Andoz_Cz

Feb 3rd, 2017

The TeamSpeak 3 user management and permission system
=====================================================

Copyright (c) TeamSpeak Systems GmbH

-----------------------------------------------------------
1. TeamSpeak 3 server user management
-----------------------------------------------------------

The mechanism controlling user permissions on a TeamSpeak 3 server is fundamentally different from that in TeamSpeak 2.
In TeamSpeak 2, individual users were added to the server's database and permissions were bound to a user login name and password.
In TeamSpeak 3, user login names and passwords no longer exist. Instead, users connect to a virtual server providing just
a nickname, which is only used to display the user to others and is in no way related to access control.
To identify a user on a TeamSpeak 3 virtual server, a public key encryption mechanism is used: When the client is started
for the first time, it automatically creates a key pair consisting of a public and a private key. The first time a new user
connects to a virtual server, his client will automatically send his public key to the server.

The virtual server creates a unique identifier from this public key and stores this identifier in its database. So
instead of identification with login and password, a TeamSpeak 3 server identifies users by their unique ID.
Should the user delete his private key and create a new one when connecting, he will be treated as a new individual by the server.

Since there is no input needed to "register" on a TeamSpeak 3 server, there is no such thing as a manual registration in TeamSpeak 3.
Basically, once you connect you are automatically registered on the server you connected to. When you join again, the server
will recognize you.


-----------------------------------------------------------
2. TeamSpeak 3 permission overview
-----------------------------------------------------------

All settings that you can apply to a client on the server side are stored in reference to the client's unique ID.
This way, when the client reconnects to the server, maybe using a new IP or a new nickname, the server can still recognize it by
the unique ID and apply these settings. One of the more important settings you can apply to clients is of course to grant or
revoke certain permissions to them.

Clients joining for the first time will automatically become a member of the default Server Permissions Group that is configured
via the server settings - also, clients that join a channel they have not visited before will automatically be inserted into the
Default Channel Permission Group (also configured via the server settings). Usually you will be a member of some kind of
administrator group that allows you to configure the server in the way you like it. The default group layout contains a "Server Admin"
group for this purpose.

When a new virtual server is created, the server's global template groups are copied to the virtual server's server default and admin group,
so modifying the templates is a good way to set up a security and access policy for multiple virtual servers without the need to modify
each virtual server's permissions individually, although this can still be done to tweak individual virtual servers if required.


-----------------------------------------------------------
3. The chicken and the egg, or how to use privilege keys
-----------------------------------------------------------

One obvious problem that presents itself is the following: How does the first client receive elevated permissions when there is no
other client with elevated permissions yet that could grant these permissions? The solution for this problem is through permission keys,
which will now be explained:

A permission key is similar to a client with administrator privileges that adds you to a certain permission group, but without the necessity
of such a client with administrator privileges actually existing. It is a long (random looking) string that can be used as a ticket into
a specific server group.

As an example, I am a server hoster and a client has just purchased a server. I send this client a privilege key that, once it is used
on the client's server, will grant the client that used it administrative powers. Or, in a different use case, I might be a server administrator
and I want three of my friends to become members of the clan management permission group. Since these friends are not currently connected to
my server and I don't have them stored in my buddy list, I can't add them directly into these groups, since I don't know how to tell
the server who they are. So, I generate three privilege keys that each promote
the client that uses it into the server management group. Then I send these privilege keys to my friends, and they can go ahead and promote
themselves when they are online again.


---------------------------------------------------------------------------------
4. Step by step: Becoming Administrator on your own server using a privilege key
---------------------------------------------------------------------------------

Since you will usually need at least one privilege key to grant administrative privileges after
creating a new virtual server, this task is automatically taken care of upon creation.

Important!
The output would look like the following example:

ServerAdmin privilege key created, please use it to gain
serveradmin rights for your virtualserver. Please also
check the doc/privilegekey_guide.txt for details.

token=gOuRFCa5iM1iC+6GPFaeqiZXJoJrV04+tV0meuE9

Now the server owner would connect using the TeamSpeak 3 client with his still restricted permissions. The client offers a dialog to copy and paste
the above privilege key. If the privilege key is correct and has not yet been used, the user will be elevated and gain administrator permissions
by joining the Server Admin permission group.

A privilege key can only be used once; attempting to use it a second time will result in an error. The privilege key is only valid for the
virtual server which it was created for - other virtual servers running within the same server process are not affected.

The usual procedure to create a new virtual server is:
- Create the virtual server
- Copy the privilege key from the server log
- Start the client and connect to the new virtual server,
  automatically creating a new unique user ID
- Paste the privilege key into the client's privilege
  key dialog
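
The privilege key rules described in sections 3 and 4 (a random ticket into one server group, usable once, valid only on the virtual server it was created for) can be modelled as follows. This is an added example, not TeamSpeak's implementation: the class and method names are hypothetical, and storing only a SHA-256 hash of each key is an assumption of the sketch.

```python
import hashlib
import secrets


class PrivilegeKeyError(Exception):
    """Raised when a key is unknown, already used, or for another virtual server."""


class PrivilegeKeyStore:
    """Hypothetical model of single-use, per-virtual-server privilege keys."""

    def __init__(self):
        # (virtual_server_id, sha256(key)) -> server group name.
        # Only a hash is kept, so reading the store does not reveal usable keys.
        self._pending = {}
        # (virtual_server_id, client_unique_id) -> set of server group names
        self.memberships = {}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, virtual_server_id, group):
        key = secrets.token_urlsafe(30)  # random ticket from the OS CSPRNG
        self._pending[(virtual_server_id, self._digest(key))] = group
        return key

    def redeem(self, virtual_server_id, client_unique_id, key):
        # pop() removes the entry as it is looked up, so a second attempt fails.
        group = self._pending.pop((virtual_server_id, self._digest(key)), None)
        if group is None:
            raise PrivilegeKeyError("invalid or already used privilege key")
        self.memberships.setdefault((virtual_server_id, client_unique_id), set()).add(group)
        return group


def demo():
    """Try one key on the wrong virtual server, the right one, then a second time."""
    store = PrivilegeKeyStore()
    key = store.create(virtual_server_id=1, group="Server Admin")
    results = []
    for sid, uid in [(2, "uid-A"), (1, "uid-A"), (1, "uid-B")]:
        try:
            results.append(store.redeem(sid, uid, key))
        except PrivilegeKeyError:
            results.append(None)
    return results, store.memberships
```

Whoever redeems the key first gets the group, so the key has to be treated as a bearer credential from the moment it is written to the server log.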


-----------------------------------------------------------
5. Gaining global ServerQuery administrator permissions
-----------------------------------------------------------

In addition to the privilege key mechanism, which grants administrator permissions for individual users on virtual servers, server owners
can gain administrative powers using a global ServerQuery login. In contrast to the user management system using unique IDs, ServerQuery
connections have to provide a login name and password.

When a server process starts for the first time, a password for a global ServerQuery super-admin account is created and printed to the
server console output.

Important!
The output might look like this:

Server Query Admin Acccount created
loginname= "serveradmin", password= "ifSsSm8w"

Using the provided login name and password, the server administrator can connect to the ServerQuery interface and log in using the "login" command.
The ServerQuery admin account password should be protected carefully, as this grants complete control over all virtual servers running within
the server process.
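
Because both the privilege key and the ServerQuery password are printed in clear text on first start, captured console output and log files hold live credentials. The following added example (not part of the original guide or of TeamSpeak) redacts the two message formats quoted above before logs are stored or forwarded; the function names, the sample lines and their values are constructed for illustration.

```python
import re

# Patterns for the two first-start messages quoted in this guide.
TOKEN_RE = re.compile(r'(\btoken=)(\S+)')
QUERY_PW_RE = re.compile(r'(loginname=\s*"[^"]*",\s*password=\s*")([^"]*)(")')


def redact_line(line):
    """Return (redacted_line, kind); kind is None, 'privilege_key' or 'query_password'."""
    new, n = TOKEN_RE.subn(r'\1[REDACTED]', line)
    if n:
        return new, "privilege_key"
    new, n = QUERY_PW_RE.subn(r'\1[REDACTED]\3', line)
    if n:
        return new, "query_password"
    return line, None


def redact_log(lines):
    """Redact a sequence of log lines; return (clean_lines, findings)."""
    clean, findings = [], []
    for lineno, line in enumerate(lines, start=1):
        new, kind = redact_line(line)
        clean.append(new)
        if kind:
            findings.append((lineno, kind))  # where a secret was found, not the secret
    return clean, findings


# Constructed sample input (values are made up, not real credentials).
SAMPLE = [
    "ServerAdmin privilege key created, please use it to gain",
    "serveradmin rights for your virtualserver.",
    "token=CONSTRUCTEDexampleKEY0000000000000000000",
    "Server Query Admin Acccount created",
    'loginname= "serveradmin", password= "EXAMPLEpw"',
    "constructed unrelated log line",
]

if __name__ == "__main__":
    clean, findings = redact_log(SAMPLE)
    print("\n".join(clean))
    print(findings)
```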