
class TAuthenticate: public TObject


TAuthenticate

An authentication module for ROOT based network services, like rootd
and proofd.


Function Members (Methods)

public:
TAuthenticate(const TAuthenticate&)
TAuthenticate(TSocket* sock, const char* remote, const char* proto, const char* user = "")
virtual~TAuthenticate()
voidTObject::AbstractMethod(const char* method) const
virtual voidTObject::AppendPad(Option_t* option = "")
Bool_tAuthenticate()
static voidAuthError(const char* where, Int_t error)
Int_tAuthExists(TString User, Int_t method, const char* Options, Int_t* Message, Int_t* Rflag, CheckSecCtx_t funcheck)
virtual voidTObject::Browse(TBrowser* b)
voidCatchTimeOut()
Bool_tCheckNetrc(TString& user, TString& passwd)
Bool_tCheckNetrc(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd)
static Bool_tCheckProofAuth(Int_t cSec, TString& det)
static TClass*Class()
virtual const char*TObject::ClassName() const
virtual voidTObject::Clear(Option_t* = "")
virtual TObject*TObject::Clone(const char* newname = "") const
virtual Int_tTObject::Compare(const TObject* obj) const
virtual voidTObject::Copy(TObject& object) const
static Int_tDecodeRSAPublic(const char* rsapubexport, rsa_NUMBER& n, rsa_NUMBER& d, char** rsassl = 0)
virtual voidTObject::Delete(Option_t* option = "")MENU
virtual Int_tTObject::DistancetoPrimitive(Int_t px, Int_t py)
virtual voidTObject::Draw(Option_t* option = "")
virtual voidTObject::DrawClass() constMENU
virtual TObject*TObject::DrawClone(Option_t* option = "") constMENU
virtual voidTObject::Dump() constMENU
virtual voidTObject::Error(const char* method, const char* msgfmt) const
virtual voidTObject::Execute(const char* method, const char* params, Int_t* error = 0)
virtual voidTObject::Execute(TMethod* method, TObjArray* params, Int_t* error = 0)
virtual voidTObject::ExecuteEvent(Int_t event, Int_t px, Int_t py)
virtual voidTObject::Fatal(const char* method, const char* msgfmt) const
virtual TObject*TObject::FindObject(const char* name) const
virtual TObject*TObject::FindObject(const TObject* obj) const
static TList*GetAuthInfo()
static const char*GetAuthMethod(Int_t idx)
static Int_tGetAuthMethodIdx(const char* meth)
static Bool_tGetAuthReUse()
static Int_tGetClientProtocol()
static char*GetDefaultDetails(Int_t method, Int_t opt, const char* user)
static const char*GetDefaultUser()
virtual Option_t*TObject::GetDrawOption() const
static Long_tTObject::GetDtorOnly()
static TDatimeGetGlobalExpDate()
static Bool_tGetGlobalPwHash()
static Bool_tGetGlobalSRPPwd()
static const char*GetGlobalUser()
static GlobusAuth_tGetGlobusAuthHook()
THostAuth*GetHostAuth() const
static THostAuth*GetHostAuth(const char* host, const char* user = "", Option_t* opt = "R", Int_t* Exact = 0)
virtual const char*TObject::GetIconName() const
static const char*GetKrb5Principal()
virtual const char*TObject::GetName() const
virtual char*TObject::GetObjectInfo(Int_t px, Int_t py) const
static Bool_tTObject::GetObjectStat()
virtual Option_t*TObject::GetOption() const
static Bool_tGetPromptUser()
static TList*GetProofAuthInfo()
const char*GetProtocol() const
const char*GetRemoteHost() const
static Int_tGetRSAInit()
Int_tGetRSAKeyType() const
static const char*GetRSAPubExport(Int_t key = 0)
TRootSecContext*GetSecContext() const
TSocket*GetSocket() const
virtual const char*TObject::GetTitle() const
virtual UInt_tTObject::GetUniqueID() const
const char*GetUser() const
virtual Bool_tTObject::HandleTimer(TTimer* timer)
virtual ULong_tTObject::Hash() const
static THostAuth*HasHostAuth(const char* host, const char* user, Option_t* opt = "R")
Int_tHasTimedOut() const
virtual voidTObject::Info(const char* method, const char* msgfmt) const
virtual Bool_tTObject::InheritsFrom(const char* classname) const
virtual Bool_tTObject::InheritsFrom(const TClass* cl) const
static voidInitRandom()
virtual voidTObject::Inspect() constMENU
voidTObject::InvertBit(UInt_t f)
virtual TClass*IsA() const
virtual Bool_tTObject::IsEqual(const TObject* obj) const
virtual Bool_tTObject::IsFolder() const
Bool_tTObject::IsOnHeap() const
virtual Bool_tTObject::IsSortable() const
Bool_tTObject::IsZombie() const
virtual voidTObject::ls(Option_t* option = "") const
voidTObject::MayNotUse(const char* method) const
static voidMergeHostAuthList(TList* Std, TList* New, Option_t* Opt = "")
virtual Bool_tTObject::Notify()
static voidTObject::operator delete(void* ptr)
static voidTObject::operator delete(void* ptr, void* vp)
static voidTObject::operator delete[](void* ptr)
static voidTObject::operator delete[](void* ptr, void* vp)
void*TObject::operator new(size_t sz)
void*TObject::operator new(size_t sz, void* vp)
void*TObject::operator new[](size_t sz)
void*TObject::operator new[](size_t sz, void* vp)
TAuthenticate&operator=(const TAuthenticate&)
virtual voidTObject::Paint(Option_t* option = "")
virtual voidTObject::Pop()
virtual voidTObject::Print(Option_t* option = "") const
static char*PromptPasswd(const char* prompt = "Password: ")
static char*PromptUser(const char* remote)
virtual Int_tTObject::Read(const char* name)
static Int_tReadRootAuthrc()
virtual voidTObject::RecursiveRemove(TObject* obj)
static voidRemoveHostAuth(THostAuth* ha, Option_t* opt = "")
voidTObject::ResetBit(UInt_t f)
virtual voidTObject::SaveAs(const char* filename = "", Option_t* option = "") constMENU
virtual voidTObject::SavePrimitive(basic_ostream<char,char_traits<char> >& out, Option_t* option = "")
static Int_tSecureRecv(TSocket* Socket, Int_t dec, Int_t KeyType, char** Out)
static Int_tSecureSend(TSocket* Socket, Int_t enc, Int_t KeyType, const char* In)
static Int_tSendRSAPublicKey(TSocket* Socket, Int_t key = 0)
static voidSetAuthReUse(Bool_t authreuse)
voidTObject::SetBit(UInt_t f)
voidTObject::SetBit(UInt_t f, Bool_t set)
static voidSetDefaultRSAKeyType(Int_t key)
static voidSetDefaultUser(const char* defaultuser)
virtual voidTObject::SetDrawOption(Option_t* option = "")MENU
static voidTObject::SetDtorOnly(void* obj)
static voidSetGlobalExpDate(TDatime expdate)
static voidSetGlobalPasswd(const char* passwd)
static voidSetGlobalPwHash(Bool_t pwhash)
static voidSetGlobalSRPPwd(Bool_t srppwd)
static voidSetGlobalUser(const char* user)
static voidSetGlobusAuthHook(GlobusAuth_t func)
static voidSetKrb5AuthHook(Krb5Auth_t func)
static voidTObject::SetObjectStat(Bool_t stat)
static voidSetPromptUser(Bool_t promptuser)
static voidSetReadHomeAuthrc(Bool_t readhomeauthrc)
static voidSetRSAInit(Int_t init = 1)
voidSetRSAKeyType(Int_t key)
static Int_tSetRSAPublic(const char* rsapubexport, Int_t klen)
voidSetSecContext(TRootSecContext* ctx)
static voidSetSecureAuthHook(SecureAuth_t func)
static voidSetTimeOut(Int_t to)
virtual voidTObject::SetUniqueID(UInt_t uid)
static voidShow(Option_t* opt = "S")
virtual voidShowMembers(TMemberInspector& insp, char* parent)
virtual voidStreamer(TBuffer& b)
voidStreamerNVirtual(TBuffer& b)
virtual voidTObject::SysError(const char* method, const char* msgfmt) const
Bool_tTObject::TestBit(UInt_t f) const
Int_tTObject::TestBits(UInt_t f) const
virtual voidTObject::UseCurrentStyle()
virtual voidTObject::Warning(const char* method, const char* msgfmt) const
virtual Int_tTObject::Write(const char* name = 0, Int_t option = 0, Int_t bufsize = 0)
virtual Int_tTObject::Write(const char* name = 0, Int_t option = 0, Int_t bufsize = 0) const
protected:
virtual voidTObject::DoError(int level, const char* location, const char* fmt, va_list va) const
voidTObject::MakeZombie()
private:
static Bool_tCheckHost(const char* Host, const char* host)
Int_tClearAuth(TString& user, TString& passwd, Bool_t& pwhash)
static voidFileExpand(const char* fin, FILE* ftmp)
Int_tGenRSAKeys()
Bool_tGetPwHash() const
char*GetRandString(Int_t Opt, Int_t Len)
Int_tGetRSAKey() const
TAuthenticate::ESecurityGetSecurity() const
Bool_tGetSRPPwd() const
const char*GetSshUser(TString user) const
Bool_tGetUserPasswd(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd)
Int_tGetVersion() const
Int_tProofAuthSetup()
static Int_tProofAuthSetup(TSocket* sock, Bool_t client)
static voidRemoveSecContext(TRootSecContext* ctx)
Int_tRfioAuth(TString& user)
voidSetEnvironment()
Int_tSshAuth(TString& user)
Int_tSshError(const char* errfile)

Data Members

public:
enum ESecurity { kClear
kSRP
kKrb5
kGlobus
kSSH
kRfio
};
enum TObject::EStatusBits { kCanDelete
kMustCleanup
kObjInCanvas
kIsReferenced
kHasUUID
kCannotPick
kNoContextMenu
kInvalidObject
};
enum TObject::[unnamed] { kIsOnHeap
kNotDeleted
kZombie
kBitMask
kSingleKey
kOverwrite
kWriteDelete
};
private:
TStringfDetailslogon details (method dependent ...)
THostAuth*fHostAuthpointer to relevant authentication info
TStringfPasswduser's password
TStringfProtocolremote service (rootd, proofd)
Bool_tfPwHashkTRUE if fPasswd is a passwd hash
Int_tfRSAKeyType of RSA key used
TStringfRemoteremote host to which we want to connect
Bool_tfSRPPwdkTRUE if fPasswd is a SRP passwd
TRootSecContext*fSecContextpointer to relevant sec context
TAuthenticate::ESecurityfSecurityactual logon security level
TSocket*fSocketconnection to remote daemon
Int_tfTimeOuttimeout flag
TStringfUseruser to be authenticated
Int_tfVersion0,1,2, ... accordingly to remote daemon version
static TList*fgAuthInfo
static TStringfgAuthMeth[6]
static Bool_t fgAuthReUse  kTRUE if ReUse required
static Int_tfgAuthTOif > 0, timeout in sec
static TStringfgDefaultUserDefault user information
static TDatimefgExpDateExpiring date for new security contexts
static GlobusAuth_tfgGlobusAuthHook
static Krb5Auth_tfgKrb5AuthHook
static TStringfgKrb5PrincipalPrincipal for Krb5 ticket
static TDatimefgLastAuthrcTime of last reading of fgRootAuthrc
static Int_tfgLastErrorLast error code processed by AuthError()
static TStringfgPasswd
static TPluginHandler*fgPasswdDialogPasswd dialog GUI plugin
static Int_tfgProcessIDID of the main thread as unique identifier
static Bool_tfgPromptUserkTRUE if user prompt required
static TList* fgProofAuthInfo  Specific lists of THostAuth for proof
static Bool_tfgPwHashkTRUE if fgPasswd is a passwd hash
static Int_tfgRSAInit
static Int_tfgRSAKeyDefault type of RSA key to be tried
static rsa_KEYfgRSAPriKey
static rsa_KEY_exportfgRSAPubExport[2]
static rsa_KEYfgRSAPubKey
static Bool_tfgReadHomeAuthrckTRUE to look for $HOME/.rootauthrc
static TStringfgRootAuthrcPath to last rootauthrc-like file read
static Bool_tfgSRPPwdkTRUE if fgPasswd is a SRP passwd
static SecureAuth_tfgSecAuthHook
static TStringfgUser
static Bool_tfgUsrPwdCryptkTRUE if encryption for UsrPwd is required


Function documentation

TAuthenticate(TSocket* sock, const char* remote, const char* proto, const char* user = "")
 Create authentication object.
void CatchTimeOut()
 Called in connection with a timer timeout
Bool_t Authenticate()
 Authenticate to remote rootd or proofd server. Return kTRUE if
 authentication succeeded.
void SetEnvironment()
 Set default authentication environment. The values are inferred
 from fSecurity and fDetails.
Bool_t GetUserPasswd(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd)
 Try to get user name and passwd from several sources.
Bool_t CheckNetrc(TString& user, TString& passwd)
 Try to get user name and passwd from the ~/.rootnetrc or
 ~/.netrc files. For more info see the version with 4 arguments.
 This version is maintained for backward compatibility reasons.
Bool_t CheckNetrc(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd)
 Try to get user name and passwd from the ~/.rootnetrc or
 ~/.netrc files. First ~/.rootnetrc is tried, after that ~/.netrc.
 These files will only be used when their access mask is 0600 (owner read/write only).
 Returns kTRUE if user and passwd were found for the machine
 specified in the URL. If kFALSE, user and passwd are "".
 If srppwd == kTRUE then a SRP ('secure') pwd is searched for in
 the files.
 The boolean pwhash is set to kTRUE if the returned passwd is to
 be understood as password hash, i.e. if the 'password-hash' keyword
 is found in the 'machine' lines; not implemented for 'secure'
 and the .netrc file.
 The format of these files are:

 # this is a comment line
 machine <machine fqdn> login <user> password <passwd>
 machine <machine fqdn> login <user> password-hash <passwd>

 and in addition ~/.rootnetrc also supports:

 secure <machine fqdn> login <user> password <passwd>

 <machine fqdn> may be a domain name or contain the wild card '*'.

 for the secure protocols. All lines must start in the first column.
const char * GetGlobalUser()
 Static method returning the global user.
Bool_t GetGlobalPwHash()
 Static method returning the global password hash flag.
Bool_t GetGlobalSRPPwd()
 Static method returning the global SRP password flag.
TDatime GetGlobalExpDate()
 Static method returning default expiring date for new validity contexts
const char * GetDefaultUser()
 Static method returning the default user information.
const char * GetKrb5Principal()
 Static method returning the principal to be used to init Krb5 tickets.
Bool_t GetAuthReUse()
 Static method returning the authentication reuse settings.
Bool_t GetPromptUser()
 Static method returning the prompt user settings.
const char * GetAuthMethod(Int_t idx)
 Static method returning the method corresponding to idx.
Int_t GetAuthMethodIdx(const char* meth)
 Static method returning the method index (which can be used to find
 the method in GetAuthMethod()). Returns -1 in case meth is not found.
char * PromptUser(const char* remote)
 Static method to prompt for the user name to be used for authentication
 to rootd or proofd. User is asked to type user name.
 Returns user name (which must be deleted by caller) or 0.
 If non-interactive run (eg ProofServ) returns default user.
char * PromptPasswd(const char* prompt = "Password: ")
 Static method to prompt for the user's passwd to be used for
 authentication to rootd or proofd. Uses non-echoing command line
 to get passwd. Returns passwd (which must be deleted by caller) or 0.
 If non-interactive run (eg ProofServ) returns -1
GlobusAuth_t GetGlobusAuthHook()
 Static method returning the globus authorization hook.
const char * GetRSAPubExport(Int_t key = 0)
 Static method returning the RSA public keys.
Int_t GetRSAInit()
 Static method returning the RSA initialization flag.
void SetDefaultRSAKeyType(Int_t key)
 Static method setting the default type of RSA key.
void SetRSAInit(Int_t init = 1)
 Static method setting RSA initialization flag.
TList * GetAuthInfo()
 Static method returning the list with authentication details.
TList * GetProofAuthInfo()
 Static method returning the list with authentication directives
 to be sent to proof.
void AuthError(const char* where, Int_t error)
 Print error string depending on error code.
void SetGlobalUser(const char* user)
 Set global user name to be used for authentication to rootd or proofd.
void SetGlobalPasswd(const char* passwd)
 Set global passwd to be used for authentication to rootd or proofd.
void SetGlobalPwHash(Bool_t pwhash)
 Set global passwd hash flag to be used for authentication to rootd or proofd.
void SetGlobalSRPPwd(Bool_t srppwd)
 Set global SRP passwd flag to be used for authentication to rootd or proofd.
void SetReadHomeAuthrc(Bool_t readhomeauthrc)
 Set flag controlling the reading of $HOME/.rootauthrc.
 In PROOF the administrator may want to switch off private settings.
 Always true, may only be set false via option to proofd.
void SetGlobalExpDate(TDatime expdate)
 Set default expiring date for new validity contexts
void SetDefaultUser(const char* defaultuser)
 Set default user name.
void SetTimeOut(Int_t to)
 Set timeout (active if > 0)
void SetAuthReUse(Bool_t authreuse)
 Set global AuthReUse flag
void SetPromptUser(Bool_t promptuser)
 Set global PromptUser flag
void SetSecureAuthHook(SecureAuth_t func)
 Set secure authorization function. Automatically called when libSRPAuth
 is loaded.
void SetKrb5AuthHook(Krb5Auth_t func)
 Set kerberos5 authorization function. Automatically called when
 libKrb5Auth is loaded.
void SetGlobusAuthHook(GlobusAuth_t func)
 Set Globus authorization function. Automatically called when
 libGlobusAuth is loaded.
Int_t SshError(const char* errfile)
 SSH error parsing: returns
     0  :  no error or fatal
     1  :  should retry (eg 'connection closed by remote host')
Int_t SshAuth(TString& user)
 SSH client authentication code.
const char * GetSshUser(TString user) const
 Method returning the user to be used for the ssh login.
 Looks first at SSH.Login and finally at env USER.
 If SSH.LoginPrompt is set to 'yes' it prompts for the 'login name'
Bool_t CheckHost(const char* Host, const char* host)
 Check if 'host' matches 'href':
 this means either equal or "containing" it, even with wild cards *
 in the first field (in the case 'href' is a name, ie not IP address)
 Returns kTRUE if the two match.
Int_t RfioAuth(TString& user)
 UidGid client authentication code.
 Returns 0 in case authentication failed
         1 in case of success
        <0 in case of system error
Int_t ClearAuth(TString& user, TString& passwd, Bool_t& pwhash)
 UsrPwd client authentication code.
 Returns 0 in case authentication failed
         1 in case of success
THostAuth * GetHostAuth(const char* host, const char* user = "", Option_t* opt = "R", Int_t* Exact = 0)
 Sets fUser=user and searches fgAuthInfo for the entry pertaining to
 (host,user), setting fHostAuth accordingly.
 If opt = "P" use fgProofAuthInfo list instead
 If no entry is found fHostAuth is not changed
THostAuth * HasHostAuth(const char* host, const char* user, Option_t* opt = "R")
 Checks if a THostAuth with exact match for {host,user} exists
 in the fgAuthInfo list
 If opt = "P" use ProofAuthInfo list instead
 Returns pointer to it or 0
void FileExpand(const char* fin, FILE* ftmp)
 Expands include directives found in fexp files
 The expanded, temporary file, is pointed to by 'ftmp'
 and should be already open. To be called recursively.
char * GetDefaultDetails(Int_t method, Int_t opt, const char* user)
 Determine default authentication details for method 'sec' and user 'usr'.
 Checks .rootrc family files. Returned string must be deleted by the user.
void RemoveHostAuth(THostAuth* ha, Option_t* opt = "")
 Remove THostAuth instance from the list
void Show(Option_t* opt = "S")
 Print info about the authentication sector.
 If 'opt' contains 's' or 'S' prints information about established TSecContext,
 else prints information about THostAuth (if 'opt' is 'p' or 'P', prints
 Proof related information)
Int_t AuthExists(TString User, Int_t method, const char* Options, Int_t* Message, Int_t* Rflag, CheckSecCtx_t funcheck)
 Check if we have a valid established sec context in memory
 Retrieves relevant info and negotiates with server.
 options = "Opt,strlen(username),username.Data()"
 message = kROOTD_USER, ...
void InitRandom()
 Initialize the random number generator with a seed read from /dev/urandom
 (or, as a much weaker fallback, from the current time if /dev/urandom is not available).
Int_t GenRSAKeys()
 Generate a valid pair of private/public RSA keys to protect for
 authentication token exchange
char * GetRandString(Int_t Opt, Int_t Len)
 Allocates and fills a 0 terminated buffer of length len+1 with
 len random characters.
 Returns pointer to the buffer (to be deleted by the caller)
 opt = 0      any non-dangerous char
       1      letters and numbers  (upper and lower case)
       2      hex characters       (upper and lower case)
Int_t SecureSend(TSocket* Socket, Int_t enc, Int_t KeyType, const char* In)
 Encodes the null-terminated string using the session private key indicated by enc
 and sends it over the network.
 Returns number of bytes sent, or -1 in case of error.
 enc = 1 for private encoding, enc = 2 for public encoding
Int_t SecureRecv(TSocket* Socket, Int_t dec, Int_t KeyType, char** Out)
 Receives a string from the socket and decodes it using the key indicated by the key type.
 Returns the number of received bytes or -1 in case of error.
 dec = 1 for private decoding, dec = 2 for public decoding
Int_t DecodeRSAPublic(const char* rsapubexport, rsa_NUMBER& n, rsa_NUMBER& d, char** rsassl = 0)
 Store RSA public keys from export string rsaPubExport.
Int_t SetRSAPublic(const char* rsapubexport, Int_t klen)
 Store RSA public keys from export string rsaPubExport.
 Returns type of stored key, or -1 if not recognized
Int_t SendRSAPublicKey(TSocket* Socket, Int_t key = 0)
 Receives the server RSA public key;
 sends the local RSA public key, encoded.
Int_t ReadRootAuthrc()
 Read authentication directives from $ROOTAUTHRC, $HOME/.rootauthrc or
 <Root_etc_dir>/system.rootauthrc and create related THostAuth objects.
 Files are read only if they changed since last reading
 If 'proofconf' is defined, check also file proofconf for directives
Bool_t CheckProofAuth(Int_t cSec, TString& det)
 Check if the authentication method can be attempted for the client.
void MergeHostAuthList(TList* Std, TList* New, Option_t* Opt = "")
 Tool for updating fgAuthInfo or fgProofAuthInfo
 'nin' contains list of last input information through (re)reading
 of a rootauthrc-alike file. 'nin' info has priority.
 'std' is cleaned from inactive members.
 'nin' members used to update existing members in 'std' are
 removed from 'nin', so that they do not leak
 opt = "P" for proofauthinfo.
void RemoveSecContext(TRootSecContext* ctx)
 Tool for removing SecContext ctx from THostAuth listed in
 fgAuthInfo or fgProofAuthInfo
Int_t ProofAuthSetup()
 Authentication related stuff setup in TProofServ.
 This is the place where the buffer sent by the client / master is
 decoded. It contains also password information, if the case requires.
 Return 0 on success, -1 on failure.
Int_t ProofAuthSetup(TSocket* sock, Bool_t client)
 Setup of authentication related stuff in PROOF run after a
 successful authentication.
 Return 0 on success, -1 on failure.
Int_t GetClientProtocol()
 Static method returning supported client protocol.
/// kTRUE when the password held in fPasswd is a password hash rather than
/// a clear-text password.
Bool_t GetPwHash() const { return fPwHash; }
/// Type of the RSA key used for this authentication.
/// Reads the same member (fRSAKey) as the public GetRSAKeyType().
Int_t GetRSAKey() const { return fRSAKey; }
/// Security level (authentication method, see enum ESecurity) actually used
/// for this logon.
ESecurity GetSecurity() const { return fSecurity; }
/// kTRUE when the password held in fPasswd is an SRP ('secure') password.
Bool_t GetSRPPwd() const { return fSRPPwd; }
/// Protocol version negotiated with the remote daemon (0, 1, 2, ...).
Int_t GetVersion() const { return fVersion; }
/// Create an authentication object for the connection `sock` to the remote
/// host `remote`, service `proto` and (optionally) user name `user`.
/// NOTE(review): the reference page renders this constructor with an empty
/// body while the function documentation above describes it as creating the
/// authentication object; the real implementation lives in the class source —
/// confirm there.
TAuthenticate(TSocket* sock, const char* remote, const char* proto, const char* user = "")
{ }
/// Pointer to the THostAuth entry relevant to this authentication.
/// The pointer is returned as stored; ownership is not transferred to the caller.
THostAuth * GetHostAuth() const { return fHostAuth; }
/// Name of the remote service (rootd, proofd).
/// The returned pointer refers to the fProtocol string member, so it must not
/// be used after this object is destroyed.
const char * GetProtocol() const { return fProtocol; }
/// Remote host to which the connection is made.
/// The returned pointer refers to the fRemote string member, so it must not
/// be used after this object is destroyed.
const char * GetRemoteHost() const { return fRemote; }
/// Type of the RSA key used for this authentication (same member as the
/// private GetRSAKey()).
Int_t GetRSAKeyType() const { return fRSAKey; }
/// Pointer to the security context associated with this authentication.
/// Returned as stored; whether it may be 0 or who owns it is not established
/// here — see SetSecContext() and RemoveSecContext().
TRootSecContext * GetSecContext() const { return fSecContext; }
/// Socket connected to the remote daemon; returned as stored, not owned by
/// the caller.
TSocket * GetSocket() const { return fSocket; }
/// User name to be authenticated.
/// The returned pointer refers to the fUser string member, so it must not
/// be used after this object is destroyed.
const char * GetUser() const { return fUser; }
/// Timeout flag of this authentication attempt.
/// NOTE(review): presumably raised by CatchTimeOut(); the exact values are not
/// established here — confirm against the source.
Int_t HasTimedOut() const { return fTimeOut; }
/// Select the type of RSA key to use for this authentication.
/// @param key key type code (no validation is performed here).
void SetRSAKeyType(Int_t key) { fRSAKey = key; }
/// Attach a security context to this authentication object.
/// @param ctx the context pointer to store; only the pointer is kept here,
///        ownership is not taken — TODO confirm against RemoveSecContext().
void SetSecContext(TRootSecContext* ctx) { fSecContext = ctx; }