21 #include "RConfigure.h" 49 #include <sys/types.h> 51 #if !defined(R__WIN32) && !defined(R__MACOSX) && !defined(R__FBSD) && \ 58 #if defined(R__LINUX) || defined(R__FBSD) || defined(R__OBSD) 63 # include <sys/time.h> 66 #if defined(R__MACOSX) 67 extern "C" char *crypt(
const char *,
const char *);
77 # include <openssl/bio.h> 78 # include <openssl/err.h> 79 # include <openssl/pem.h> 80 # include <openssl/rand.h> 81 # include <openssl/rsa.h> 82 # include <openssl/ssl.h> 83 # include <openssl/blowfish.h> 91 static BF_KEY fgBFKey;
97 "Globus",
"SSH",
"UidGid" };
142 int frnd =
open(
"/dev/urandom", O_RDONLY);
143 if (frnd < 0) frnd =
open(
"/dev/random", O_RDONLY);
146 ssize_t rs = read(frnd, (
void *) &r,
sizeof(
int));
149 if (rs ==
sizeof(
int))
return r;
151 Printf(
"+++ERROR+++ : auth_rand: neither /dev/urandom nor /dev/random are available or readable!");
153 if (gettimeofday(&tv,0) == 0) {
155 memcpy((
void *)&t1, (
void *)&tv.tv_sec,
sizeof(
int));
156 memcpy((
void *)&t2, (
void *)&tv.tv_usec,
sizeof(
int));
172 const char *
proto,
const char *user)
174 if (
gDebug > 2 && gAuthenticateMutex)
179 if (
gROOT->IsProofServ())
196 Info(
"TAuthenticate",
"Enter: local host: %s, user is: %s (proto: %s)",
203 if (proto && strlen(proto) > 0) {
204 char *sproto =
StrDup(proto);
205 if ((pdd = strstr(sproto,
":")) != 0) {
206 int rproto = atoi(pdd + 1);
208 if (strstr(sproto,
"root") != 0) {
225 if (strstr(sproto,
"proof") != 0) {
240 Info(
"TAuthenticate",
241 "service: %s (remote protocol: %d): fVersion: %d", sproto,
251 if (user && strlen(user) > 0) {
257 checkUser = u->
fUser;
277 Info(
"TAuthenticate",
"RSA key: default type %d", fgRSAKey);
291 fqdnsrv.
Form(
"%s:%d",fqdn.
Data(),servtype);
297 Info(
"TAuthenticate",
298 "number of HostAuth Instantiations in memory: %d",
299 GetAuthInfo()->GetSize());
305 fHostAuth = GetHostAuth(fqdnsrv, checkUser);
313 if (fProtocol.Contains(
"proof")) {
315 }
else if (fProtocol.Contains(
"root")) {
319 Int_t nw = sscanf(tmp.
Data(),
"%5s %5s %5s %5s %5s %5s",
320 am[0], am[1], am[2], am[3], am[4], am[5]);
323 for( ; i < nw; i++) {
325 if (strlen(am[i]) > 1) {
326 met = GetAuthMethodIdx(am[i]);
330 if (met > -1 && met <
kMAXSEC) {
339 fHostAuth =
new THostAuth(fRemote,fUser,0,(
const char *)0);
345 if (strchr(fHostAuth->GetHost(),
'*') || strchr(fHostAuth->GetHost(),
'*') ||
346 fHostAuth->GetServer() == -1 ) {
348 fHostAuth->SetHost(fqdn);
349 fHostAuth->SetUser(checkUser);
350 fHostAuth->SetServer(servtype);
360 if (!strncmp(tmp.
Data(),
"up",2))
362 else if (!strncmp(tmp.
Data(),
"s",1))
364 else if (!strncmp(tmp.
Data(),
"k",1))
366 else if (!strncmp(tmp.
Data(),
"g",1))
368 else if (!strncmp(tmp.
Data(),
"h",1))
370 else if (!strncmp(tmp.
Data(),
"ug",2))
372 if (sec > -1 && sec <
kMAXSEC) {
373 if (fHostAuth->HasMethod(sec)) {
374 fHostAuth->SetFirst(sec);
376 char *dtmp = GetDefaultDetails(sec, 1, checkUser);
378 fHostAuth->AddFirst(sec, det);
386 TIter next(fHostAuth->Established());
398 Info(
"CatchTimeOut",
"%d sec timeout expired (protocol: %s)",
399 fgAuthTO, fgAuthMeth[fSecurity].Data());
403 fSocket->Close(
"force");
414 if (
gDebug > 2 && gAuthenticateMutex)
422 char noSupport[80] = { 0 };
423 char triedMeth[80] = { 0 };
430 Info(
"Authenticate",
"enter: fUser: %s", fUser.Data());
437 alarm->SetInterruptSyscalls();
439 alarm->Connect(
"Timeout()",
"TAuthenticate",
this,
"CatchTimeOut()");
447 Info(
"Authenticate",
"try #: %d", ntry);
454 fSecurity = (
ESecurity) fHostAuth->GetMethod(meth);
455 fDetails = fHostAuth->GetDetails((
Int_t) fSecurity);
458 "trying authentication: method:%d, default details:%s",
459 fSecurity, fDetails.Data());
462 if (strlen(triedMeth) > 0)
463 snprintf(triedMeth, 80,
"%s %s", triedMeth, fgAuthMeth[fSecurity].Data());
465 snprintf(triedMeth, 80,
"%s", fgAuthMeth[fSecurity].Data());
475 if (fgAuthTO > 0 && alarm) {
476 alarm->Start(fgAuthTO*1000,
kTRUE);
480 if (fSecurity == kClear) {
485 user = fgDefaultUser;
487 CheckNetrc(user, passwd, pwhash,
kFALSE);
490 char *u = PromptUser(fRemote);
494 rc = GetUserPasswd(user, passwd, pwhash,
kFALSE);
502 st = ClearAuth(user, passwd, pwhash);
504 Error(
"Authenticate",
505 "unable to get user name for UsrPwd authentication");
508 }
else if (fSecurity == kSRP) {
513 user = fgDefaultUser;
515 CheckNetrc(user, passwd, pwhash,
kTRUE);
518 char *p = PromptUser(fRemote);
522 rc = GetUserPasswd(user, passwd, pwhash,
kTRUE);
527 if (!fgSecAuthHook) {
536 if (!rc && fgSecAuthHook) {
538 st = (*fgSecAuthHook) (
this, user, passwd, fRemote, fDetails,
542 Error(
"Authenticate",
543 "no support for SRP authentication available");
545 Error(
"Authenticate",
546 "unable to get user name for SRP authentication");
554 }
else if (fSecurity == kKrb5) {
559 if (!fgKrb5AuthHook) {
567 if (fgKrb5AuthHook) {
568 fUser = fgDefaultUser;
569 st = (*fgKrb5AuthHook) (
this, fUser, fDetails, fVersion);
571 Error(
"Authenticate",
572 "support for kerberos5 auth locally unavailable");
577 "remote daemon does not support Kerberos authentication");
578 if (strlen(noSupport) > 0)
579 snprintf(noSupport, 80,
"%s/Krb5", noSupport);
584 }
else if (fSecurity == kGlobus) {
588 if (!fgGlobusAuthHook) {
596 if (fgGlobusAuthHook) {
597 st = (*fgGlobusAuthHook) (
this, fUser, fDetails);
599 Error(
"Authenticate",
600 "no support for Globus authentication available");
605 "remote daemon does not support Globus authentication");
606 if (strlen(noSupport) > 0)
607 snprintf(noSupport, 80,
"%s/Globus", noSupport);
613 }
else if (fSecurity == kSSH) {
623 "remote daemon does not support SSH authentication");
624 if (strlen(noSupport) > 0)
625 snprintf(noSupport, 80,
"%s/SSH", noSupport);
630 }
else if (fSecurity == kRfio) {
635 st = RfioAuth(fUser);
640 "remote daemon does not support UidGid authentication");
641 if (strlen(noSupport) > 0)
642 snprintf(noSupport, 80,
"%s/UidGid", noSupport);
649 if (alarm) alarm->Stop();
652 st = (fTimeOut > 0) ? -3 : st;
660 Int_t nmet = fHostAuth->NumMethods();
661 Int_t remloc = nmet - ntry;
663 Info(
"Authenticate",
"remloc: %d, ntry: %d, meth: %d, fSecurity: %d",
664 remloc, ntry, meth, fSecurity);
671 fHostAuth->CountSuccess((
Int_t)fSecurity);
673 fSecContext->Print();
674 if (fSecContext->IsActive())
675 fSecContext->AddForCleanup(fSocket->GetPort(),
676 fSocket->GetRemoteProtocol(),fSocket->GetServType());
683 fHostAuth->CountFailure((
Int_t)fSecurity);
689 "negotiation not supported remotely: try next method, if any");
690 if (meth < nmet - 1) {
701 if (fSocket->Recv(stat, kind) < 0) {
707 "after failed attempt: kind= %d, stat= %d", kind, stat);
714 char *answer =
new char[len];
715 int nrec = fSocket->Recv(answer, len, kind);
723 "strings with accepted methods not received (%d:%d)",
726 sscanf(answer,
"%d %d %d %d %d %d", &rMth[0], &rMth[1],
727 &rMth[2], &rMth[3], &rMth[4], &rMth[5]);
728 if (
gDebug > 0 && remloc > 0)
730 "remotely allowed methods not yet tried: %s",
733 }
else if (stat == 0) {
735 "no more methods accepted remotely to be tried");
748 char locav[40] = { 0 };
750 for (i = 0; i < remMeth; i++) {
751 for (j = 0; j < nmet; j++) {
752 if (fHostAuth->GetMethod(j) == rMth[i] && tMth[j] == 0) {
759 snprintf(locav, 40,
"%s %d", locav, fHostAuth->GetMethod(j));
761 if (methfound)
break;
763 if (methfound)
break;
768 "no match with those locally available: %s", locav);
782 fHostAuth->CountFailure((
Int_t)fSecurity);
785 "method not even started: insufficient or wrong info: %s",
786 "try with next method, if any");
787 fHostAuth->RemoveMethod(fSecurity);
799 fHostAuth->CountFailure((
Int_t)fSecurity);
803 "status code -2 not expected from old daemons");
813 fHostAuth->CountFailure((
Int_t)fSecurity);
815 Info(
"Authenticate",
"got a timeout");
816 fHostAuth->SetLast(fSecurity);
817 if (meth < nmet - 1) {
825 fHostAuth->CountFailure((
Int_t)fSecurity);
827 Info(
"Authenticate",
"unknown status code: %d - assume failure",st);
841 if (strlen(noSupport) > 0)
842 Info(
"Authenticate",
"attempted methods %s are not supported" 843 " by remote server version", noSupport);
845 "failure: list of attempted methods: %s", triedMeth);
846 AuthError(
"Authenticate",-1);
869 Info(
"SetEnvironment",
870 "setting environment: fSecurity:%d, fDetails:%s", fSecurity,
874 fgDefaultUser = fgUser;
875 if (fSecurity == kKrb5 ||
876 (fSecurity == kGlobus &&
gROOT->IsProofServ()))
883 if (fDetails !=
"") {
885 char pt[5] = { 0 }, ru[5] = { 0 };
891 TString usrPromptDef =
TString(GetAuthMethod(fSecurity)) +
".LoginPrompt";
892 if ((ptr = strstr(fDetails,
"pt:")) != 0) {
893 sscanf(ptr + 3,
"%4s %8191s", pt, usdef);
895 if (!strncasecmp(
gEnv->
GetValue(usrPromptDef,
""),
"no",2) ||
901 TString usrReUseDef =
TString(GetAuthMethod(fSecurity)) +
".ReUse";
902 if ((ptr = strstr(fDetails,
"ru:")) != 0) {
903 sscanf(ptr + 3,
"%4s %8191s", ru, usdef);
905 if (!strncasecmp(
gEnv->
GetValue(usrReUseDef,
""),
"no",2) ||
911 TString usrValidDef =
TString(GetAuthMethod(fSecurity)) +
".Valid";
914 if ((pd = hours.Index(
":")) > -1) {
918 hh = atoi(hours.Data());
919 mm = atoi(minutes.
Data());
921 hh = atoi(hours.Data());
926 if (fSecurity == kGlobus) {
927 if ((ptr = strstr(fDetails,
"cd:")) != 0)
928 sscanf(ptr,
"%8191s %8191s", cd, usdef);
929 if ((ptr = strstr(fDetails,
"cf:")) != 0)
930 sscanf(ptr,
"%8191s %8191s", cf, usdef);
931 if ((ptr = strstr(fDetails,
"kf:")) != 0)
932 sscanf(ptr,
"%8191s %8191s", kf, usdef);
933 if ((ptr = strstr(fDetails,
"ad:")) != 0)
934 sscanf(ptr,
"%8191s %8191s", ad, usdef);
936 Info(
"SetEnvironment",
937 "details:%s, pt:%s, ru:%s, cd:%s, cf:%s, kf:%s, ad:%s",
938 fDetails.Data(),
pt, ru, cd, cf, kf, ad);
940 }
else if (fSecurity == kClear) {
941 if ((ptr = strstr(fDetails,
"us:")) != 0)
942 sscanf(ptr + 3,
"%8191s %8191s", us, usdef);
943 if ((ptr = strstr(fDetails,
"cp:")) != 0)
944 sscanf(ptr + 3,
"%8191s %8191s", cp, usdef);
946 Info(
"SetEnvironment",
"details:%s, pt:%s, ru:%s, us:%s cp:%s",
947 fDetails.Data(),
pt, ru,
us, cp);
948 }
else if (fSecurity == kKrb5) {
949 if ((ptr = strstr(fDetails,
"us:")) != 0)
950 sscanf(ptr + 3,
"%8191s %8191s", us, usdef);
951 if ((ptr = strstr(fDetails,
"pp:")) != 0)
952 sscanf(ptr + 3,
"%8191s %8191s", pp, usdef);
954 Info(
"SetEnvironment",
"details:%s, pt:%s, ru:%s, us:%s pp:%s",
955 fDetails.Data(),
pt, ru,
us, pp);
957 if ((ptr = strstr(fDetails,
"us:")) != 0)
958 sscanf(ptr + 3,
"%8191s %8191s", us, usdef);
960 Info(
"SetEnvironment",
"details:%s, pt:%s, ru:%s, us:%s",
961 fDetails.Data(),
pt, ru,
us);
965 if (!strncasecmp(pt,
"yes",3) || !strncmp(pt,
"1", 1))
966 fgPromptUser =
kTRUE;
969 if (fSecurity == kKrb5) {
971 if (!strncasecmp(ru,
"yes",3) || !strncmp(ru,
"1",1))
974 if (fSecurity != kGlobus || !(
gROOT->IsProofServ())) {
976 if (!strncasecmp(ru,
"no",2) || !strncmp(ru,
"0",1))
983 fgExpDate.Set(fgExpDate.Convert() + hh*3600 +
mm*60);
986 if (fSecurity == kClear) {
987 fgUsrPwdCrypt =
kTRUE;
988 if (!strncmp(cp,
"no", 2) || !strncmp(cp,
"0", 1))
993 if (fSecurity == kGlobus) {
994 if (strlen(cd) > 0) {
snprintf(usdef,8192,
" %s",cd); }
995 if (strlen(cf) > 0) {
snprintf(usdef,8192,
"%s %s",usdef, cf); }
996 if (strlen(kf) > 0) {
snprintf(usdef,8192,
"%s %s",usdef, kf); }
997 if (strlen(ad) > 0) {
snprintf(usdef,8192,
"%s %s",usdef, ad); }
999 if (fSecurity == kKrb5) {
1001 if (strlen(pp) > 0) {
1002 fgKrb5Principal =
TString(pp);
1005 if (strlen(us) > 0 && strstr(us,
"@"))
1006 fgKrb5Principal =
TString(us);
1009 if (fUser.Length()) {
1012 if (strlen(us) > 0 && !strstr(us,
"@"))
1023 if (strlen(usdef) > 0) {
1024 fgDefaultUser = usdef;
1027 fgDefaultUser = fgUser;
1031 fgDefaultUser = u->
fUser;
1035 if (fgDefaultUser ==
"anonymous" || fgDefaultUser ==
"rootd" ||
1036 fgUser !=
"" || fUser !=
"") {
1042 Info(
"SetEnvironment",
"usdef:%s", fgDefaultUser.Data());
1053 Info(
"GetUserPasswd",
"Enter: User: '%s' Hash:%d SRP:%d",
1060 if (passwd ==
"" && fgPasswd !=
"" && srppwd == fgSRPPwd) {
1065 if (fgUser !=
"" && user == fgUser) {
1066 if (passwd ==
"" && fgPasswd !=
"" && srppwd == fgSRPPwd) {
1073 Info(
"GetUserPasswd",
"In memory: User: '%s' Hash:%d",
1083 Info(
"GetUserPasswd",
"In memory: User: '%s' Hash:%d",
1089 if (user ==
"" || passwd ==
"") {
1091 Info(
"GetUserPasswd",
"Checking .netrc family ...");
1092 CheckNetrc(user, passwd, pwhash, srppwd);
1095 Info(
"GetUserPasswd",
"From .netrc family: User: '%s' Hash:%d",
1100 char *p = PromptUser(fRemote);
1104 Error(
"GetUserPasswd",
"user name not set");
1124 return CheckNetrc(user, passwd, hash, srppwd);
1182 FILE *fd = fopen(net,
"r");
1184 while (fgets(line,
sizeof(line), fd) != 0) {
1188 int nword = sscanf(line,
"%63s %63s %63s %63s %63s %63s",
1189 word[0], word[1], word[2], word[3], word[4], word[5]);
1192 if (srppwd && strcmp(word[0],
"secure"))
1194 if (!srppwd && strcmp(word[0],
"machine"))
1196 if (strcmp(word[2],
"login"))
1198 if (srppwd && strcmp(word[4],
"password"))
1201 strcmp(word[4],
"password") && strcmp(word[4],
"password-hash"))
1213 if (!strcmp(word[4],
"password-hash"))
1218 if (!strcmp(word[3], user.
Data())) {
1220 if (!strcmp(word[4],
"password-hash"))
1231 "file %s exists but has not 0600 permission", net);
1235 if (first && !srppwd && !result) {
1281 return fgDefaultUser;
1289 return fgKrb5Principal;
1305 return fgPromptUser;
1315 if (idx < 0 || idx >
kMAXSEC-1) {
1316 ::Error(
"Authenticate::GetAuthMethod",
"idx out of bounds (%d)", idx);
1319 return fgAuthMeth[idx];
1330 if (meth && meth[0]) {
1351 if (fgDefaultUser !=
"")
1352 user = fgDefaultUser;
1359 if (isatty(0) == 0 || isatty(1) == 0) {
1361 "not tty: cannot prompt for user, returning default");
1368 const char *usrIn = Getline(
Form(
"Name (%s:%s): ", remote, user));
1388 if (isatty(0) == 0 || isatty(1) == 0) {
1389 ::Warning(
"TAuthenticate::PromptPasswd",
1390 "not tty: cannot prompt for passwd, returning -1");
1391 static char noint[4] = {
"-1"};
1396 const char *pw = buf;
1400 if ((fgPasswdDialog =
1401 gROOT->GetPluginManager()->FindHandler(
"TGPasswdDialog"))) {
1402 if (fgPasswdDialog->LoadPlugin() == -1) {
1405 "could not load plugin for the password dialog box");
1409 if (fgPasswdDialog && (fgPasswdDialog != (
TPluginHandler *)(-1))) {
1412 fgPasswdDialog->ExecPlugin(3, prompt, buf, 128);
1415 while (
gROOT->IsInterrupted())
1419 Gl_config(
"noecho", 1);
1420 pw = Getline(prompt);
1421 Gl_config(
"noecho", 0);
1440 return fgGlobusAuthHook;
1448 key = (key >= 0 && key <= 1) ? key : 0;
1449 return fgRSAPubExport[key].keys;
1465 if (key >= 0 && key <= 1)
1485 fgAuthInfo =
new TList;
1497 if (!fgProofAuthInfo)
1498 fgProofAuthInfo =
new TList;
1499 return fgProofAuthInfo;
1510 err = (err < kErrError) ? ((err > -1) ? err : -1) :
kErrError;
1518 lasterr =
"(last error only; re-run with gDebug > 0 for more details)";
1522 if (
gDebug > 0 || forceprint) {
1524 ::Error(
Form(
"TAuthenticate::%s", where),
"%s %s",
1528 "unknown error code: server must be running a newer ROOT version %s",
1546 if (user && user[0])
1560 if (passwd && passwd[0])
1587 fgReadHomeAuthrc = readhomeauthrc;
1595 fgExpDate = expdate;
1603 if (fgDefaultUser !=
"")
1606 if (defaultuser && defaultuser[0])
1607 fgDefaultUser = defaultuser;
1615 fgAuthTO = (to <= 0) ? -1 : to;
1623 fgAuthReUse = authreuse;
1631 fgPromptUser = promptuser;
1640 fgSecAuthHook = func;
1649 fgKrb5AuthHook = func;
1658 fgGlobusAuthHook = func;
1671 FILE *
ferr = fopen(errorfile,
"r");
1677 Int_t lerr = strlen(serr);
1678 char *
pc = (
char *)memchr(serr,
'"',lerr);
1681 pc = (
char *)memchr(pc+1,
'"',strlen(pc+1));
1685 while (fgets(line,
sizeof(line),
ferr)) {
1687 if (line[strlen(line)-1] ==
'\n')
1688 line[strlen(line)-1] =
'\0';
1690 Info(
"SshError",
"read line: %s",line);
1692 while (pc < serr + lerr) {
1693 if (pc[0] ==
'\0' || pc[0] ==
' ')
1697 Info(
"SshError",
"checking error: '%s'",pc);
1698 if (strstr(line,pc))
1723 if (
gROOT->IsProofServ()) {
1726 Info(
"SshAuth",
"SSH protocol is switched OFF by default" 1727 " for PROOF servers: use 'ProofServ.UseSSH 1'" 1728 " to enable it (see system.rootrc)");
1738 char cmdref[2][5] = {
"ssh",
"scp"};
1743 while (notfound && sshproto > -1) {
1745 strlcpy(scmd,cmdref[sshproto],5);
1754 Info(
"SshAuth",
"%s not found in $PATH", scmd);
1757 if (strcmp(
gEnv->
GetValue(
"SSH.ExecDir",
"-1"),
"-1")) {
1759 Info(
"SshAuth",
"searching user defined path ...");
1763 Info(
"SshAuth",
"%s not executable", sshExe.
Data());
1769 if (notfound) sshproto--;
1777 Info(
"SshAuth",
"%s is %s (sshproto: %d)", scmd, sshExe.
Data(), sshproto);
1790 user = GetSshUser(user);
1793 Int_t reuse = (int)fgAuthReUse;
1794 fDetails =
TString::Format(
"pt:%d ru:%d us:",(
int)fgPromptUser,(
int)fgAuthReUse)
1800 options.
Form(
"%d none %ld %s %d", opt,
1805 Int_t retval = reuse;
1833 if (fSocket->Recv(cmdinfo, reclen, kind) < 0) {
1840 Info(
"SshAuth",
"received from server command info: %s", cmdinfo);
1846 while (ci.Tokenize(tkn, from,
" ")) {
1847 if (from > 0) cmdinfo[from-1] =
'\0';
1854 if (tkn.
IsDigit() && tkn.
Atoi() == 1) fRSAKey = 1;
1861 if (isatty(0) == 0 || isatty(1) == 0) {
1862 noPrompt =
TString(
"-o 'PasswordAuthentication no' ");
1863 noPrompt +=
TString(
"-o 'StrictHostKeyChecking no' ");
1865 Info(
"SshAuth",
"using noprompt options: %s", noPrompt.
Data());
1869 Int_t srvtyp = fSocket->GetServType();
1870 Int_t rproto = fSocket->GetRemoteProtocol();
1877 if (sshproto == 0) {
1879 fileErr =
"rootsshtmp_";
1883 fileErr =
"rootsshtmp_";
1887 fileErr.
Append(
".error");
1889 sshcmd.
Form(
"%s -x -l %s %s", sshExe.
Data(), user.
Data(), noPrompt.
Data());
1897 while (ssh_rc && again && ntry--) {
1900 again = SshError(fileErr);
1902 Info(
"SshAuth",
"%d: sleeping: rc: %d, again:%d, ntry: %d",
1903 fgProcessID, ssh_rc, again, ntry);
1917 TString fileLoc =
"rootsshtmp_";
1921 fileLoc =
"rootsshtmp_";
1928 if (chmod(fileLoc, 0600) == -1) {
1929 Info(
"SshAuth",
"fchmod error: %d", errno);
1931 }
else if ((floc = fopen(fileLoc,
"w"))) {
1935 fprintf(floc,
"k: %d\n",fRSAKey+1);
1936 fwrite(fgRSAPubExport[fRSAKey].keys,1,
1937 fgRSAPubExport[fRSAKey].len,floc);
1939 fprintf(floc,
"k: %s\n",fgRSAPubExport[0].keys);
1943 fprintf(floc,
"k: -1\n");
1950 sshcmd.
Form(
"%s -p %s", sshExe.
Data(), noPrompt.
Data());
1956 user.
Data(),fRemote.Data(),cmdinfo);
1964 while (ssh_rc && again && ntry--) {
1967 again = SshError(fileErr);
1969 Info(
"SshAuth",
"%d: sleeping: rc: %d, again:%d, ntry: %d",
1970 fgProcessID, ssh_rc, again, ntry);
1991 Info(
"SshAuth",
"%d: system return code: %d (%d)",
1992 fgProcessID, ssh_rc, ntry+1);
1994 if (ssh_rc && sshproto == 0) {
1996 srvtyp = fSocket->GetServType();
1997 rproto = fSocket->GetRemoteProtocol();
2006 Int_t port = fSocket->GetPort();
2009 url.
Form(
"sockd://%s",fRemote.Data());
2017 newsock =
new TSocket(fRemote.Data(),port,-1);
2019 newsock->
Send(
"failure notification");
2022 char cd1[1024], pipe[1024], dum[1024];
2024 sscanf(cmdinfo,
"%1023s %d %1023s %1023s", cd1, &id3, pipe, dum);
2032 if (newsock->
Recv(retval, kind) >= 0) {
2033 char *buf =
new char[retval+1];
2034 if (newsock->
Recv(buf, retval+1, kind) >= 0) {
2035 if (strncmp(buf,
"OK",2)) {
2036 Info(
"SshAuth",
"from remote host %s:", fRemote.Data());
2037 Info(
"SshAuth",
">> nothing listening on port %s %s",buf,
2038 "(supposed to be associated to sshd)");
2039 Info(
"SshAuth",
">> contact the daemon administrator at %s",
2043 Info(
"SshAuth",
"from remote host %s:", fRemote.Data());
2044 Info(
"SshAuth",
">> something listening on the port" 2045 " supposed to be associated to sshd.");
2046 Info(
"SshAuth",
">> You have probably mistyped your" 2047 " password. Or you tried to hack the" 2049 Info(
"SshAuth",
">> If the problem persists you may" 2050 " consider contacting the daemon");
2051 Info(
"SshAuth",
">> administrator at %s.",fRemote.Data());
2060 if (fSocket->Recv(retval, kind) >= 0) {
2062 AuthError(
"SshAuth", retval);
2066 }
else if (ssh_rc && sshproto > 0) {
2069 Info(
"SshAuth",
"error communicating failure");
2076 Info(
"SshAuth",
"error communicating success");
2081 if ((nrec = fSocket->Recv(retval, kind)) < 0)
2084 Info(
"SshAuth",
"got message %d, flag: %d", kind, retval);
2088 AuthError(
"SshAuth", retval);
2092 if (reuse == 1 && sshproto == 0) {
2097 "problems recvn RSA key flag: got message %d, flag: %d",
2102 fRSAKey = retval - 1;
2105 if (SendRSAPublicKey(fSocket,fRSAKey) < 0)
2109 if ((nrec = fSocket->Recv(retval, kind)) < 0)
2112 Info(
"SshAuth",
"got message %d, flag: %d", kind, retval);
2117 "problems recvn (user,offset) length (%d:%d bytes:%d)", kind,
2123 reclen = (retval+1 > 256) ? 256 : retval+1;
2124 if ((nrec = fSocket->Recv(answer, reclen, kind)) < 0)
2127 Warning(
"SshAuth",
"username and offset not received (%d:%d)", kind,
2133 sscanf(answer,
"%127s %d", lUser, &offset);
2135 Info(
"SshAuth",
"received from server: user: %s, offset: %d", lUser,
2140 if (reuse == 1 && offset > -1) {
2141 if (SecureRecv(fSocket, 1, fRSAKey, &token) == -1) {
2142 Warning(
"SshAuth",
"problems secure-receiving token -" 2143 " may result in corrupted token");
2148 Info(
"SshAuth",
"received from server: token: '%s' ", token);
2154 fSecContext = fHostAuth->CreateSecContext((
const char *)lUser, fRemote,
2155 (
Int_t)kSSH, offset, fDetails,
2156 (
const char *)token, fgExpDate, 0, fRSAKey);
2159 if (token)
delete [] token;
2162 if (fSocket->Recv(retval, kind) < 0)
2165 Info(
"SshAuth",
"received from server: kind: %d, retval: %d", kind,
2188 char *p = PromptUser(fRemote);
2192 usr = fgDefaultUser;
2194 char *p = PromptUser(fRemote);
2223 if (!strcmp(href,
"*"))
2232 if (rename.
Index(href,&len) != -1 || strstr(href,
"-"))
2237 if (strstr(href,
"*"))
2249 ::Info(
"TAuthenticate::CheckHost",
"checking host IP: %s", theHost.
Data());
2260 if (pos > 0 && pos != (
Ssiz_t)(theHost.
Length()-strlen(href)))
2276 Info(
"RfioAuth",
"enter ... username %s", username.
Data());
2283 username = pw->fUser;
2284 fDetails =
TString(
"pt:0 ru:0 us:") + username;
2287 if (pw->fUid != 0) {
2300 Info(
"RfioAuth",
"sending ... %s", sstr.
Data());
2305 Info(
"RfioAuth",
"sent ... %d bytes (expected > %d)", ns,
2310 if (fSocket->Recv(stat, kind) < 0)
2313 Info(
"RfioAuth",
"after kROOTD_RFIO: kind= %d, stat= %d", kind,
2320 fHostAuth->CreateSecContext((
const char *)pw->fUser,
2321 fRemote, kRfio, -stat, fDetails, 0);
2326 if (fProtocol.Contains(
"root"))
2328 if (fProtocol.Contains(
"proof"))
2335 "%s@%s does not accept connections from %s%s",
2336 server.
Data(),fRemote.Data(),
2343 "%s@%s does not accept %s authentication from %s@%s",
2344 server.
Data(),fRemote.Data(),
2345 TAuthenticate::fgAuthMeth[5].
Data(),
2348 AuthError(
"RfioAuth", stat);
2354 Warning(
"RfioAuth",
"UidGid login as \"root\" not allowed");
2371 Info(
"ClearAuth",
"enter: user: %s (passwd hashed?: %d)",
2374 Int_t reuse = fgAuthReUse;
2375 Int_t prompt = fgPromptUser;
2376 Int_t cryptopt = fgUsrPwdCrypt;
2381 fgPromptUser, fgAuthReUse, fgUsrPwdCrypt) + user;
2383 Info(
"ClearAuth",
"ru:%d pt:%d cp:%d ns:%d rk:%d",
2384 fgAuthReUse,fgPromptUser,fgUsrPwdCrypt,needsalt,fgRSAKey);
2412 options.
Form(
"%d %ld %s %ld %s", opt,
2434 Info(
"ClearAuth",
"anonymous user");
2443 char ctag[11] = {0};
2444 if (anon == 0 && cryptopt == 1) {
2451 "problems recvn RSA key flag: got message %d, flag: %d",
2457 Info(
"ClearAuth",
"get key request ...");
2463 if (SendRSAPublicKey(fSocket,fRSAKey) < 0)
2470 if ((slen = SecureRecv(fSocket, 1, fRSAKey, &tmpsalt)) == -1) {
2471 Warning(
"ClearAuth",
"problems secure-receiving salt -" 2472 " may result in corrupted salt");
2473 Warning(
"ClearAuth",
"switch off reuse for this session");
2481 while (ltmp && tmpsalt[ltmp-1] !=
'#') ltmp--;
2483 if (tmpsalt[ltmp-1] ==
'#' &&
2484 tmpsalt[ltmp-10] ==
'#') {
2485 strlcpy(ctag,&tmpsalt[ltmp-10],11);
2504 Info(
"ClearAuth",
"got salt: '%s' (len: %d)", salt.
Data(), slen);
2507 Info(
"ClearAuth",
"Salt not required");
2509 if (SecureRecv(fSocket, 1, fRSAKey, &tmptag) == -1) {
2510 Warning(
"ClearAuth",
"problems secure-receiving rndmtag -" 2511 " may result in corrupted rndmtag");
2514 strlcpy(ctag, tmptag, 11);
2526 if (fgPasswd.Contains(
"@")) {
2540 if (localFQDN ==
"") {
2545 passwd.
Form(
"%s@%s", localuser.
Data(), localFQDN.
Data());
2548 "automatically generated anonymous passwd: %s",
2554 if (prompt == 1 || pashash.
Length() == 0) {
2558 xp.
Form(
"%s@%s password: ", user.
Data(),fRemote.Data());
2559 char *pwd = PromptPasswd(xp);
2563 Error(
"ClearAuth",
"password not set");
2568 if (needsalt && !pwdhash) {
2570 pashash =
TString(crypt(passwd, salt));
2596 if (anon == 0 && cryptopt == 1) {
2607 if (SecureSend(fSocket, 1, fRSAKey, pashash.
Data()) == -1) {
2608 Warning(
"ClearAuth",
"problems secure-sending pass hash" 2609 " - may result in authentication failure");
2616 for (
int i = 0; i < passwd.
Length(); i++) {
2617 char inv = ~passwd(i);
2627 if ((nrec = fSocket->Recv(stat, kind)) < 0 )
2630 Info(
"ClearAuth",
"after kROOTD_PASS: kind= %d, stat= %d", kind,
2635 AuthError(
"ClearAuth", stat);
2642 "problems recvn (user,offset) length (%d:%d bytes:%d)",
2647 int reclen = (stat+1 > 256) ? 256 : stat+1;
2648 if ((nrec = fSocket->Recv(answer, reclen, kind)) < 0)
2652 "username and offset not received (%d:%d)", kind,
2658 sscanf(answer,
"%127s %d", lUser, &offset);
2661 "received from server: user: %s, offset: %d (%s)", lUser,
2668 if (reuse == 1 && offset > -1) {
2670 if (cryptopt == 1) {
2671 if (SecureRecv(fSocket, 1, fRSAKey, &token) == -1) {
2673 "problems secure-receiving token -" 2674 " may result in corrupted token");
2679 token =
new char[tlen];
2680 if (fSocket->Recv(token, tlen, kind) < 0) {
2685 Warning(
"ClearAuth",
"token not received (%d:%d)", kind,
2688 for (
int i = 0; i < (int) strlen(token); i++) {
2689 token[i] = ~token[i];
2694 Info(
"ClearAuth",
"received from server: token: '%s' ",
2699 fSecContext = fHostAuth->CreateSecContext((
const char *)lUser, fRemote,
2700 kClear, offset, fDetails, (
const char *)token,
2701 fgExpDate, (
void *)pwdctx, fRSAKey);
2708 if (fSocket->Recv(stat, kind) < 0)
2718 fSecContext->SetID(
"AFS authentication");
2723 AuthError(
"ClearAuth", stat);
2736 if (fSocket->Recv(stat, kind) < 0)
2743 fHostAuth->CreateSecContext(user,fRemote,kClear,-1,fDetails,0);
2749 if (fProtocol.Contains(
"root"))
2751 if (fProtocol.Contains(
"proof"))
2756 "%s@%s does not accept connections from %s@%s",
2757 server.
Data(),fRemote.Data(),
2763 "%s@%s does not accept %s authentication from %s@%s",
2764 server.
Data(),fRemote.Data(),
2765 TAuthenticate::fgAuthMeth[0].
Data(),
2768 AuthError(
"ClearAuth", stat);
2775 xp.
Form(
"%s@%s password: ", user.
Data(),fRemote.Data());
2776 char *p = PromptPasswd(xp);
2780 Error(
"ClearAuth",
"password not set");
2782 if (fUser ==
"anonymous" || fUser ==
"rootd") {
2785 "please use passwd of form: user@host.do.main");
2796 for (
int i = 0; i < passwd.
Length(); i++) {
2797 char inv = ~passwd(i);
2806 if (fSocket->Recv(stat, kind) < 0)
2809 Info(
"ClearAuth",
"after kROOTD_PASS: kind= %d, stat= %d", kind,
2814 fHostAuth->CreateSecContext(user,fRemote,kClear,-1,fDetails,0);
2818 AuthError(
"ClearAuth", stat);
2838 ::Info(
"TAuthenticate::GetHostAuth",
"enter ... %s ... %s", host, user);
2844 char *
ps = (
char *)strstr(host,
":");
2846 srvtyp = atoi(ps+1);
2850 if (strncmp(host,
"default",7) && !hostFQDN.
Contains(
"*")) {
2862 if (!strncasecmp(opt,
"P",1)) {
2864 next =
new TIter(GetProofAuthInfo());
2870 while ((ai = (
THostAuth *) (*next)())) {
2872 ai->
Print(
"Authenticate::GetHostAuth");
2875 if (!(serverOK = (ai->
GetServer() == -1) ||
2880 if (!strcmp(ai->
GetHost(),
"default") && serverOK && notFound)
2884 if (CheckHost(hostFQDN,ai->
GetHost()) &&
2885 CheckHost(usr,ai->
GetUser()) && serverOK) {
2890 if (hostFQDN == ai->
GetHost() &&
2912 ::Info(
"TAuthenticate::HasHostAuth",
"enter ... %s ... %s", host, user);
2918 char *
ps = (
char *)strstr(host,
":");
2920 srvtyp = atoi(ps+1);
2923 if (strncmp(host,
"default",7) && !hostFQDN.
Contains(
"*")) {
2930 if (!strncasecmp(opt,
"P",1)) {
2932 next =
new TIter(GetProofAuthInfo());
2935 while ((ai = (
THostAuth *) (*next)())) {
2937 if (hostFQDN == ai->
GetHost() &&
2959 ::Info(
"TAuthenticate::FileExpand",
"enter ... '%s' ... 0x%lx", fexp, (
Long_t)ftmp);
2961 fin = fopen(fexp,
"r");
2965 while (fgets(line,
sizeof(line), fin) != 0) {
2969 if (line[strlen(line) - 1] ==
'\n')
2970 line[strlen(line) - 1] =
'\0';
2972 ::Info(
"TAuthenticate::FileExpand",
"read line ... '%s'", line);
2973 int nw = sscanf(line,
"%19s %8191s", cinc, fileinc);
2976 if (strcmp(cinc,
"include") != 0) {
2978 fprintf(ftmp,
"%s\n", line);
2985 sscanf(ln.
Data(),
"%19s %8191s", cinc, fileinc);
2988 if (fileinc[0] ==
'$') {
3005 if (fileinc[0] ==
'~') {
3009 char *ffull =
new char[flen];
3016 FileExpand(fileinc, ftmp);
3019 "file specified by 'include' cannot be open or read (%s)",
3034 const char copt[2][5] = {
"no",
"yes" };
3037 ::Info(
"TAuthenticate::GetDefaultDetails",
3038 "enter ... %d ...pt:%d ... '%s'", sec, opt, usr);
3040 if (opt < 0 || opt > 1)
3045 if (!usr[0] || !strncmp(usr,
"*",1))
3054 if (!usr[0] || !strncmp(usr,
"*",1))
3062 if (!usr[0] || !strncmp(usr,
"*",1))
3077 if (!usr[0] || !strncmp(usr,
"*",1))
3085 if (!usr[0] || !strncmp(usr,
"*",1))
3091 ::Info(
"TAuthenticate::GetDefaultDetails",
"returning ... %s", temp);
3101 if (!strncasecmp(opt,
"P",1))
3102 GetProofAuthInfo()->Remove(ha);
3104 GetAuthInfo()->Remove(ha);
3130 " +--------------------------- BEGIN --------------------------------+");
3135 " + List fgProofAuthInfo has %4d members +",
3136 GetProofAuthInfo()->GetSize());
3140 " +------------------------------------------------------------------+");
3141 TIter next(GetProofAuthInfo());
3148 " + List fgAuthInfo has %4d members +",
3149 GetAuthInfo()->GetSize());
3153 " +------------------------------------------------------------------+");
3154 TIter next(GetAuthInfo());
3162 " +---------------------------- END ---------------------------------+");
3178 Info(
"AuthExists",
"%d: enter: msg: %d options: '%s'",
3179 method,*message, options);
3185 TIter next(fHostAuth->Established());
3188 if (secctx->GetMethod() == method) {
3189 if (fRemote == secctx->GetHost()) {
3191 (*checksecctx)(username,secctx) == 1)
3201 if (secctx->GetMethod() == method) {
3202 if (fRemote == secctx->GetHost()) {
3204 (*checksecctx)(username,secctx) == 1) {
3217 offset = secctx->GetOffSet();
3218 token = secctx->GetToken();
3221 "found valid TSecContext: offset: %d token: '%s'",
3222 offset, token.
Data());
3227 sstr.
Form(
"%d %d %s", fgProcessID, offset, options);
3230 if (fSocket->Send(sstr, *message) < 0)
3233 Int_t reuse = *rflag;
3234 if (reuse == 1 && offset > -1) {
3240 Int_t rproto = fSocket->GetRemoteProtocol();
3241 Bool_t oldsrv = ((fProtocol.BeginsWith(
"root") && rproto == 9) ||
3242 (fProtocol.BeginsWith(
"proof") && rproto == 8));
3243 Int_t stat = 1, kind;
3245 if (fSocket->Recv(stat, kind) < 0)
3248 Warning(
"AuthExists",
"protocol error: expecting %d got %d" 3254 Info(
"AuthExists",
"offset OK");
3256 Int_t rsaKey = secctx->GetRSAKey();
3258 Info(
"AuthExists",
"key type: %d", rsaKey);
3273 if (SecureSend(fSocket, 1, rsaKey, token) == -1) {
3274 Warning(
"AuthExists",
"problems secure-sending token %s",
3275 "- may trigger problems in proofing Id ");
3280 for (
int i = 0; i < token.
Length(); i++) {
3281 char inv = ~token(i);
3289 Info(
"AuthExists",
"offset not OK - rerun authentication");
3292 secctx->DeActivate(
"");
3297 if (fSocket->Recv(stat, kind) < 0)
3300 Info(
"AuthExists",
"%d: after msg %d: kind= %d, stat= %d",
3301 method,*message, kind, stat);
3314 Error(
"AuthExists",
"%s@%s does not accept connections from %s@%s",
3320 "%s@%s does not accept %s authentication from %s@%s",
3321 server.
Data(),fRemote.Data(), fgAuthMeth[method].Data(),
3324 AuthError(
"AuthExists", stat);
3328 secctx->DeActivate(
"");
3335 fHostAuth->CreateSecContext(fUser,fRemote,method,-stat,fDetails,0);
3338 Info(
"AuthExists",
"valid authentication exists");
3340 Info(
"AuthExists",
"valid authentication exists: offset changed");
3342 Info(
"AuthExists",
"remote access authorized by /etc/hosts.equiv");
3344 Info(
"AuthExists",
"no authentication required remotely");
3350 if (fSocket->Recv(newOffSet, kind) < 0)
3353 secctx->SetOffSet(newOffSet);
3356 fSecContext = secctx;
3359 fHostAuth->Established()->Add(secctx);
3374 const char *randdev =
"/dev/urandom";
3377 if ((fd =
open(randdev, O_RDONLY)) != -1) {
3379 ::Info(
"InitRandom",
"taking seed from %s", randdev);
3380 if (read(fd, &seed,
sizeof(seed)) !=
sizeof(seed))
3381 ::Warning(
"InitRandom",
"could not read seed from %s", randdev);
3385 ::Info(
"InitRandom",
"%s not available: using time()", randdev);
3400 Info(
"GenRSAKeys",
"enter");
3402 if (fgRSAInit == 1) {
3404 Info(
"GenRSAKeys",
"Keys prviously generated - return");
3423 if (fgRSAKey == 1) {
3426 Info(
"GenRSAKeys",
"SSL: Generate Blowfish key");
3435 OpenSSL_add_all_ciphers();
3441 nbits = (nbits >= 128) ? nbits : 128;
3444 nbits = (nbits <= 15912) ? nbits : 15912;
3447 Int_t klen = nbits / 8 ;
3450 char *rbuf = GetRandString(0,klen);
3451 RAND_seed(rbuf,strlen(rbuf));
3454 fgRSAPubExport[1].len = klen;
3455 fgRSAPubExport[1].keys = rbuf;
3457 Info(
"GenRSAKeys",
"SSL: BF key length: %d", fgRSAPubExport[1].len);
3460 BF_set_key(&fgBFKey, klen, (
const unsigned char *)rbuf);
3469 Int_t l_n = 0, l_d = 0;
3476 Int_t nAttempts = 0;
3482 if (
gDebug > 2 && nAttempts > 1) {
3483 Info(
"GenRSAKeys",
"retry no. %d",nAttempts);
3496 Info(
"GenRSAKeys",
"equal primes: regenerate (%d times)",nPrimes);
3504 Info(
"GenRSAKeys",
"local: p1: '%s' ", buf);
3506 Info(
"GenRSAKeys",
"local: p2: '%s' ", buf);
3511 if (
gDebug > 2 && nAttempts > 1)
3512 Info(
"GenRSAKeys",
" genrsa: unable to generate keys (%d)",
3519 l_n = strlen(buf_n);
3522 l_e = strlen(buf_e);
3525 l_d = strlen(buf_d);
3529 Info(
"GenRSAKeys",
"local: n: '%s' length: %d", buf_n, l_n);
3530 Info(
"GenRSAKeys",
"local: e: '%s' length: %d", buf_e, l_e);
3531 Info(
"GenRSAKeys",
"local: d: '%s' length: %d", buf_d, l_d);
3542 char *tdum = GetRandString(0, lTes - 1);
3543 strlcpy(test, tdum, lTes+1);
3547 Info(
"GenRSAKeys",
"local: test string: '%s' ", test);
3550 strlcpy(buf, test, lTes+1);
3556 "local: length of crypted string: %d bytes", lout);
3562 Info(
"GenRSAKeys",
"local: after private/public : '%s' ", buf);
3564 if (strncmp(test, buf, lTes))
3568 strlcpy(buf, test, lTes+1);
3573 Info(
"GenRSAKeys",
"local: length of crypted string: %d bytes ",
3580 Info(
"GenRSAKeys",
"local: after public/private : '%s' ", buf);
3582 if (strncmp(test, buf, lTes))
3599 Info(
"GenRSAKeys",
"local: generated keys are:");
3600 Info(
"GenRSAKeys",
"local: n: '%s' length: %d", buf_n, l_n);
3601 Info(
"GenRSAKeys",
"local: e: '%s' length: %d", buf_e, l_e);
3602 Info(
"GenRSAKeys",
"local: d: '%s' length: %d", buf_d, l_d);
3606 if (fgRSAPubExport[0].keys) {
3607 delete [] fgRSAPubExport[0].keys;
3608 fgRSAPubExport[0].len = 0;
3610 fgRSAPubExport[0].len = l_n + l_d + 4;
3611 fgRSAPubExport[0].keys =
new char[fgRSAPubExport[0].len];
3613 fgRSAPubExport[0].keys[0] =
'#';
3614 memcpy(fgRSAPubExport[0].keys + 1, buf_n, l_n);
3615 fgRSAPubExport[0].keys[l_n + 1] =
'#';
3616 memcpy(fgRSAPubExport[0].keys + l_n + 2, buf_d, l_d);
3617 fgRSAPubExport[0].keys[l_n + l_d + 2] =
'#';
3618 fgRSAPubExport[0].keys[l_n + l_d + 3] = 0;
3621 Info(
"GenRSAKeys",
"local: export pub: '%s'", fgRSAPubExport[0].keys);
3624 Info(
"GenRSAKeys",
"local: export pub length: %d bytes", fgRSAPubExport[0].len);
3643 unsigned int iimx[4][4] = {
3644 {0x0, 0xffffff08, 0xafffffff, 0x2ffffffe},
3645 {0x0, 0x3ff0000, 0x7fffffe, 0x7fffffe},
3646 {0x0, 0x3ff0000, 0x7e, 0x7e},
3647 {0x0, 0x3ffc000, 0x7fffffe, 0x7fffffe}
3650 const char *cOpt[4] = {
"Any",
"LetNum",
"Hex",
"Crypt" };
3653 if (opt < 0 || opt > 2) {
3656 Info(
"GetRandString",
"unknown option: %d : assume 0", opt);
3659 Info(
"GetRandString",
"enter ... len: %d %s", len, cOpt[opt]);
3662 char *buf =
new char[len + 1];
3672 for (m = 7; m < 32; m += 7) {
3673 i = 0x7F & (frnd >>
m);
3676 if ((iimx[opt][j] & (1 << l))) {
3688 Info(
"GetRandString",
"got '%s' ", buf);
3700 Int_t key,
const char *str)
3706 ::Info(
"TAuthenticate::SecureSend",
"local: enter ... (enc: %d)", enc);
3708 Int_t slen = strlen(str) + 1;
3713 strlcpy(buftmp, str, slen+1);
3723 }
else if (key == 1) {
3728 ttmp = ((ttmp + 8)/8) * 8;
3729 unsigned char iv[8];
3730 memset((
void *)&iv[0],0,8);
3731 BF_cbc_encrypt((
const unsigned char *)str, (
unsigned char *)buftmp,
3732 strlen(str), &fgBFKey, iv, BF_ENCRYPT);
3735 ::Info(
"TAuthenticate::SecureSend",
"not compiled with SSL support:" 3736 " you should not have got here!");
3740 ::Info(
"TAuthenticate::SecureSend",
"unknown key type (%d)",key);
3747 nsen = sock->
SendRaw(buftmp, ttmp);
3749 ::Info(
"TAuthenticate::SecureSend",
3750 "local: sent %d bytes (expected: %d)", nsen,ttmp);
3772 if (sock->
Recv(buflen, 20, kind) < 0)
3774 Int_t len = atoi(buflen);
3776 ::Info(
"TAuthenticate::SecureRecv",
"got len '%s' %d (msg kind: %d)",
3781 if (!strncmp(buflen,
"-1", 2))
3785 if ((nrec = sock->
RecvRaw(buftmp, len)) < 0)
3796 const size_t strSize = strlen(buftmp) + 1;
3797 *str =
new char[strSize];
3798 strlcpy(*str, buftmp, strSize);
3800 }
else if (key == 1) {
3802 unsigned char iv[8];
3803 memset((
void *)&iv[0],0,8);
3804 *str =
new char[nrec + 1];
3805 BF_cbc_encrypt((
const unsigned char *)buftmp, (
unsigned char *)(*str),
3806 nrec, &fgBFKey, iv, BF_DECRYPT);
3807 (*str)[nrec] =
'\0';
3810 ::Info(
"TAuthenticate::SecureRecv",
"not compiled with SSL support:" 3811 " you should not have got here!");
3815 ::Info(
"TAuthenticate::SecureRecv",
"unknown key type (%d)",key);
3828 R__rsa_NUMBER &rsa_d,
char **rsassl)
3834 ::Info(
"TAuthenticate::DecodeRSAPublic",
3835 "enter: string length: %ld bytes", (
Long_t)strlen(rsaPubExport));
3838 Int_t klen = strlen(rsaPubExport);
3840 ::Info(
"TAuthenticate::DecodeRSAPublic",
3841 "key too long (%d): truncate to %d",klen,
kMAXPATHLEN);
3844 memcpy(str, rsaPubExport, klen);
3853 while (str[k] == 32) k++;
3855 if (str[k] ==
'#') {
3860 char *pd1 = strstr(str,
"#");
3861 char *pd2 = pd1 ? strstr(pd1 + 1,
"#") : (
char *)0;
3862 char *pd3 = pd2 ? strstr(pd2 + 1,
"#") : (
char *)0;
3863 if (pd1 && pd2 && pd3) {
3865 int l1 = (int) (pd2 - pd1 - 1);
3866 char *rsa_n_exp =
new char[l1 + 1];
3867 strlcpy(rsa_n_exp, pd1 + 1, l1+1);
3869 ::Info(
"TAuthenticate::DecodeRSAPublic",
3870 "got %ld bytes for rsa_n_exp", (
Long_t)strlen(rsa_n_exp));
3872 int l2 = (int) (pd3 - pd2 - 1);
3873 char *rsa_d_exp =
new char[l2 + 1];
3874 strlcpy(rsa_d_exp, pd2 + 1, 13);
3876 ::Info(
"TAuthenticate::DecodeRSAPublic",
3877 "got %ld bytes for rsa_d_exp", (
Long_t)strlen(rsa_d_exp));
3886 ::Info(
"TAuthenticate::DecodeRSAPublic",
"bad format for input string");
3895 BIO *bpub = BIO_new(BIO_s_mem());
3898 BIO_write(bpub,(
void *)str,strlen(str));
3901 if (!(rsatmp = PEM_read_bio_RSAPublicKey(bpub, 0, 0, 0))) {
3903 ::Info(
"TAuthenticate::DecodeRSAPublic",
3904 "unable to read pub key from bio");
3907 *rsassl = (
char *)rsatmp;
3909 ::Info(
"TAuthenticate::DecodeRSAPublic",
3910 "no space allocated for output variable");
3917 ::Info(
"TAuthenticate::DecodeRSAPublic",
"not compiled with SSL support:" 3918 " you should not have got here!");
3933 ::Info(
"TAuthenticate::SetRSAPublic",
3934 "enter: string length %ld bytes", (
Long_t)strlen(rsaPubExport));
3944 while (rsaPubExport[k0] == 32) k0++;
3953 if (rsaPubExport[k0] ==
'#' && rsaPubExport[k2] ==
'#') {
3954 char *p0 = (
char *)&rsaPubExport[k0];
3955 char *
p2 = (
char *)&rsaPubExport[k2];
3956 char *
p1 = strchr(p0+1,
'#');
3957 if (p1 > p0 && p1 < p2) {
3963 while (c < p1 && ((*c < 58 && *c > 47) || (*c < 91 && *c > 64)))
3967 while (c < p2 && ((*c < 58 && *c > 47) || (*c < 91 && *c > 64)))
3976 ::Info(
"TAuthenticate::SetRSAPublic",
" Key type: %d",rsakey);
3980 R__rsa_NUMBER rsa_n, rsa_d;
3991 BF_set_key(&fgBFKey, klen, (
const unsigned char *)rsaPubExport);
3994 ::Info(
"TAuthenticate::SetRSAPublic",
3995 "not compiled with SSL support:" 3996 " you should not have got here!");
4016 ::Info(
"TAuthenticate::SendRSAPublicKey",
4017 "received key from server %ld bytes", (
Long_t)strlen(serverPubKey));
4020 R__rsa_NUMBER rsa_n, rsa_d;
4026 RSA_free((RSA *)tmprsa);
4029 RSA *RSASSLServer = (RSA *)tmprsa;
4037 char buflen[20] = {0};
4038 Int_t slen = fgRSAPubExport[key].len;
4041 strlcpy(buftmp,fgRSAPubExport[key].keys,slen+1);
4044 }
else if (key == 1) {
4046 Int_t lcmax = RSA_size(RSASSLServer) - 11;
4051 Int_t lc = (ns > lcmax) ? lcmax : ns ;
4052 if ((ttmp = RSA_public_encrypt(lc,
4053 (
unsigned char *)&fgRSAPubExport[key].keys[kk],
4054 (
unsigned char *)&buftmp[ke],
4055 RSASSLServer,RSA_PKCS1_PADDING)) < 0) {
4058 ::Info(
"TAuthenticate::SendRSAPublicKey",
"SSL: error: '%s' ",errstr);
4068 ::Info(
"TAuthenticate::SendRSAPublicKey",
"not compiled with SSL support:" 4069 " you should not have got here!");
4074 ::Info(
"TAuthenticate::SendRSAPublicKey",
"unknown key type (%d)",key);
4077 RSA_free(RSASSLServer);
4088 ::Info(
"TAuthenticate::SendRSAPublicKey",
4089 "local: sent %d bytes (expected: %d)", nsen,ttmp);
4092 RSA_free(RSASSLServer);
4110 if (fgReadHomeAuthrc)
4113 if (authrc &&
gDebug > 2)
4114 ::Info(
"TAuthenticate::ReadRootAuthrc",
"Checking file: %s", authrc);
4116 if (authrc &&
gDebug > 1)
4117 ::Info(
"TAuthenticate::ReadRootAuthrc",
4118 "file %s cannot be read (errno: %d)", authrc, errno);
4122 ::Info(
"TAuthenticate::ReadRootAuthrc",
"Checking system file: %s", authrc);
4125 ::Info(
"TAuthenticate::ReadRootAuthrc",
4126 "file %s cannot be read (errno: %d)", authrc, errno);
4134 if (tRootAuthrc == fgRootAuthrc) {
4136 stat(tRootAuthrc, &si);
4137 if ((
UInt_t)si.st_mtime < fgLastAuthrc.Convert()) {
4139 ::Info(
"TAuthenticate::ReadRootAuthrc",
4140 "file %s already read", authrc);
4147 fgRootAuthrc = tRootAuthrc;
4156 TString filetmp =
"rootauthrc";
4159 ::Info(
"TAuthenticate::ReadRootAuthrc",
"got tmp file: %s open at 0x%lx",
4172 fd = fopen(authrc,
"r");
4175 ::Info(
"TAuthenticate::ReadRootAuthrc",
4176 "file %s cannot be open (errno: %d)", authrc, errno);
4187 while (fgets(line,
sizeof(line), fd) != 0) {
4194 if (line[strlen(line) - 1] ==
'\n')
4195 line[strlen(line) - 1] =
'\0';
4202 const size_t tmpSize = strlen(line) + 1;
4203 char *tmp =
new char[tmpSize];
4205 ::Error(
"TAuthenticate::ReadRootAuthrc",
4206 "could not allocate temporary buffer");
4210 strlcpy(tmp, line, tmpSize);
4211 char *nxt = strtok(tmp,
" ");
4213 if (!strcmp(nxt,
"proofserv") || cont) {
4223 proofserv +=
TString((
const char *)ph);
4244 if (server ==
"0" || server.
BeginsWith(
"sock"))
4246 else if (server ==
"1" || server.
BeginsWith(
"root"))
4248 else if (server ==
"2" || server.
BeginsWith(
"proof"))
4255 nxt = strtok(0,
" ");
4256 if (!strncmp(nxt,
"user",4)) {
4257 nxt = strtok(0,
" ");
4258 if (strncmp(nxt,
"list",4) && strncmp(nxt,
"method",6)) {
4260 nxt = strtok(0,
" ");
4265 TIter next(&tmpAuthInfo);
4275 tmpAuthInfo.
Add(ha);
4278 if (!strncmp(nxt,
"list",4)) {
4281 char *mth = strtok(0,
" ");
4284 if (strlen(mth) > 1) {
4286 met = GetAuthMethodIdx(mth);
4287 if (met == -1 &&
gDebug > 2)
4288 ::Info(
"TAuthenticate::ReadRootAuthrc",
4289 "unrecognized method (%s): ", mth);
4293 if (met > -1 && met <
kMAXSEC)
4295 mth = strtok(0,
" ");
4300 }
else if (!strncmp(nxt,
"method",6)) {
4303 char *mth = strtok(0,
" ");
4305 if (strlen(mth) > 1) {
4307 met = GetAuthMethodIdx(mth);
4308 if (met == -1 &&
gDebug > 2)
4309 ::Info(
"TAuthenticate::ReadRootAuthrc",
4310 "unrecognized method (%s): ", mth);
4314 if (met > -1 && met <
kMAXSEC) {
4315 const char *det = 0;
4316 nxt = strtok(0,
" ");
4318 det = (
const char *)strstr(line,nxt);
4327 if (tmp)
delete [] tmp;
4345 TList tmpproofauthinfo;
4346 if (proofserv.
Length() > 0) {
4347 char *tmps =
new char[proofserv.
Length()+1];
4348 strlcpy(tmps,proofserv.
Data(),proofserv.
Length()+1);
4349 char *nxt = strtok(tmps,
" ");
4351 TString tmp((
const char *)nxt);
4355 if ((pdd = tmp.
Index(
":")) == -1) {
4366 if ((pdd = tmp.
Index(
":")) == -1) {
4378 while (tmp.
Length() > 0) {
4380 if ((pdd = tmp.
Index(
":")) > -1)
4384 met = GetAuthMethodIdx(meth.
Data());
4385 if (met == -1 &&
gDebug > 2)
4386 ::Info(
"TAuthenticate::ReadRootAuthrc",
4387 "unrecognized method (%s): ",meth.
Data());
4388 }
else if (meth.
Length() == 1) {
4389 met = atoi(meth.
Data());
4390 if (met > -1 && met <
kMAXSEC)
4413 tmpproofauthinfo.
Add(ha);
4415 nxt = strtok(0,
" ");
4435 const char sshid[3][20] = {
"/.ssh/identity",
"/.ssh/id_dsa",
"/.ssh/id_rsa" };
4436 const char netrc[2][20] = {
"/.netrc",
"/.rootnetrc" };
4446 "not properly logged on (getpwuid unable to find relevant info)!");
4454 for (; i < 2; i++) {
4460 out.
Form(
"pt:0 ru:1 us:%s",user.
Data());
4466 out.
Form(
"pt:0 ru:1 us:%s",user.
Data());
4474 out.
Form(
"pt:0 ru:0 us:%s",user.
Data());
4483 if (lApp != 0 && lApp->
Argc() > 9) {
4484 if (
gROOT->IsProofServ()) {
4491 struct shmid_ds shm_ds;
4492 if (shmctl(ShmId, IPC_STAT, &shm_ds) == 0)
4504 Cdir.
Resize(Cdir.Last(
'/')+1);
4506 out.
Form(
"pt=0 ru:0 cd:%s cf:%s kf:%s ad:%s",
4507 Cdir.Data(),Ucer.Data(),Ukey.Data(),Adir.Data());
4517 for (; i < 3; i++) {
4523 out.
Form(
"pt:0 ru:1 us:%s",user.
Data());
4528 out.
Form(
"pt:0 ru:0 us:%s",user.
Data());
4533 if (strlen(out) > 0)
4534 ::
Info(
"CheckProofAuth",
4535 "meth: %d ... is available: details: %s", cSec, out.
Data());
4538 "meth: %d ... is NOT available", cSec);
4556 if (!strcmp(user,ctx->
GetUser()) &&
4557 strncmp(
"AFS", ctx->
GetID(), 3))
4587 while ((hanew = (
THostAuth *)nxnew())) {
4609 while ((hanew = (
THostAuth *)nxnew())) {
4627 TIter nxai(GetAuthInfo());
4640 TIter nxpa(GetProofAuthInfo());
4673 Info(
"ProofAuthSetup",
"Buffer not found: nothing to do");
4687 *mess >> user >> passwd >> pwhash >> srppwd >> rsakey;
4705 Info(
"ProofAuthSetup",
"List of THostAuth not found");
4726 fromProofAI =
kTRUE;
4737 if (!master || fromProofAI) {
4801 if (remoteOffSet > -1 && (upwd || srp))
4805 if ((
gEnv->
GetValue(
"Proofd.SendSRPPwd",0)) && (remoteOffSet > -1))
4808 if (srp && pwdctx) {
4809 if (strcmp(pwdctx->
GetPasswd(),
"") && remoteOffSet > -1)
4814 if ((upwd && pwdctx) || (srp && sndsrp)) {
4825 mess << user << passwd << pwhash << srppwd << keytyp;
4831 char *mbuf = mess.
Buffer();
4836 ::Info(
"ProofAuthSetup",
"sending %d bytes", messb64.
Length());
4839 if (remoteOffSet > -1) {
4841 ::Error(
"ProofAuthSetup",
"problems secure-sending message buffer");
4849 ::Error(
"ProofAuthSetup",
"plain: problems sending message length");
4853 ::Error(
"ProofAuthSetup",
"problems sending message buffer");
4889 Error(
"SendHostAuth",
"invalid input: socket undefined");
4904 Info(
"SendHostAuth",
"sent %d bytes (%s)",
ns,buf.
Data());
4911 Info(
"SendHostAuth",
"sent %d bytes for closing",
ns);
4925 Error(
"RecvHostAuth",
"invalid input: socket undefined");
4940 Error(
"RecvHostAuth",
"received: kind: %d (%d bytes)", kind, nr);
4944 Info(
"RecvHostAuth",
"received %d bytes (%s)",nr,buf);
4946 while (strcmp(buf,
"END")) {
4966 fromProofAI =
kTRUE;
4977 if (!master || fromProofAI) {
5016 Info(
"RecvHostAuth",
"Error: received: kind: %d (%d bytes)", kind, nr);
5020 Info(
"RecvHostAuth",
"received %d bytes (%s)",nr,buf);
5055 if (remoteOffSet > -1 && (upwd || srp))
5059 if ((
gEnv->
GetValue(
"Proofd.SendSRPPwd",0)) && (remoteOffSet > -1))
5062 if (srp && pwdctx) {
5063 if (strcmp(pwdctx->
GetPasswd(),
"") && remoteOffSet > -1)
5068 if ((upwd && pwdctx) || (srp && sndsrp)) {
5072 Error(
"OldAuthSetup",
"failed to send offset in RSA key");
5083 if (remoteOffSet > -1)
5084 Warning(
"OldAuthSetup",
"problems secure-sending pass hash %s",
5085 "- may result in failures");
5088 for (
int i = 0; i < passwd.
Length(); i++) {
5089 char inv = ~passwd(i);
5094 if (sock->
Send(mess) < 0) {
5095 Error(
"OldAuthSetup",
"failed to send inverted password");
5105 Error(
"OldAuthSetup",
"failed to send no offset notification in RSA key");
5112 mess << user << pwhash << srppwd << ord << conf;
5114 if (sock->
Send(mess) < 0) {
5115 Error(
"OldAuthSetup",
"failed to send ordinal and config info");
5119 if (proofdProto > 6) {
5125 Error(
"OldAuthSetup",
"failed to send HostAuth info");
5144 if (sock->
Recv(retval, kind) != 2*
sizeof(
Int_t)) {
5146 Info(
"OldProofServAuthSetup",
5147 "socket has been closed due to protocol mismatch - Exiting");
5164 if ((fKey = fopen(keyfile.
Data(),
"r"))) {
5165 Int_t klen = fread((
void *)pubkey,1,
sizeof(pubkey),fKey);
5167 Error(
"OldProofServAuthSetup",
5168 "failed to read public key from '%s'", keyfile.
Data());
5177 Error(
"OldProofServAuthSetup",
"failed to open '%s'", keyfile.
Data());
5186 Error(
"OldProofServAuthSetup",
"failed to receive password");
5192 }
else if (retval == -1) {
5196 if ((sock->
Recv(mess) <= 0) || !mess) {
5197 Error(
"OldProofServAuthSetup",
"failed to receive inverted password");
5203 for (
Int_t i = 0; i < passwd.Length(); i++) {
5204 char inv = ~passwd(i);
5205 passwd.Replace(i, 1, inv);
5213 if ((sock->
Recv(mess) <= 0) || !mess) {
5214 Error(
"OldProofServAuthSetup",
"failed to receive ordinal and config info");
5222 (*mess) >> user >> pwhash >> srppwd >> conf;
5225 (*mess) >> user >> pwhash >> srppwd >> ord >> conf;
5230 (*mess) >> user >> pwhash >> srppwd >> iord;
5234 (*mess) >> user >> pwhash >> srppwd >> ord >> conf;
5256 Error(
"OldProofServAuthSetup",
"failed to receive HostAuth info");
THostAuth * GetHostAuth() const
void SetDetails(Int_t level, const char *details)
Set authentication details for specified level.
const Int_t kAUTH_SSALT_MSK
static Bool_t GetGlobalSRPPwd()
Static method returning the global SRP password flag.
static void SetKrb5AuthHook(Krb5Auth_t func)
Set kerberos5 authorization function.
virtual Bool_t AccessPathName(const char *path, EAccessMode mode=kFileExists)
Returns FALSE if one can access a file using the specified access mode.
static void SetDefaultUser(const char *defaultuser)
Set default user name.
static Int_t GetRSAInit()
Static method returning the RSA initialization flag.
void AsString(TString &out) const
Return a static string with all info in a serialized form.
virtual int GetPid()
Get process id.
static Int_t GetClientProtocol()
Static method returning supported client protocol.
static void InitRandom()
Initialize random machine using seed from /dev/urandom (or current time if /dev/urandom not available...
static Bool_t GetAuthReUse()
Static method returning the authentication reuse settings.
static RSA_num_sput_t RSA_num_sput()
const char * GetHostAddress() const
Returns the IP address string "%d.%d.%d.%d".
static Bool_t fgUsrPwdCrypt
void PrintEstablished() const
Print info about established authentication vis-a-vis of this Host.
static void RemoveSecContext(TRootSecContext *ctx)
Tool for removing SecContext ctx from THostAuth listed in fgAuthInfo or fgProofAuthInfo.
R__EXTERN const char * gRootdErrStr[]
Int_t AuthExists(TString User, Int_t method, const char *Options, Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck)
Check if we have a valid established sec context in memory. Retrieves relevant info and negotiates wit...
static Bool_t fgPromptUser
Int_t(* GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det)
virtual void Print(Option_t *option="F") const
If opt is "F" (default) print object content.
const char * GetHostName() const
static constexpr double us
virtual Int_t Send(const TMessage &mess)
Send a TMessage object.
static void SetGlobalUser(const char *user)
Set global user name to be used for authentication to rootd or proofd.
Int_t(* Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version)
TString & ReplaceAll(const TString &s1, const TString &s2)
int GetPathInfo(const char *path, Long_t *id, Long_t *size, Long_t *flags, Long_t *modtime)
Get info about a file: id, size, flags, modification time.
static int auth_rand()
rand() implementation using /dev/urandom or /dev/random, if available
virtual Int_t Recv(TMessage *&mess)
Receive a TMessage object.
static RSA_decode_t RSA_decode()
Int_t SshAuth(TString &user)
SSH client authentication code.
Int_t OldProofServAuthSetup(TSocket *sock, Bool_t master, Int_t protocol, TString &user, TString &ord, TString &conf)
Authentication related setup in TProofServ run after successful startup.
static void RemoveHostAuth(THostAuth *ha, Option_t *opt="")
Remove THostAuth instance from the list.
This class represents an Internet Protocol (IP) address.
virtual const char * HomeDirectory(const char *userName=0)
Return the user's home directory.
static TString Decode(const char *data)
Decode a base64 string date into a generic TString.
Regular expression class.
const char * GetSshUser(TString user) const
Method returning the user to be used for the ssh login.
This class implements a mutex interface.
static GlobusAuth_t GetGlobusAuthHook()
Static method returning the globus authorization hook.
Ssiz_t Index(const char *pat, Ssiz_t i=0, ECaseCompare cmp=kExact) const
virtual UserGroup_t * GetGroupInfo(Int_t gid)
Returns all group info in the UserGroup_t structure.
virtual int Load(const char *module, const char *entry="", Bool_t system=kFALSE)
Load a shared library.
const char * GetDetails(Int_t level)
Return authentication details for specified level or "" if the specified level does not exist for thi...
Int_t StdCheckSecCtx(const char *, TRootSecContext *)
Standard version of CheckSecCtx to be passed to TAuthenticate::AuthExists. Check if User matches th...
static constexpr double ps
static TList * fgProofAuthInfo
virtual char * Which(const char *search, const char *file, EAccessMode mode=kFileExists)
Find location of file in a search path.
static char * GetDefaultDetails(Int_t method, Int_t opt, const char *user)
Determine default authentication details for method 'sec' and user 'usr'.
static constexpr double mm
static RSA_num_sget_t RSA_num_sget()
static const char * GetKrb5Principal()
Static method returning the principal to be used to init Krb5 tickets.
Bool_t HasMethod(Int_t level, Int_t *pos=0)
Return kTRUE if method 'level' is in the list.
Bool_t Authenticate()
Authenticate to remote rootd or proofd server.
static SecureAuth_t fgSecAuthHook
const Int_t kAUTH_RSATY_MSK
const char * GetUser() const
static void SetReadHomeAuthrc(Bool_t readhomeauthrc)
Set flag controlling the reading of $HOME/.rootauthrc.
Int_t ClearAuth(TString &user, TString &passwd, Bool_t &pwhash)
UsrPwd client authentication code.
Bool_t R_ISREG(Int_t mode)
TString & Replace(Ssiz_t pos, Ssiz_t n, const char *s)
void Print(Option_t *option="F") const
If opt is "F" (default) print object content.
virtual TObject * ReadObject(const TClass *cl)
Read object from I/O buffer.
static TPluginHandler * fgPasswdDialog
static TString Encode(const char *data)
Transform data into a null terminated base64 string.
virtual Int_t SendRaw(const void *buffer, Int_t length, ESendRecvOptions opt=kDefault)
Send a raw buffer of specified length.
Bool_t IsActive() const
Check remote OffSet and expiring Date.
static Int_t ReadRootAuthrc()
Read authentication directives from $ROOTAUTHRC, $HOME/.rootauthrc or <Root_etc_dir>/system.rootauthrc and create related THostAuth objects.
static TList * fgAuthInfo
static void SetPromptUser(Bool_t promptuser)
Set global PromptUser flag.
virtual int Unlink(const char *name)
Unlink, i.e. remove, a file.
static char * PromptPasswd(const char *prompt="Password: ")
Static method to prompt for the user's passwd to be used for authentication to rootd or proofd...
static GlobusAuth_t fgGlobusAuthHook
static RSA_assign_t RSA_assign()
static TString Format(const char *fmt,...)
Static method which formats a string using a printf style format descriptor and return a TString...
virtual FILE * TempFileName(TString &base, const char *dir=0)
Create a secure temporary file by appending a unique 6 letter string to base.
virtual void Sleep(UInt_t milliSec)
Sleep milliSec milli seconds.
static double p2(double t, double a, double b, double c)
TList * Established() const
virtual const char * Getenv(const char *env)
Get environment variable.
void Info(const char *location, const char *msgfmt,...)
TString & Append(const char *cs)
Bool_t EndsWith(const char *pat, ECaseCompare cmp=kExact) const
Return true if string ends with the specified string.
Int_t ProofAuthSetup()
Authentication related stuff setup in TProofServ.
Int_t RfioAuth(TString &user)
UidGid client authentication code.
virtual UserGroup_t * GetUserInfo(Int_t uid)
Returns all user info in the UserGroup_t structure.
static RSA_genprim_t RSA_genprim()
static void SetTimeOut(Int_t to)
Set timeout (active if > 0)
static void SetGlobalSRPPwd(Bool_t srppwd)
Set global SRP passwd flag to be used for authentication to rootd or proofd.
const char * GetPasswd() const
static Bool_t GetPromptUser()
Static method returning the prompt user settings.
Int_t GetRemoteProtocol() const
virtual TInetAddress GetHostByName(const char *server)
Get Internet Protocol (IP) address of host.
void Error(const char *location, const char *msgfmt,...)
TAuthenticate(TSocket *sock, const char *remote, const char *proto, const char *user="")
Create authentication object.
Int_t(* CheckSecCtx_t)(const char *subj, TRootSecContext *ctx)
const Int_t kAUTH_REUSE_MSK
const char * GetUser() const
static Int_t SecureSend(TSocket *Socket, Int_t enc, Int_t KeyType, const char *In)
Encode null terminated str using the session private key indicated by enc and send it over the netwo...
static R__rsa_KEY_export * fgRSAPubExport
Int_t SshError(const char *errfile)
SSH error parsing: returns 0: no error or fatal; 1: should retry (e.g. 'connection closed by remote ho...
TVirtualMutex * gAuthenticateMutex
static void AuthError(const char *where, Int_t error)
Print error string depending on error code.
static RSA_cmp_t RSA_cmp()
static Krb5Auth_t fgKrb5AuthHook
R__EXTERN TSystem * gSystem
Bool_t IsA(const char *methodname)
Checks if this security context is for method named 'methname'. Case sensitive.
void inv(rsa_NUMBER *, rsa_NUMBER *, rsa_NUMBER *)
static void SetRSAInit(Int_t init=1)
Static method setting RSA initialization flag.
static R__rsa_KEY fgRSAPubKey
virtual TObject * Remove(TObject *obj)
Remove object from the list.
static TDatime GetGlobalExpDate()
Static method returning default expiring date for new validity contexts.
Bool_t BeginsWith(const char *s, ECaseCompare cmp=kExact) const
Int_t(* SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd, const char *remote, TString &det, Int_t version)
static void SetSecureAuthHook(SecureAuth_t func)
Set secure authorization function.
static R__rsa_KEY fgRSAPriKey
Int_t GenRSAKeys()
Generate a valid pair of private/public RSA keys to protect for authentication token exchange...
void Form(const char *fmt,...)
Formats a string using a printf style format descriptor.
char * Form(const char *fmt,...)
static char * PromptUser(const char *remote)
Static method to prompt for the user name to be used for authentication to rootd or proofd...
static TList * GetProofAuthInfo()
Static method returning the list with authentication directives to be sent to proof.
static Int_t SetRSAPublic(const char *rsapubexport, Int_t klen)
Store RSA public keys from export string rsaPubExport.
Handles synchronous and a-synchronous timer events.
static Bool_t CheckProofAuth(Int_t cSec, TString &det)
Check if the authentication method can be attempted for the client.
virtual Int_t Exec(const char *shellcmd)
Execute a command.
void AddMethod(Int_t level, const char *details=0)
Add method to the list.
static double p1(double t, double a, double b)
void Warning(const char *location, const char *msgfmt,...)
static constexpr double nm
static const char * GetDefaultUser()
Static method returning the default user information.
virtual void WriteObject(const TObject *obj, Bool_t cacheReuse=kTRUE)
Write object to I/O buffer.
static TDatime fgLastAuthrc
static void Show(Option_t *opt="S")
Print info about the authentication sector.
char * StrDup(const char *str)
Duplicate the string str.
#define R__LOCKGUARD2(mutex)
static TList * GetAuthInfo()
Static method returning the list with authentication details.
TString & Remove(Ssiz_t pos)
const char * GetID() const
static void SetAuthReUse(Bool_t authreuse)
Set global AuthReUse flag.
void * GetContext() const
virtual Int_t GetEffectiveUid()
Returns the effective user id.
static TString fgKrb5Principal
void CatchTimeOut()
Called in connection with a timer timeout.
Int_t OldSlaveAuthSetup(TSocket *sock, Bool_t master, TString ord, TString conf)
Setup of authentication in PROOF run after successful opening of the socket.
virtual const char * HostName()
Return the system's host name.
Ssiz_t Index(const TString &str, Ssiz_t *len, Ssiz_t start=0) const
Find the first occurrence of the regexp in string and return the position, or -1 if there is no match...
char * DynamicPathName(const char *lib, Bool_t quiet=kFALSE)
Find a dynamic library called lib using the system search paths.
Bool_t GetUserPasswd(TString &user, TString &passwd, Bool_t &pwhash, Bool_t srppwd)
Try to get user name and passwd from several sources.
const char * GetHost() const
void SetEnvironment()
Set default authentication environment.
static void FileExpand(const char *fin, FILE *ftmp)
Expands include directives found in fexp files The expanded, temporary file, is pointed to by 'ftmp' ...
static const TString & GetEtcDir()
Get the sysconfig directory in the installation. Static utility function.
static Int_t SecureRecv(TSocket *Socket, Int_t dec, Int_t KeyType, char **Out)
Receive str from sock and decode it using key indicated by key type. Return number of received bytes o...
Bool_t Contains(const char *pat, ECaseCompare cmp=kExact) const
Int_t GetMethod(Int_t idx) const
static constexpr double s
#define SSL_load_error_strings
static Int_t SendHostAuth(TSocket *s)
Sends the list of the relevant THostAuth objects to the master or to the active slaves, typically data servers external to the proof cluster.
void ReOrder(Int_t nmet, Int_t *fmet)
Reorder nmet methods according fmet[nmet].
virtual void DispatchOneEvent(Bool_t pendingOnly=kFALSE)
Dispatch a single event.
static Bool_t CheckHost(const char *Host, const char *host)
Check if 'host' matches 'href': this means either equal or "containing" it, even with wild cards * in...
static void SetGlobalExpDate(TDatime expdate)
Set default expiring date for new validity contexts.
static TString fgDefaultUser
static void SetGlobusAuthHook(GlobusAuth_t func)
Set Globus authorization function.
static void SetGlobalPwHash(Bool_t pwhash)
Set global passwd hash flag to be used for authentication to rootd or proofd.
static void MergeHostAuthList(TList *Std, TList *New, Option_t *Opt="")
Tool for updating fgAuthInfo or fgProofAuthInfo. 'nin' contains the list of last input information through...
static const char * GetRSAPubExport(Int_t key=0)
Static method returning the RSA public keys.
static TString fgRootAuthrc
Bool_t R_ISDIR(Int_t mode)
TSecContext * GetSecContext() const
static const char * GetGlobalUser()
Static method returning the global user.
virtual void Add(TObject *obj)
virtual Int_t GetEffectiveGid()
Returns the effective group id.
static TString fgAuthMeth[kMAXSEC]
void Update(THostAuth *ha)
Update info with the one in ha. Remaining methods, if any, get lower priority.
Int_t Atoi() const
Return integer value of string.
static RSA_encode_t RSA_encode()
static Bool_t fgReadHomeAuthrc
static constexpr double pc
static Int_t GetClientProtocol()
Static method returning supported client protocol.
Bool_t IsDigit() const
Returns true if all characters in string are digits (0-9) or white spaces, i.e.
Bool_t CheckNetrc(TString &user, TString &passwd)
Try to get user name and passwd from the ~/.rootnetrc or ~/.netrc files.
char * GetRandString(Int_t Opt, Int_t Len)
Allocates and fills a NUL-terminated buffer of length Len+1 with Len random characters.
This class creates the ROOT Application Environment that interfaces to the windowing system eventloop...
static RSA_genrsa_t RSA_genrsa()
static void SetDefaultRSAKeyType(Int_t key)
Static method setting the default type of RSA key.
static Bool_t GetGlobalPwHash()
Static method returning the global password hash flag.
R__rsa_KEY_export R__fgRSAPubExport[2]
virtual Int_t GetSize() const
Return the capacity of the collection, i.e.
static Bool_t fgAuthReUse
virtual Int_t RecvRaw(void *buffer, Int_t length, ESendRecvOptions opt=kDefault)
Receive a raw buffer of specified length bytes.
virtual void Print(Option_t *option="") const
Print object content.
virtual Int_t GetValue(const char *name, Int_t dflt) const
Returns the integer value for a resource.
const Int_t kAUTH_CRYPT_MSK
virtual char * ConcatFileName(const char *dir, const char *name)
Concatenate a directory and a file name. User must delete returned string.
static constexpr double ns
static Int_t GetAuthMethodIdx(const char *meth)
Static method returning the method index (which can be used to find the method in GetAuthMethod())...
static THostAuth * HasHostAuth(const char *host, const char *user, Option_t *opt="R")
Checks if a THostAuth with an exact match for {host,user} exists in the fgAuthInfo list. If opt = "P" use...
static void SetGlobalPasswd(const char *passwd)
Set global passwd to be used for authentication to rootd or proofd.
static Int_t DecodeRSAPublic(const char *rsapubexport, R__rsa_NUMBER &n, R__rsa_NUMBER &d, char **rsassl=0)
Store RSA public keys from export string rsaPubExport.
void Resize(Ssiz_t n)
Resize the string. Truncate or add blanks as necessary.
static Int_t SendRSAPublicKey(TSocket *Socket, Int_t key=0)
Receives the server RSA public key; sends the local RSA public key encoded.
This class stores the date and time with a precision of one second in an unsigned 32 bit word (950130...
static Int_t RecvHostAuth(TSocket *s, Option_t *opt)
Receive from client/master directives for authentications, create related THostAuth and add them to t...
const char * Data() const
static const char * GetAuthMethod(Int_t idx)
Static method returning the method corresponding to idx.