

The TeamSpeak 3 user management and permission system
=====================================================


Copyright (c) TeamSpeak Systems GmbH




-----------------------------------------------------------
1. TeamSpeak 3 server user management
-----------------------------------------------------------

The mechanism controlling user permissions on a TeamSpeak 3 server is fundamentally different from that in TeamSpeak 2.
In TeamSpeak 2, individual users were added to the server's database and permissions were bound to a user login name and password.
In TeamSpeak 3, user login names and passwords no longer exist. Instead, users connect to a virtual server providing just
a nickname, which only determines how the user is displayed to others and is in no way related to access control.
To identify a user on a TeamSpeak 3 virtual server, a public key encryption mechanism is used: when the client is started
for the first time, it automatically creates a key pair consisting of a public and a private key. The first time a new user
connects to a virtual server, his client automatically sends his public key to the server.

The virtual server creates a unique identifier from this public key and stores this identifier in its database. So
instead of identification with login and password, a TeamSpeak 3 server identifies users by their unique ID.
Should the user delete his private key and create a new one when connecting, he will be treated as a new individual by the server.

Since no input is needed to register on a TeamSpeak 3 server, there is no such thing as a manual registration in TeamSpeak 3.
Basically, once you connect you are automatically registered on the server you connected to. When you join again, the server
will recognize you.


-----------------------------------------------------------
2. TeamSpeak 3 permission overview
-----------------------------------------------------------

All settings that you can apply to a client on the server side are stored in reference to the client's unique ID.
This way, when the client reconnects to the server, maybe using a new IP or a new nickname, the server can still recognize it by
the unique ID and apply these settings. One of the more important settings you can apply to clients is of course to grant or
revoke certain permissions.

Clients joining for the first time will automatically become a member of the default Server Permissions Group that is configured
via the server settings. Likewise, clients that join a channel they have not visited before will automatically be inserted into the
Default Channel Permission Group (also configured via the server settings). Usually you will be a member of some kind of
administrator group that allows you to configure the server in the way you like it. The default group layout contains a Server Admin
group for this purpose.

When a new virtual server is created, the server's global template groups are copied to the virtual server's server default and admin group,
so modifying the templates is a good way to set up a security and access policy for multiple virtual servers without the need to modify
each virtual server's permissions individually, although this can still be done to tweak individual virtual servers if required.


-----------------------------------------------------------
3. The chicken and the egg, or how to use privilege keys
-----------------------------------------------------------

One obvious problem that presents itself is the following: How does the first client receive elevated permissions when there is no
other client with elevated permissions yet that could grant these permissions? The solution to this problem is permission keys,
which will now be explained:

A permission key is similar to a client with administrator privileges that adds you to a certain permission group, but without the necessity
of such a client with administrator privileges actually existing. It is a long (random looking) string that can be used as a ticket into
a specific server group.

As an example, I am a server hoster and a client has just purchased a server. I send this client a privilege key that, once it is used
on the client's server, will grant the client that used it administrative powers. Or, in a different use case, I might be a server administrator
and I want three of my friends to become members of the clan management permission group. Since these friends are not currently connected to
my server and I don't have them stored in my buddy list, I can't add them directly into these groups, since I don't know how to tell the
server who they are. So, I generate three privilege keys that each promote the client that uses it into the server management group.
Then I send these privilege keys to my friends, and they can go ahead and promote themselves when they are online again.


---------------------------------------------------------------------------------
4. Step by step: Becoming Administrator on your own server using a privilege key 
---------------------------------------------------------------------------------

Since you will usually need at least one privilege key to grant administrative privileges after
creating a new virtual server, this task is automatically taken care of upon creation.

Important! 
The output would look like the following example:

ServerAdmin privilege key created, please use it to gain 
serveradmin rights for your virtualserver. Please also
check the doc/privilegekey_guide.txt for details.

token=gOuRFCa5iM1iC+6GPFaeqiZXJoJrV04+tV0meuE9

Now the server owner would connect using the TeamSpeak 3 client with his still restricted permissions. The client offers a dialog to copy & paste
the above privilege key. If the privilege key is correct and has not yet been used, the user will be elevated and gain administrator permissions
by joining the Server Admin permission group.

A privilege key can only be used once; attempting to use it a second time will result in an error. The privilege key is only valid for the
virtual server which it was created for; other virtual servers running within the same server process are not affected.

The usual procedure to create a new virtual server is:
 - Create the virtual server
 - Copy the privilege key from the server log
 - Start the client and connect to the new virtual server, automatically creating a new unique user ID
 - Paste the privilege key into the client's privilege key dialog
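
The rules described in this section (a key is a ticket into one server group, works only once, and only on the virtual server it
was created for) can be modelled as follows. This is an added example, not TeamSpeak code: PrivilegeKeyStore, unique_id and the
SHA-1/base64 derivation are assumptions made for illustration.

```python
import base64
import hashlib
import secrets


def unique_id(public_key: bytes) -> str:
    # Assumption: SHA-1 + base64 stands in for the server's real derivation.
    return base64.b64encode(hashlib.sha1(public_key).digest()).decode()


class PrivilegeKeyStore:  # hypothetical model, one store per server process
    def __init__(self):
        self._keys = {}      # (virtual_server_id, sha256(key)) -> server group
        self.members = {}    # (virtual_server_id, unique_id) -> set of groups

    @staticmethod
    def _digest(key: str) -> str:
        # Only a digest is kept, so a database dump does not reveal live keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, vserver: int, group: str) -> str:
        key = secrets.token_urlsafe(30)   # long, random-looking ticket
        self._keys[(vserver, self._digest(key))] = group
        return key                        # shown once, e.g. in the server log

    def redeem(self, vserver: int, uid: str, key: str) -> str:
        # pop() consumes the key in the same step that validates it, so a
        # second use, or use on another virtual server, finds nothing.
        group = self._keys.pop((vserver, self._digest(key)), None)
        if group is None:
            raise PermissionError("invalid or already used privilege key")
        self.members.setdefault((vserver, uid), set()).add(group)
        return group


def demo():
    store = PrivilegeKeyStore()
    key = store.issue(vserver=1, group="Server Admin")
    owner = unique_id(b"constructed-public-key-bytes")   # constructed sample
    results = []
    for vs in (2, 1, 1):   # wrong virtual server, first use, replay
        try:
            results.append(store.redeem(vs, owner, key))
        except PermissionError:
            results.append("error")
    return results, store.members


if __name__ == "__main__":
    print(demo())
```

Because the key is a bearer ticket until it is redeemed, whoever reads the server log first can claim the group; redeeming it
promptly and restricting read access to the log closes that window.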


-----------------------------------------------------------
5. Gaining global ServerQuery administrator permissions
-----------------------------------------------------------

In addition to the privilege key mechanism, which grants administrator permissions for individual users on virtual servers, server owners
can gain administrative powers using a global ServerQuery login. In contrast to the user management system using unique IDs, ServerQuery
connections have to provide a login name and password.

When a server process starts for the first time, a password for a global ServerQuery super-admin account is created and printed to the 
server console output.

Important! 
The output might look like this:

Server Query Admin Acccount created
loginname= serveradmin, password= ifSsSm8w 

Using the provided login name and password, the server administrator can connect to the ServerQuery interface and log in using the login command.
The ServerQuery admin account password should be protected carefully, as it grants complete control over all virtual servers running within
the server process.

