Debian: Re-packaged for Bookworm
index 9b910c4524e1628ec33ae842ef4f1b0f47bf803a..edf13691f2dfe41891487596a23c57ed0eef72dc 100644 (file)
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -12,8 +12,10 @@ Replies always have the "error" attribute set; it contains an error
 message or an empty string to indicate success.
 
 Some operations require root privileges. Other operations are
-unprivileged if no login name present, or if it matches the UID
-of the requesting user.
+unprivileged if no login name present, or if the correct "auth-passwd"
+is provided and target user has allowed administration of their
+account using a password authentication. Only regular password can be
+used for such authentication, tokens are not accepted.
 
 # No operation (unprivileged)
 {
@@ -38,6 +40,7 @@ of the requesting user.
 {
        "cmd": "create-token",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "comment": "optional comment"
 }
@@ -51,6 +54,7 @@ of the requesting user.
 {
        "cmd": "delete-token",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "ident": "token id"                     # "*" for all tokens for the login+zone
 }
@@ -59,6 +63,7 @@ of the requesting user.
 {
        "cmd": "change-token"
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "ident": "token id",
        "comment": "new comment"                # optional
@@ -68,6 +73,7 @@ of the requesting user.
 {
        "cmd": "set-passwd",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "passwd": "new password"
 }
@@ -76,6 +82,7 @@ of the requesting user.
 {
        "cmd": "delete-passwd",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone"
 }
 
@@ -83,6 +90,7 @@ of the requesting user.
 {
        "cmd": "create-temp",
        "login": "login name",
+       "auth-passwd": "current password",
        "zone": "auth zone",
        "validity": seconds             # Requested token validity
 }
@@ -99,6 +107,15 @@ of the requesting user.
        "passwd": "password or token"
 }
 
+# Allow/disallow management of selected account using password
+{
+       "cmd": "allow-passwd-auth",
+       "login": "login name",
+       "auth-passwd": "current password",
+       "zone": "auth zone",
+       "allow": integer
+}
+
 # List user's accounts and tokens
 {
        "cmd": "list-accts",
@@ -110,6 +127,7 @@ of the requesting user.
        "accounts": [
                {
                        "zone": "auth zone",
+                       "allow-passwd-auth": integer,           # Can anybody manage this account using its password?
                        "tokens": [
                                {
                                        "type": "token type",   # passwd/token
@@ -135,6 +153,7 @@ of the requesting user.
                        "desc": "human-readable description",
                        "allow-passwd": integer,                # Does the zone support passwords?
                        "allow-tokens": integer,                # Does the zone support auth tokens?
+                       "allow-passwd-auth": integer,           # Does the zone support password authentication for account management?
                        "max-temp-validity": seconds            # Maximum validity of temp tokens
                                                                # (if no temp tokens supported)
                }