After reading it, I have noticed that there is no RPC method that seems to be used for authentication, and after a bit of code digging I have pieced together the following simplified scenario of a client-daemon session:
1. The client opens an SSL socket to the server (and it does not seem to validate the certificate in any way).
2. The client uses the 'daemon.login' RPC method to authenticate.
3. Assuming correct credentials, the client will listen for events from the daemon and send RPC requests as needed.
4. The connection is closed by either party at the end.
My questions are:
1. Is the 'daemon.login' method documented somewhere? If so, please point me in the right direction.
2. Are there any other methods that are used during authentication, besides the 'daemon.login' one?
3. Is the SSL certificate really not validated by the client when connecting, or have I read the code wrong?
4. Where are the events emitted by the daemon documented?
I can answer 3 for you. Saying that "all communication between the GTK UI and daemon is encrypted" is misleading. The certificate is generated automatically and is self-signed, so by definition it cannot be validated, and it can just as easily be a man-in-the-middle trying to intercept your traffic. This setup only protects against a passive adversary. This might be enough for a trusted local network, but you should not expose the daemon control port to the internet. Use SSH tunneling instead.
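The TLS behaviour discussed in this thread, as an added Python example that is not part of the original posts or of the daemon's own code: insecure_context() reproduces the no-validation client setup the question describes (any certificate, including an attacker's, is accepted), and connect_pinned() shows one way to get man-in-the-middle detection without a CA when the answer's SSH tunnel is not practical: pinning the daemon's self-signed certificate by its SHA-256 fingerprint before any application data is sent. The host, port, sample certificate bytes and pin are constructed placeholders, and nothing after the handshake ('daemon.login', events) is modelled.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample data (not a real certificate): a stand-in for the
# daemon's DER-encoded certificate and the SHA-256 fingerprint an operator
# would record out of band, e.g. with
#   openssl x509 -in daemon.cert -noout -fingerprint -sha256
# on the daemon host. The bytes only exist so the pin check can run offline.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-daemon-cert"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()


def insecure_context() -> ssl.SSLContext:
    """The setup described in the question: a TLS client that accepts any
    certificate. Traffic is encrypted, but the peer is never identified, so
    an active attacker who terminates TLS in the middle is invisible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept anything
    return ctx


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin.
    Accepts the colon-separated form that `openssl x509 -fingerprint` prints."""
    normalised = expected_pin.lower().replace(":", "")
    return hmac.compare_digest(fingerprint(der), normalised)


def connect_pinned(host: str, port: int, expected_pin: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection to the daemon and refuse to use it unless the
    server's certificate matches the pinned fingerprint.

    Chain verification is disabled because the daemon's certificate is
    self-signed and has no CA behind it; the pin check replaces it. The
    check runs before the caller sends anything, so 'daemon.login'
    credentials never reach an unpinned peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # no chain to verify; pinned below
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        # binary_form=True returns the DER certificate even with CERT_NONE
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, expected_pin):
            raise ssl.SSLError(
                "daemon certificate does not match the pinned fingerprint; "
                "possible man-in-the-middle")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholder endpoint; replace with the daemon host/port and the
    # fingerprint recorded on the daemon itself.
    try:
        sock = connect_pinned("127.0.0.1", 58846, SAMPLE_PIN, timeout=2.0)
        print("pinned TLS session established")
        sock.close()
    except (OSError, ssl.SSLError) as exc:
        print(f"connection refused or pin mismatch: {exc}")
```

The pin has to be copied from the daemon host over a channel the attacker does not control (for example over the same SSH session the answer recommends); a pin fetched over the untrusted connection itself just pins whatever the attacker presented.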