Protocol between the server and the clients
===========================================

Messages are sent through a UNIX-domain sequential packet socket
(SOCK_SEQPACKET). The client is authenticated by the user credentials which
the kernel passes automatically with the connection, so an unprivileged client
cannot claim another user's identity. For every request, a reply is sent
through the same connection. Pipelining of requests is currently not
supported: a client must wait for the reply before sending its next request.

All requests and replies are serialized as JSON objects. Requests always have
the "cmd" attribute set to the name of the command. Replies always have the
"error" attribute set; it contains an error message, or an empty string to
indicate success. Clients should check "error" before relying on any other
attribute of a reply.

Some operations require root privileges. Other operations are unprivileged if
no login name is present, or if the correct "auth-passwd" is provided and the
target user has allowed administration of their account using password
authentication (see "allow-passwd-auth" below). Only a regular password can be
used for such authentication; tokens are not accepted.

# No operation (unprivileged)

{
    "cmd": "nop"
}

# Create an account (privileged)

{
    "cmd": "create-acct",
    "login": "login name",
    "zone": "auth zone"
}

# Delete an account (privileged)

{
    "cmd": "delete-acct",
    "login": "login name",
    "zone": "auth zone"             # "*" to delete accounts in all zones
}

# Create an authentication token

{
    "cmd": "create-token",
    "login": "login name",
    "auth-passwd": "current password",
    "zone": "auth zone",
    "comment": "optional comment"
}

{
    "error": "",
    "token": "new token",           # The secret itself; later listings show only "ident"
    "ident": "token id"
}

# Delete an authentication token

{
    "cmd": "delete-token",
    "login": "login name",
    "auth-passwd": "current password",
    "zone": "auth zone",
    "ident": "token id"             # "*" for all tokens for the login+zone
}

# Change parameters of a token

{
    "cmd": "change-token",
    "login": "login name",
    "auth-passwd": "current password",
    "zone": "auth zone",
    "ident": "token id",
    "comment": "new comment"        # optional
}

# Set password for an account

{
    "cmd": "set-passwd",
    "login": "login name",
    "auth-passwd": "current password",
    "zone": "auth zone",
    "passwd": "new password"
}

# Delete password for an account

{
    "cmd": "delete-passwd",
    "login": "login name",
    "auth-passwd": "current password",
    "zone": "auth zone"
}

# Create a temporary token

{
    "cmd": "create-temp",
    "login": "login name",
    "auth-passwd": "current password",
    "zone": "auth zone",
    "validity": seconds             # Requested token validity; presumably bounded by
                                    # the zone's "max-temp-validity" (see list-zones)
}

{
    "error": "",
    "token": "new token"
}

# Authenticate a user

{
    "cmd": "login",
    "login": "login name",
    "zone": "auth zone",
    "passwd": "password or token"
}

# Allow/disallow management of the selected account using its password

{
    "cmd": "allow-passwd-auth",
    "login": "login name",
    "auth-passwd": "current password",
    "zone": "auth zone",
    "allow": integer                # Integer-encoded boolean. When enabled, any client
                                    # that knows the account's password may manage it
                                    # (create/delete tokens, change the password, ...)
}

# List user's accounts and tokens

{
    "cmd": "list-accts",
    "login": "login name"
}

{
    "error": "",
    "login": "login name",
    "accounts": [
        {
            "zone": "auth zone",
            "allow-passwd-auth": integer,   # Can anybody manage this account using its password?
            "tokens": [                     # Only identifiers are listed, never token values
                {
                    "type": "token type",   # passwd/token
                    "ident": "token id",
                    "lastmod": timestamp    # UNIX timestamp of last modification
                }
                ...
            ]
        }
        ...
    ]
}

# List known authentication zones

{
    "cmd": "list-zones"
}

{
    "error": "",
    "zones": [
        {
            "name": "auth zone",
            "desc": "human-readable description",
            "allow-passwd": integer,        # Does the zone support passwords?
            "allow-tokens": integer,        # Does the zone support auth tokens?
            "allow-passwd-auth": integer,   # Does the zone support password authentication
                                            # for account management?
            "max-temp-validity": seconds    # Maximum validity of temp tokens
                                            # (presumably 0 or absent if temp tokens are
                                            # not supported -- confirm against the server)
        }
        ...
    ]
}