake version that doesn't have client authentication in it. They might be using a genuine FuhQuake client with authentication support, but just haven't been authenticated yet (read below). Or they might be using some autoaim hax0red client that is trying to pass as a legitimate FuhQuake client. How do client's get authenticated? Through a hash printed in their 'f_version/fuh_version' response. To authenticate clients, you need to first do a 'fuh_version' (or 'f_version') and then type 'validate_clients'. If someone is using a legitimate FuhQuake client but you haven't seen their version response yet, then they will appear in the 'unauthenticated FuhQuake clients' list (the middle list described above). By default, FuhQuake hides the hashes from you because they look ugly. If you want to see them set 'auth_viewcrc 1'. You might be interested to know that 'verify_clients' will work when watching a demo as long as someone issues a version request in the demo. For more information see http://www.fuhquake.net/teamplay.htm . THE F_SERVER CHECK ------------------ If someone passes the validate_clients check then that means they are using an official FuhQuake binary. But it does not mean they are not cheating. They could be using an official non cheat client binary with a cheat auto aim proxy. To detect this, FuhQuake clients will respond to an 'f_server' query with the internet address (ip:port) that they are connected to. Note that the f_server response is *meaningless* unless the client has been authenticated first. To check that they have been authenticated, use the 'validate_clients' command after having issues an f_version, fuh_version or f_server (all 3 will perform client validation). In other words, after issuing an f_server request, type validate_clients to see which clients have been authenticated and then check what the f_server response for those authenticated clients are. Responses from non authenticated clients can easily be faked. THE F_MODIFIED CHECK -------------------- FuhQuake clients respond to f_modified with a list of models, sound etc that have been modified from the original ID models. If a client reports that a model has been modified, it does not necessarily mean it has been modified for the purpose of cheating. Nevertheless, competitions should insist that clients respond to 'f_modified' requests with 'all models ok". FAQ --- Q1. I'm not very smart, can you explain to me how to authenticate other clients in simple terms? A1. Follow these steps. Step 1 (Optional) : say f_version or fuh_version in messagemode1. Step 2 : say f_server in messagemode1. Step 3 : Run the validate_clients command. Players in the authenticated list are using legal binaries. Step 4 : Check the f_server response of players with authenticated binaries to see if they are directly connected to the server. If they are not, then they are using a proxy (not neccessarily cheating). Step 5 (Optional) : say f_modified and read the responses of players with authenicated binaries. Notes : *) Step 1 is optional because f_server performs client authentication just like f_version and fuh_version do. *) You have to perform the steps in that order. f_modified for example can be faked by a cheat client binary or a cheat proxy so you need to issue it last. Q2. I type f_modified/f_server (or fuh_version) in console but only my client responds. Why? A2. There are commands called f_modified, f_version and fuh_version that print your client's f_modified (etc) response. When you type f_modified (etc) in console its executing that command instead of saying f_modified (etc) in messagemode 1. Either use a different cl_chatmode, or type "say f_modified" in console, or type "f_modified" in console and hold down shift whilst pressing enter. Q3. I am playing on a quakeforge server and 'validate_clients' isn't working ?!? A3. Try using 'auth_validate 2' and read http://www.fuhquake.net/teamplay.htm for more information. Q4. I'm using Linux. How can I check if I have the /proc filesystem. A4. Type 'cat /proc/cpuinfo' (without the ') at a linux prompt. If it says file not found then you do not have the /proc filesystem and will have to install a new linux kernel. If it says your cpuinfo then you have the /proc filesystem and the linux security module should work for you. --- fuh 27/12/2002