Logo ROOT   6.08/07
Reference Guide
Go to the documentation of this file.
1 // @(#)root/auth:$Id$
2 // Author: Fons Rademakers 26/11/2000
4 /*************************************************************************
5  * Copyright (C) 1995-2000, Rene Brun and Fons Rademakers. *
6  * All rights reserved. *
7  * *
8  * For the licensing terms see $ROOTSYS/LICENSE. *
9  * For the list of contributors see $ROOTSYS/README/CREDITS. *
10  *************************************************************************/
12 #ifndef ROOT_TAuthenticate
13 #define ROOT_TAuthenticate
16 //////////////////////////////////////////////////////////////////////////
17 // //
18 // TAuthenticate //
19 // //
20 // An authentication module for ROOT based network services, like rootd //
21 // and proofd. //
22 // //
23 //////////////////////////////////////////////////////////////////////////
25 #ifndef ROOT_TObject
26 #include "TObject.h"
27 #endif
28 #ifndef ROOT_TString
29 #include "TString.h"
30 #endif
31 #ifndef ROOT_TList
32 #include "TList.h"
33 #endif
34 #ifndef ROOT_TDatime
35 #include "TDatime.h"
36 #endif
37 #ifndef ROOT_rsafun
38 #include "rsafun.h"
39 #endif
40 #ifndef ROOT_AuthConst
41 #include "AuthConst.h"
42 #endif
43 #ifdef R__SSL
44 // SSL specific headers for blowfish encryption
45 #include <openssl/blowfish.h>
46 #endif
48 class TAuthenticate;
49 class THostAuth;
50 class TPluginHandler;
51 class TSocket;
52 class TRootSecContext;
53 class TVirtualMutex;
55 typedef Int_t (*CheckSecCtx_t)(const char *subj, TRootSecContext *ctx);
56 typedef Int_t (*GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det);
57 typedef Int_t (*Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version);
58 typedef Int_t (*SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd,
59  const char *remote, TString &det, Int_t version);
63 class TAuthenticate : public TObject {
65 friend class TRootAuth;
66 friend class TRootSecContext;
67 friend class TSocket;
69 public:
70  enum ESecurity { kClear, kSRP, kKrb5, kGlobus, kSSH, kRfio }; // type of authentication
72 private:
73  TString fDetails; // logon details (method dependent ...)
74  THostAuth *fHostAuth; // pointer to relevant authentication info
75  TString fPasswd; // user's password
76  TString fProtocol; // remote service (rootd, proofd)
77  Bool_t fPwHash; // kTRUE if fPasswd is a passwd hash
78  TString fRemote; // remote host to which we want to connect
79  Int_t fRSAKey; // Type of RSA key used
80  TRootSecContext *fSecContext; // pointer to relevant sec context
81  ESecurity fSecurity; // actual logon security level
82  TSocket *fSocket; // connection to remote daemon
83  Bool_t fSRPPwd; // kTRUE if fPasswd is a SRP passwd
84  Int_t fVersion; // 0,1,2, ... accordingly to remote daemon version
85  TString fUser; // user to be authenticated
86  Int_t fTimeOut; // timeout flag
88  Int_t GenRSAKeys();
89  Bool_t GetPwHash() const { return fPwHash; }
90  Int_t GetRSAKey() const { return fRSAKey; }
91  ESecurity GetSecurity() const { return fSecurity; }
92  Bool_t GetSRPPwd() const { return fSRPPwd; }
93  const char *GetSshUser(TString user) const;
94  Int_t GetVersion() const { return fVersion; }
95  Int_t ClearAuth(TString &user, TString &passwd, Bool_t &pwhash);
96  Bool_t GetUserPasswd(TString &user, TString &passwd,
97  Bool_t &pwhash, Bool_t srppwd);
98  char *GetRandString(Int_t Opt,Int_t Len);
100  Int_t RfioAuth(TString &user);
101  void SetEnvironment();
102  Int_t SshAuth(TString &user);
103  Int_t SshError(const char *errfile);
105  static TList *fgAuthInfo;
107  static Bool_t fgAuthReUse; // kTRUE is ReUse required
108  static TString fgDefaultUser; // Default user information
109  static TDatime fgExpDate; // Expiring date for new security contexts
112  static TString fgKrb5Principal; // Principal for Krb5 ticket
113  static TDatime fgLastAuthrc; // Time of last reading of fgRootAuthrc
115  static TPluginHandler *fgPasswdDialog; // Passwd dialog GUI plugin
116  static Bool_t fgPromptUser; // kTRUE if user prompt required
117  static TList *fgProofAuthInfo; // Specific lists of THostAuth fro proof
118  static Bool_t fgPwHash; // kTRUE if fgPasswd is a passwd hash
119  static Bool_t fgReadHomeAuthrc; // kTRUE to look for $HOME/.rootauthrc
120  static TString fgRootAuthrc; // Path to last rootauthrc-like file read
121  static Int_t fgRSAKey; // Default type of RSA key to be tried
122  static Int_t fgRSAInit;
126 #ifdef R__SSL
127  static BF_KEY fgBFKey; // Blowfish symmetric key
128 #endif
130  static Bool_t fgSRPPwd; // kTRUE if fgPasswd is a SRP passwd
131  static TString fgUser;
132  static Bool_t fgUsrPwdCrypt; // kTRUE if encryption for UsrPwd is required
133  static Int_t fgLastError; // Last error code processed by AuthError()
134  static Int_t fgAuthTO; // if > 0, timeout in sec
135  static Int_t fgProcessID; // ID of the main thread as unique identifier
137  static Bool_t CheckHost(const char *Host, const char *host);
139  static void FileExpand(const char *fin, FILE *ftmp);
140  static Int_t ProofAuthSetup(TSocket *sock, Bool_t client);
141  static void RemoveSecContext(TRootSecContext *ctx);
143 public:
144  TAuthenticate(TSocket *sock, const char *remote, const char *proto,
145  const char *user = "");
146  virtual ~TAuthenticate() { }
149  Int_t AuthExists(TString User, Int_t method, const char *Options,
150  Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck);
151  void CatchTimeOut();
152  Bool_t CheckNetrc(TString &user, TString &passwd);
153  Bool_t CheckNetrc(TString &user, TString &passwd,
154  Bool_t &pwhash, Bool_t srppwd);
155  THostAuth *GetHostAuth() const { return fHostAuth; }
156  const char *GetProtocol() const { return fProtocol; }
157  const char *GetRemoteHost() const { return fRemote; }
158  Int_t GetRSAKeyType() const { return fRSAKey; }
160  TSocket *GetSocket() const { return fSocket; }
161  const char *GetUser() const { return fUser; }
162  Int_t HasTimedOut() const { return fTimeOut; }
163  void SetRSAKeyType(Int_t key) { fRSAKey = key; }
164  void SetSecContext(TRootSecContext *ctx) { fSecContext = ctx; }
166  static void AuthError(const char *where, Int_t error);
167  static Bool_t CheckProofAuth(Int_t cSec, TString &det);
169  static Int_t DecodeRSAPublic(const char *rsapubexport, rsa_NUMBER &n,
170  rsa_NUMBER &d, char **rsassl = 0);
172  static TList *GetAuthInfo();
173  static const char *GetAuthMethod(Int_t idx);
174  static Int_t GetAuthMethodIdx(const char *meth);
175  static Bool_t GetAuthReUse();
176  static Int_t GetClientProtocol();
177  static char *GetDefaultDetails(Int_t method, Int_t opt, const char *user);
178  static const char *GetDefaultUser();
179  static TDatime GetGlobalExpDate();
180  static Bool_t GetGlobalPwHash();
181  static Bool_t GetGlobalSRPPwd();
182  static const char *GetGlobalUser();
184  static THostAuth *GetHostAuth(const char *host, const char *user="",
185  Option_t *opt = "R", Int_t *Exact = 0);
186  static const char *GetKrb5Principal();
187  static Bool_t GetPromptUser();
188  static TList *GetProofAuthInfo();
189  static Int_t GetRSAInit();
190  static const char *GetRSAPubExport(Int_t key = 0);
191  static THostAuth *HasHostAuth(const char *host, const char *user,
192  Option_t *opt = "R");
193  static void InitRandom();
194  static void MergeHostAuthList(TList *Std, TList *New, Option_t *Opt = "");
195  static char *PromptPasswd(const char *prompt = "Password: ");
196  static char *PromptUser(const char *remote);
197  static Int_t ReadRootAuthrc();
198  static void RemoveHostAuth(THostAuth *ha, Option_t *opt = "");
199  static Int_t SecureRecv(TSocket *Socket, Int_t dec,
200  Int_t KeyType, char **Out);
201  static Int_t SecureSend(TSocket *Socket, Int_t enc,
202  Int_t KeyType, const char *In);
203  static Int_t SendRSAPublicKey(TSocket *Socket, Int_t key = 0);
204  static void SetAuthReUse(Bool_t authreuse);
205  static void SetDefaultUser(const char *defaultuser);
206  static void SetGlobalExpDate(TDatime expdate);
207  static void SetGlobalPasswd(const char *passwd);
208  static void SetGlobalPwHash(Bool_t pwhash);
209  static void SetGlobalSRPPwd(Bool_t srppwd);
210  static void SetGlobalUser(const char *user);
211  static void SetGlobusAuthHook(GlobusAuth_t func);
212  static void SetKrb5AuthHook(Krb5Auth_t func);
213  static void SetPromptUser(Bool_t promptuser);
214  static void SetDefaultRSAKeyType(Int_t key);
215  static void SetReadHomeAuthrc(Bool_t readhomeauthrc); // for PROOF
216  static void SetRSAInit(Int_t init = 1);
217  static Int_t SetRSAPublic(const char *rsapubexport, Int_t klen);
218  static void SetSecureAuthHook(SecureAuth_t func);
219  static void SetTimeOut(Int_t to);
220  static void Show(Option_t *opt="S");
222  ClassDef(TAuthenticate,0) // Class providing remote authentication service
223 };
225 #endif
THostAuth * GetHostAuth() const
static Bool_t GetGlobalSRPPwd()
Static method returning the global SRP password flag.
static void SetKrb5AuthHook(Krb5Auth_t func)
Set kerberos5 authorization function.
static void SetDefaultUser(const char *defaultuser)
Set default user name.
static Int_t GetRSAInit()
Static method returning the RSA initialization flag.
static Int_t GetClientProtocol()
Static method returning supported client protocol.
void SetRSAKeyType(Int_t key)
static void InitRandom()
Initialize random machine using seed from /dev/urandom (or current time if /dev/urandom not available...
static Bool_t GetAuthReUse()
Static method returning the authentication reuse settings.
static Int_t fgAuthTO
THostAuth * fHostAuth
Definition: TAuthenticate.h:74
TString fPasswd
Definition: TAuthenticate.h:75
static Bool_t fgUsrPwdCrypt
static TDatime fgExpDate
static void RemoveSecContext(TRootSecContext *ctx)
Tool for removing SecContext ctx from THostAuth listed in fgAuthInfo or fgProofAuthInfo.
TSocket * GetSocket() const
Int_t AuthExists(TString User, Int_t method, const char *Options, Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck)
Check if we have a valid established sec context in memory Retrieves relevant info and negotiates wit...
Bool_t GetPwHash() const
Definition: TAuthenticate.h:89
static Bool_t fgPromptUser
Int_t(* GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det)
Definition: TAuthenticate.h:56
const char Option_t
Definition: RtypesCore.h:62
TString fDetails
Definition: TAuthenticate.h:73
static void SetGlobalUser(const char *user)
Set global user name to be used for authentication to rootd or proofd.
Int_t(* Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version)
Definition: TAuthenticate.h:57
Int_t SshAuth(TString &user)
SSH client authentication code.
static void RemoveHostAuth(THostAuth *ha, Option_t *opt="")
Remove THostAuth instance from the list.
const char * GetSshUser(TString user) const
Method returning the user to be used for the ssh login.
This class implements a mutex interface.
Definition: TVirtualMutex.h:34
static GlobusAuth_t GetGlobusAuthHook()
Static method returning the globus authorization hook.
Basic string class.
Definition: TString.h:137
static Bool_t fgSRPPwd
const Int_t kMAXSEC
Definition: AuthConst.h:28
Int_t GetRSAKeyType() const
int Int_t
Definition: RtypesCore.h:41
bool Bool_t
Definition: RtypesCore.h:59
const char * GetProtocol() const
static TList * fgProofAuthInfo
static char * GetDefaultDetails(Int_t method, Int_t opt, const char *user)
Determine default authentication details for method &#39;sec&#39; and user &#39;usr&#39;.
const char * GetRemoteHost() const
static const char * GetKrb5Principal()
Static method returning the principal to be used to init Krb5 tickets.
R__EXTERN TVirtualMutex * gAuthenticateMutex
Definition: TAuthenticate.h:61
Bool_t Authenticate()
Authenticate to remote rootd or proofd server.
static SecureAuth_t fgSecAuthHook
static void SetReadHomeAuthrc(Bool_t readhomeauthrc)
Set flag controlling the reading of $HOME/.rootauthrc.
Int_t ClearAuth(TString &user, TString &passwd, Bool_t &pwhash)
UsrPwd client authentication code.
static TPluginHandler * fgPasswdDialog
static Int_t fgRSAKey
static Int_t ReadRootAuthrc()
Read authentication directives from $ROOTAUTHRC, $HOME/.rootauthrc or <Root_etc_dir>/system.rootauthrc and create related THostAuth objects.
static TList * fgAuthInfo
static void SetPromptUser(Bool_t promptuser)
Set global PromptUser flag.
static char * PromptPasswd(const char *prompt="Password: ")
Static method to prompt for the user&#39;s passwd to be used for authentication to rootd or proofd...
static GlobusAuth_t fgGlobusAuthHook
static rsa_KEY fgRSAPubKey
static Int_t fgProcessID
#define ClassDef(name, id)
Definition: Rtypes.h:254
ESecurity fSecurity
Definition: TAuthenticate.h:81
static Int_t DecodeRSAPublic(const char *rsapubexport, rsa_NUMBER &n, rsa_NUMBER &d, char **rsassl=0)
Store RSA public keys from export string rsaPubExport.
static rsa_KEY_export fgRSAPubExport[2]
Int_t HasTimedOut() const
Int_t ProofAuthSetup()
Authentication related stuff setup in TProofServ.
Int_t RfioAuth(TString &user)
UidGid client authentication code.
static Int_t fgRSAInit
static void SetTimeOut(Int_t to)
Set timeout (active if > 0)
static void SetGlobalSRPPwd(Bool_t srppwd)
Set global SRP passwd flag to be used for authentication to rootd or proofd.
static Bool_t GetPromptUser()
Static method returning the prompt user settings.
TRootSecContext * GetSecContext() const
TAuthenticate(TSocket *sock, const char *remote, const char *proto, const char *user="")
Create authentication object.
Int_t(* CheckSecCtx_t)(const char *subj, TRootSecContext *ctx)
Definition: TAuthenticate.h:55
static Int_t SecureSend(TSocket *Socket, Int_t enc, Int_t KeyType, const char *In)
Encode null terminated str using the session private key indicated by enc and sends it over the netwo...
A doubly linked list.
Definition: TList.h:47
void SetSecContext(TRootSecContext *ctx)
Int_t SshError(const char *errfile)
SSH error parsing: returns 0 : no error or fatal 1 : should retry (eg &#39;connection closed by remote ho...
static void AuthError(const char *where, Int_t error)
Print error string depending on error code.
static Krb5Auth_t fgKrb5AuthHook
static void SetRSAInit(Int_t init=1)
Static method setting RSA initialization flag.
static TDatime GetGlobalExpDate()
Static method returning default expiring date for new validity contexts.
Int_t(* SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd, const char *remote, TString &det, Int_t version)
Definition: TAuthenticate.h:58
static void SetSecureAuthHook(SecureAuth_t func)
Set secure authorization function.
Int_t GenRSAKeys()
Generate a valid pair of private/public RSA keys to protect for authentication token exchange...
Int_t GetRSAKey() const
Definition: TAuthenticate.h:90
static char * PromptUser(const char *remote)
Static method to prompt for the user name to be used for authentication to rootd or proofd...
static TList * GetProofAuthInfo()
Static method returning the list with authentication directives to be sent to proof.
static Int_t SetRSAPublic(const char *rsapubexport, Int_t klen)
Store RSA public keys from export string rsaPubExport.
static Bool_t CheckProofAuth(Int_t cSec, TString &det)
Check if the authentication method can be attempted for the client.
Int_t GetVersion() const
Definition: TAuthenticate.h:94
TRootSecContext * fSecContext
Definition: TAuthenticate.h:80
static const char * GetDefaultUser()
Static method returning the default user information.
static TDatime fgLastAuthrc
static void Show(Option_t *opt="S")
Print info about the authentication sector.
static TString fgUser
ESecurity GetSecurity() const
Definition: TAuthenticate.h:91
static TList * GetAuthInfo()
Static method returning the list with authentication details.
static void SetAuthReUse(Bool_t authreuse)
Set global AuthReUse flag.
TString fProtocol
Definition: TAuthenticate.h:76
static Int_t fgLastError
static TString fgKrb5Principal
static Int_t init()
void CatchTimeOut()
Called in connection with a timer timeout.
std::string Message(const std::string &msg, const std::string &location)
Definition: Scanner.cxx:152
TSocket * fSocket
Definition: TAuthenticate.h:82
Bool_t GetUserPasswd(TString &user, TString &passwd, Bool_t &pwhash, Bool_t srppwd)
Try to get user name and passwd from several sources.
void SetEnvironment()
Set default authentication environment.
static void FileExpand(const char *fin, FILE *ftmp)
Expands include directives found in fexp files The expanded, temporary file, is pointed to by &#39;ftmp&#39; ...
static Int_t SecureRecv(TSocket *Socket, Int_t dec, Int_t KeyType, char **Out)
Receive str from sock and decode it using key indicated by key type Return number of received bytes o...
double func(double *x, double *p)
Definition: stressTF1.cxx:213
static Bool_t CheckHost(const char *Host, const char *host)
Check if &#39;host&#39; matches &#39;href&#39;: this means either equal or "containing" it, even with wild cards * in...
static void SetGlobalExpDate(TDatime expdate)
Set default expiring date for new validity contexts.
static TString fgDefaultUser
static void SetGlobusAuthHook(GlobusAuth_t func)
Set Globus authorization function.
static void SetGlobalPwHash(Bool_t pwhash)
Set global passwd hash flag to be used for authentication to rootd or proofd.
static void MergeHostAuthList(TList *Std, TList *New, Option_t *Opt="")
Tool for updating fgAuthInfo or fgProofAuthInfo &#39;nin&#39; contains list of last input information through...
Bool_t GetSRPPwd() const
Definition: TAuthenticate.h:92
static TString fgPasswd
static const char * GetRSAPubExport(Int_t key=0)
Static method returning the RSA public keys.
Mother of all ROOT objects.
Definition: TObject.h:37
static TString fgRootAuthrc
virtual ~TAuthenticate()
#define R__EXTERN
Definition: DllImport.h:27
static const char * GetGlobalUser()
Static method returning the global user.
static Bool_t fgPwHash
static TString fgAuthMeth[kMAXSEC]
const char * proto
Definition: civetweb.c:11652
static Bool_t fgReadHomeAuthrc
static rsa_KEY fgRSAPriKey
Bool_t CheckNetrc(TString &user, TString &passwd)
Try to get user name and passwd from the ~/.rootnetrc or ~/.netrc files.
char * GetRandString(Int_t Opt, Int_t Len)
Allocates and fills a 0 terminated buffer of length len+1 with len random characters.
static void SetDefaultRSAKeyType(Int_t key)
Static method setting the default type of RSA key.
static Bool_t GetGlobalPwHash()
Static method returning the global password hash flag.
const char * GetUser() const
static Bool_t fgAuthReUse
TString fRemote
Definition: TAuthenticate.h:78
static Int_t GetAuthMethodIdx(const char *meth)
Static method returning the method index (which can be used to find the method in GetAuthMethod())...
const Int_t n
Definition: legend1.C:16
static THostAuth * HasHostAuth(const char *host, const char *user, Option_t *opt="R")
Checks if a THostAuth with exact match for {host,user} exists in the fgAuthInfo list If opt = "P" use...
static void SetGlobalPasswd(const char *passwd)
Set global passwd to be used for authentication to rootd or proofd.
static Int_t SendRSAPublicKey(TSocket *Socket, Int_t key=0)
Receives server RSA Public key Sends local RSA public key encoded.
This class stores the date and time with a precision of one second in an unsigned 32 bit word (950130...
Definition: TDatime.h:39
static const char * GetAuthMethod(Int_t idx)
Static method returning the method corresponding to idx.