- The TeamSpeak 3 user management and permission system
- =====================================================
- Copyright (c) TeamSpeak Systems GmbH
- -----------------------------------------------------------
- 1. TeamSpeak 3 server user management
- -----------------------------------------------------------
- The mechanism controlling user permissions on a TeamSpeak 3 server is fundamentally different from that in TeamSpeak 2.
- In TeamSpeak 2, individual users were added to the server's database and permissions were bound to a user login name and password.
- In TeamSpeak 3, user login names and passwords no longer exist. Instead, users connect to a virtual server providing just
- a nickname, which only determines how the user is displayed to others and is in no way related to access control.
- To identify a user on a TeamSpeak 3 virtual server, a public key encryption mechanism is used: When the client is started
- for the first time, it automatically creates a key pair consisting of a public and a private key. The first time a new user
- connects to a virtual server, his client will automatically send his public key to the server.
- The virtual server creates a unique identifier from this public key and stores this identifier in its database. So
- instead of identification with login and password, a TeamSpeak 3 server identifies users by their unique ID.
- Should the user delete his private key and create a new one when connecting, he will be treated as a new individual by the server.
- Since there is no input needed to "register" on a TeamSpeak 3 server, there is no such thing as a manual registration in TeamSpeak 3.
- Basically, once you connect you are automatically registered on the server you connected to. When you join again, the server will recognize you.
- -----------------------------------------------------------
- 2. TeamSpeak 3 permission overview
- -----------------------------------------------------------
- All settings that you can apply to a client on the server side are stored in reference to the client's unique ID.
- This way, when the client reconnects to the server, perhaps using a new IP or a new nickname, the server can still recognize it by
- the unique ID, and apply these settings. One of the more important settings you can apply to clients is of course to grant or
- revoke certain permissions to them.
- Clients joining for the first time will automatically become a member of the default Server Permissions Group that is configured
- via the server settings. Likewise, clients that join a channel they have not visited before will automatically be inserted into the
- Default Channel Permission Group (also configured via the server settings). Usually you will be a member of some kind of
- administrator group that allows you to configure the server in the way you like it. The default group layout contains a "Server Admin"
- group for this purpose.
- When a new virtual server is created, the server's global template groups are copied to the virtual server's server default and admin group,
- so modifying the templates is a good way to set up a security and access policy for multiple virtual servers without the need to modify
- each virtual server's permissions individually, although this can still be done to tweak individual virtual servers if required.
- -----------------------------------------------------------
- 3. The chicken and the egg, or how to use privilege keys
- -----------------------------------------------------------
- One obvious problem presents itself: How does the first client receive elevated permissions when there is no
- other client with elevated permissions yet that could grant these permissions? The solution to this problem is permission keys,
- which will now be explained:
- A permission key is similar to a client with administrator privileges that adds you to a certain permission group, but without the necessity
- of such a client with administrator privileges actually existing. It is a long (random-looking) string that can be used as a ticket into
- a specific server group.
- As an example, I am a server hoster and a client has just purchased a server. I send this client a privilege key that, once it is used
- on the client's server, will grant the client that used it administrative powers. Or, in a different use case, I might be a server administrator
- and I want three of my friends to become members of the clan management permission group. Since these friends are not currently connected to
- my server and I don't have them stored in my buddy list, I can't add them
- directly into these groups, since I don't know how to tell the server who they are. So, I generate three privilege keys that each promote
- the client that uses it into the server management group. Then I send these privilege keys to my friends, and they can go ahead and promote
- themselves when they are online again.
- ---------------------------------------------------------------------------------
- 4. Step by step: Becoming Administrator on your own server using a privilege key
- ---------------------------------------------------------------------------------
- Since you will usually need at least one privilege key to grant administrative privileges after
- creating a new virtual server, this task is automatically taken care of upon creation.
- Important!
- The output would look like the following example:
- ServerAdmin privilege key created, please use it to gain
- serveradmin rights for your virtualserver. Please also
- check the doc/privilegekey_guide.txt for details.
- token=gOuRFCa5iM1iC+6GPFaeqiZXJoJrV04+tV0meuE9
- Now the server owner would connect using the TeamSpeak 3 client with his still restricted permissions. The client offers a dialog into which to copy and paste
- the above privilege key. If the privilege key is correct and has not yet been used, the user will be elevated and gain administrator permissions
- by joining the Server Admin permission group.
- A privilege key can only be used once; attempting to use it a second time will result in an error. The privilege key is only valid for the
- virtual server for which it was created; other virtual servers running within the same server process are not affected.
- The usual procedure to create a new virtual server is:
- • Create the virtual server
- • Copy the privilege key from the server log
- • Start the client and connect to the new virtual server, automatically creating a new unique user ID
- • Paste the privilege key into the client's privilege key dialog
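The behaviour described in sections 1, 3 and 4, as an added Python model (not TeamSpeak code and not part of the original guide): a client is recognised by an ID derived from its public key, and a privilege key is a bearer ticket that works once, on one virtual server, for whoever presents it first. The class and method names are hypothetical, and deriving the ID with SHA-256 is an assumption; the guide only says the ID is created from the public key.

```python
import hashlib
import secrets


class VirtualServer:
    """Toy model of one virtual server (illustrative, not TeamSpeak's code)."""

    def __init__(self, name):
        self.name = name
        self.groups = {}   # unique ID -> set of server group names
        self._keys = {}    # sha256(privilege key) -> group the key grants

    def connect(self, public_key: bytes) -> str:
        # Assumption: the unique ID is modelled as a truncated SHA-256 of the key.
        uid = hashlib.sha256(public_key).hexdigest()[:16]
        self.groups.setdefault(uid, {"Default"})   # first connect registers the ID
        return uid

    def create_privilege_key(self, group: str) -> str:
        key = secrets.token_urlsafe(30)            # long, random-looking ticket
        # Only a hash is kept, so a copy of this table does not reveal usable keys.
        self._keys[hashlib.sha256(key.encode()).digest()] = group
        return key

    def use_privilege_key(self, uid: str, key: str) -> bool:
        digest = hashlib.sha256(key.encode()).digest()
        group = self._keys.pop(digest, None)       # pop makes the key single-use
        if group is None:
            return False                           # unknown, used, or other server
        self.groups[uid].add(group)
        return True


def demo():
    a, b = VirtualServer("vs1"), VirtualServer("vs2")
    owner = a.connect(b"owner-public-key")         # constructed sample keys
    other = a.connect(b"other-public-key")
    key = a.create_privilege_key("Server Admin")
    return {
        "wrong_server": b.use_privilege_key(b.connect(b"owner-public-key"), key),
        "first_use": a.use_privilege_key(owner, key),
        "second_use": a.use_privilege_key(other, key),
        "recognised_on_rejoin": a.connect(b"owner-public-key") == owner,
        "owner_groups": sorted(a.groups[owner]),
        "other_groups": sorted(a.groups[other]),
    }
```

Because the key is not bound to any identity, anyone who reads it from the server log before the owner redeems it can take its place, so the log needs the same protection as the key.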
- -----------------------------------------------------------
- 5. Gaining global ServerQuery administrator permissions
- -----------------------------------------------------------
- In addition to the privilege key mechanism, which grants administrator permissions for individual users on virtual servers, server owners
- can gain administrative powers using a global ServerQuery login. In contrast to the user management system using unique IDs, ServerQuery
- connections have to provide a login name and password.
- When a server process starts for the first time, a password for a global ServerQuery super-admin account is created and printed to the
- server console output.
- Important!
- The output might look like this:
- Server Query Admin Acccount created
- loginname= "serveradmin", password= "ifSsSm8w"
- Using the provided login name and password, the server administrator can connect to the ServerQuery interface and log in using the "login" command.
- The ServerQuery admin account password should be protected carefully, as this grants complete control over all virtual servers running within
- the server process.
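Both credentials in this guide are printed to the server log or console, so a copy of that output pasted into a ticket or forum post carries them along. The following added example (not part of the original guide) redacts the two output formats quoted above and reports which lines held a secret; the function name and the sample log are constructed for illustration.

```python
import re

# Patterns follow the two output formats quoted in this guide.
PATTERNS = {
    "privilege_key": re.compile(r'(token=)([A-Za-z0-9+/]+=*)'),
    # Accepts straight or typographic quotes around the password value.
    "serverquery_password": re.compile(r'(password=\s*["\u201c]?)([^"\u201d\s,]+)'),
}


def redact_log(text):
    """Return (redacted_text, findings); findings are (line_no, kind) tuples."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            # Keep the field name (group 1) and replace only the secret value.
            line, count = pattern.subn(r'\1[REDACTED]', line)
            findings.extend((line_no, kind) for _ in range(count))
        out.append(line)
    return "\n".join(out), findings


# Constructed sample: the example values printed in this guide plus a filler line.
SAMPLE_LOG = '''\
ServerAdmin privilege key created, please use it to gain
token=gOuRFCa5iM1iC+6GPFaeqiZXJoJrV04+tV0meuE9
constructed filler line without secrets
loginname= "serveradmin", password= "ifSsSm8w"
'''

if __name__ == "__main__":
    redacted, findings = redact_log(SAMPLE_LOG)
    print(redacted)
    print(findings)
```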