Debian: Re-packaged for Bookworm
index 9b910c4524e1628ec33ae842ef4f1b0f47bf803a..edf13691f2dfe41891487596a23c57ed0eef72dc 100644 (file)
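--- a/PROTOCOL
+++ b/PROTOCOL
@@ -12,8 +12,10 @@ Replies always have the "error" attribute set; it contains an error
 message or an empty string to indicate success.
 
 Some operations require root privileges. Other operations are
-unprivileged if no login name present, or if it matches the UID
-of the requesting user.
+unprivileged if no login name present, or if the correct "auth-passwd"
+is provided and target user has allowed administration of their
+account using a password authentication. Only regular password can be
+used for such authentication, tokens are not accepted.
 
 # No operation (unprivileged)
 {
@@ -38,6 +40,7 @@ of the requesting user.
 {
        "cmd": "create-token",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "comment": "optional comment"
 }
@@ -51,6 +54,7 @@ of the requesting user.
 {
        "cmd": "delete-token",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "ident": "token id"                     # "*" for all tokens for the login+zone
 }
@@ -59,6 +63,7 @@ of the requesting user.
 {
        "cmd": "change-token"
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "ident": "token id",
        "comment": "new comment"                # optional
@@ -68,6 +73,7 @@ of the requesting user.
 {
        "cmd": "set-passwd",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "passwd": "new password"
 }
@@ -76,6 +82,7 @@ of the requesting user.
 {
        "cmd": "delete-passwd",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone"
 }
 
@@ -83,6 +90,7 @@ of the requesting user.
 {
        "cmd": "create-temp",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "validity": seconds             # Requested token validity
 }
@@ -99,6 +107,15 @@ of the requesting user.
        "passwd": "password or token"
 }
 
+# Allow/disallow management of selected account using password
+{
+       "cmd": "allow-passwd-auth",
+       "login": "login name",
+       "auth-passwd": "current password",
+       "zone": "auth zone",
+       "allow": integer
+}
+
 # List user's accounts and tokens
 {
        "cmd": "list-accts",
@@ -110,6 +127,7 @@ of the requesting user.
        "accounts": [
                {
                        "zone": "auth zone",
+                       "allow-passwd-auth": integer,           # Can anybody manage this account using its password?
                        "tokens": [
                                {
                                        "type": "token type",   # passwd/token
@@ -135,6 +153,7 @@ of the requesting user.
                        "desc": "human-readable description",
                        "allow-passwd": integer,                # Does the zone support passwords?
                        "allow-tokens": integer,                # Does the zone support auth tokens?
+                       "allow-passwd-auth": integer,           # Does the zone support password authentication for account management?
                        "max-temp-validity": seconds            # Maximum validity of temp tokens
                                                                # (if no temp tokens supported)
                }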