class TAuthenticate : public TObject

Inheritance Chart:
TObject
<-
TAuthenticate
    private:
Bool_t Authenticate() static Bool_t CheckHost(const char* Host, const char* host) static Bool_t CleanupSecContext(TSecContext* ctx, Bool_t all) Int_t ClearAuth(TString& user, TString& passwd, Bool_t& pwhash) static void FileExpand(const char* fin, FILE* ftmp) Int_t GenRSAKeys() Bool_t GetPwHash() const char* GetRandString(Int_t Opt, Int_t Len) Int_t GetRSAKey() const TSecContext* GetSecContext() const TAuthenticate::ESecurity GetSecurity() const Bool_t GetSRPPwd() const const char* GetSshUser(TString user) const Bool_t GetUserPasswd(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd) Int_t GetVersion() const static void RemoveSecContext(TSecContext* ctx) Int_t RfioAuth(TString& user) void SetEnvironment() Int_t SshAuth(TString& user) Int_t SshError(const char* errfile) protected:
static void SetReadHomeAuthrc(Bool_t readhomeauthrc) public:
TAuthenticate(TSocket* sock, const char* remote, const char* proto, const char* user = "") TAuthenticate(const TAuthenticate&) virtual ~TAuthenticate() static void AuthError(const char* where, Int_t error) Int_t AuthExists(TString User, Int_t method, const char* Options, Int_t* Message, Int_t* Rflag, CheckSecCtx_t funcheck) void CatchTimeOut() Bool_t CheckNetrc(TString& user, TString& passwd) Bool_t CheckNetrc(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd) static Bool_t CheckProofAuth(Int_t cSec, TString& det) static TClass* Class() static void CleanupSecContextAll(Option_t* opt = "k") static Int_t DecodeRSAPublic(const char* rsapubexport, rsa_NUMBER& n, rsa_NUMBER& d, void** rsassl = 0) static TList* GetAuthInfo() static const char* GetAuthMethod(Int_t idx) const static Int_t GetAuthMethodIdx(const char* meth) static Bool_t GetAuthReUse() static Int_t GetClientProtocol() static char* GetDefaultDetails(Int_t method, Int_t opt, const char* user) static const char* GetDefaultUser() const static TDatime GetGlobalExpDate() static Bool_t GetGlobalPwHash() static Bool_t GetGlobalSRPPwd() static const char* GetGlobalUser() const static GlobusAuth_t GetGlobusAuthHook() THostAuth* GetHostAuth() const static THostAuth* GetHostAuth(const char* host, const char* user = "", Option_t* opt = "R", Int_t* Exact = 0) static const char* GetKrb5Principal() const static Bool_t GetPromptUser() static TList* GetProofAuthInfo() const char* GetProtocol() const const char* GetRemoteHost() const static Int_t GetRSAInit() Int_t GetRSAKeyType() const static const char* GetRSAPubExport(Int_t key = 0) const TSocket* GetSocket() const const char* GetUser() const static THostAuth* HasHostAuth(const char* host, const char* user, Option_t* opt = "R") Int_t HasTimedOut() const static void InitRandom() virtual TClass* IsA() const static void MergeHostAuthList(TList* Std, TList* New, Option_t* Opt = "") TAuthenticate& operator=(const TAuthenticate&) static char* PromptPasswd(const char* 
prompt = "Password: ") static char* PromptUser(const char* remote) static void ReadProofConf(const char* proofconf) static Int_t ReadRootAuthrc(const char* proofconf = "0") static void RemoveHostAuth(THostAuth* ha, Option_t* opt = "") static Int_t SecureRecv(TSocket* Socket, Int_t dec, Int_t KeyType, char** Out) static Int_t SecureSend(TSocket* Socket, Int_t enc, Int_t KeyType, const char* In) static Int_t SendRSAPublicKey(TSocket* Socket, Int_t key = 0) static void SetAuthReUse(Bool_t authreuse) static void SetDefaultRSAKeyType(Int_t key) static void SetDefaultUser(const char* defaultuser) static void SetGlobalExpDate(TDatime expdate) static void SetGlobalPasswd(const char* passwd) static void SetGlobalPwHash(Bool_t pwhash) static void SetGlobalSRPPwd(Bool_t srppwd) static void SetGlobalUser(const char* user) static void SetGlobusAuthHook(GlobusAuth_t func) static void SetKrb5AuthHook(Krb5Auth_t func) static void SetPromptUser(Bool_t promptuser) static void SetRSAInit(Int_t init = 1) void SetRSAKeyType(Int_t key) static Int_t SetRSAPublic(const char* rsapubexport, Int_t klen) void SetSecContext(TSecContext* ctx) static void SetSecureAuthHook(SecureAuth_t func) static void SetTimeOut(Int_t to) static void Show(Option_t* opt = "S") virtual void ShowMembers(TMemberInspector& insp, char* parent) virtual void Streamer(TBuffer& b) void StreamerNVirtual(TBuffer& b)

Data Members

    private:
TString fDetails logon details (method dependent ...) THostAuth* fHostAuth pointer to relevant authentication info TString fPasswd user's password TString fProtocol remote service (rootd, proofd) Bool_t fPwHash kTRUE if fPasswd is a passwd hash TString fRemote remote host to which we want to connect Int_t fRSAKey Type of RSA key used TSecContext* fSecContext pointer to relevant sec context TAuthenticate::ESecurity fSecurity actual logon security level TSocket* fSocket connection to remote daemon Bool_t fSRPPwd kTRUE if fPasswd is a SRP passwd Int_t fVersion 0,1,2, ... accordingly to remote daemon version TString fUser user to be authenticated Int_t fTimeOut timeout flag static TList* fgAuthInfo static TString fgAuthMeth[6] static Bool_t fgAuthReUse kTRUE is ReUse required static Int_t fgClientProtocol client protocol level static TString fgDefaultUser Default user information static TDatime fgExpDate Expiring date for new security contexts static GlobusAuth_t fgGlobusAuthHook static Krb5Auth_t fgKrb5AuthHook static TString fgKrb5Principal Principal for Krb5 ticket static TDatime fgLastAuthrc Time of last reading of fgRootAuthrc static TString fgPasswd static Bool_t fgPromptUser kTRUE if user prompt required static TList* fgProofAuthInfo Specific lists of THostAuth fro proof static Bool_t fgPwHash kTRUE if fgPasswd is a passwd hash static Bool_t fgReadHomeAuthrc kTRUE to look for $HOME/.rootauthrc static TString fgRootAuthrc Path to last rootauthrc-like file read static Int_t fgRSAKey Default type of RSA key to be tried static Int_t fgRSAInit static rsa_KEY fgRSAPriKey static rsa_KEY fgRSAPubKey static rsa_KEY_export fgRSAPubExport[2] static SecureAuth_t fgSecAuthHook static Bool_t fgSRPPwd kTRUE if fgPasswd is a SRP passwd static TString fgUser static Bool_t fgUsrPwdCrypt kTRUE if encryption for UsrPwd is required static Int_t fgLastError Last error code processed by AuthError() static Int_t fgAuthTO if > 0, timeout in sec static Int_t fgProcessID ID of the main 
thread as unique identifier public:
static const TAuthenticate::ESecurity kClear static const TAuthenticate::ESecurity kSRP static const TAuthenticate::ESecurity kKrb5 static const TAuthenticate::ESecurity kGlobus static const TAuthenticate::ESecurity kSSH static const TAuthenticate::ESecurity kRfio

Class Description

                                                                      
 TAuthenticate                                                        
                                                                      
 An authentication module for ROOT based network services, like rootd 
 and proofd.                                                          
                                                                      


TAuthenticate(TSocket *sock, const char *remote, const char *proto, const char *user)
 Create authentication object.

void CatchTimeOut()
 Called in connection with a timer timeout

Bool_t Authenticate()
 Authenticate to remote rootd or proofd server. Return kTRUE if
 authentication succeeded.

void SetEnvironment()
 Set default authentication environment. The values are inferred
 from fSecurity and fDetails.

Bool_t GetUserPasswd(TString &user, TString &passwd, Bool_t &pwhash, Bool_t srppwd)
 Try to get user name and passwd from several sources.

Bool_t CheckNetrc(TString &user, TString &passwd)
 Try to get user name and passwd from the ~/.rootnetrc or
 ~/.netrc files. For more info see the version with 4 arguments.
 This version is maintained for backward compatibility reasons.

Bool_t CheckNetrc(TString &user, TString &passwd, Bool_t &pwhash, Bool_t srppwd)
 Try to get user name and passwd from the ~/.rootnetrc or
 ~/.netrc files. First ~/.rootnetrc is tried, after that ~/.netrc.
 These files will only be used when their access mask is exactly 0600 (readable and writable by the owner only).
 Returns kTRUE if user and passwd were found for the machine
 specified in the URL. If kFALSE, user and passwd are "".
 If srppwd == kTRUE then a SRP ('secure') pwd is searched for in
 the files.
 The boolean pwhash is set to kTRUE if the returned passwd is to
 be understood as password hash, i.e. if the 'password-hash' keyword
 is found in the 'machine' lines; not implemented for 'secure'
 and the .netrc file.
 The format of these files is:

 # this is a comment line
 machine <machine fqdn> login <user> password <passwd>
 machine <machine fqdn> login <user> password-hash <passwd>

 and in addition ~/.rootnetrc also supports:

 secure <machine fqdn> login <user> password <passwd>

 for the secure protocols. All lines must start in the first column.

const char* GetGlobalUser()
 Static method returning the global user.

Bool_t GetGlobalPwHash()
 Static method returning the global password hash flag.

Bool_t GetGlobalSRPPwd()
 Static method returning the global SRP password flag.

TDatime GetGlobalExpDate()
 Static method returning default expiring date for new validity contexts

const char* GetDefaultUser()
 Static method returning the default user information.

const char* GetKrb5Principal()
 Static method returning the principal to be used to init Krb5 tickets.

Bool_t GetAuthReUse()
 Static method returning the authentication reuse settings.

Bool_t GetPromptUser()
 Static method returning the prompt user settings.

const char* GetAuthMethod(Int_t idx)
 Static method returning the method corresponding to idx.

Int_t GetAuthMethodIdx(const char *meth)
 Static method returning the method index (which can be used to find
 the method in GetAuthMethod()). Returns -1 in case meth is not found.

char* PromptUser(const char *remote)
 Static method to prompt for the user name to be used for authentication
 to rootd or proofd. User is asked to type user name.
 Returns user name (which must be deleted by caller) or 0.
 If non-interactive run (eg ProofServ) returns default user.

char* PromptPasswd(const char *prompt)
 Static method to prompt for the user's passwd to be used for
 authentication to rootd or proofd. Uses non-echoing command line
 to get passwd. Returns passwd (which must be deleted by caller) or 0.
 If non-interactive run (eg ProofServ) returns -1.

GlobusAuth_t GetGlobusAuthHook()
 Static method returning the globus authorization hook.

const char* GetRSAPubExport(Int_t key)
 Static method returning the RSA public keys.

Int_t GetRSAInit()
 Static method returning the RSA initialization flag.

void SetDefaultRSAKeyType(Int_t key)
 Static method setting the default type of RSA key.

void SetRSAInit(Int_t init)
 Static method setting RSA initialization flag.

TList* GetAuthInfo()
 Static method returning the list with authentication details.

TList* GetProofAuthInfo()
 Static method returning the list with authentication directives
 to be sent to proof.

void AuthError(const char *where, Int_t err)
 Print error string depending on error code.

void SetGlobalUser(const char *user)
 Set global user name to be used for authentication to rootd or proofd.

void SetGlobalPasswd(const char *passwd)
 Set global passwd to be used for authentication to rootd or proofd.

void SetGlobalPwHash(Bool_t pwhash)
 Set global passwd hash flag to be used for authentication to rootd or proofd.

void SetGlobalSRPPwd(Bool_t srppwd)
 Set global SRP passwd flag to be used for authentication to rootd or proofd.

void SetReadHomeAuthrc(Bool_t readhomeauthrc)
 Set flag controlling the reading of $HOME/.rootauthrc.
 In PROOF the administrator may want to switch off private settings.
 Always true, may only be set false via option to proofd.

void SetGlobalExpDate(TDatime expdate)
 Set default expiring date for new validity contexts

void SetDefaultUser(const char *defaultuser)
 Set default user name.

void SetTimeOut(Int_t to)
 Set timeout (active if > 0)

void SetAuthReUse(Bool_t authreuse)
 Set global AuthReUse flag

void SetPromptUser(Bool_t promptuser)
 Set global PromptUser flag

void SetSecureAuthHook(SecureAuth_t func)
 Set secure authorization function. Automatically called when libSRPAuth
 is loaded.

void SetKrb5AuthHook(Krb5Auth_t func)
 Set kerberos5 authorization function. Automatically called when
 libKrb5Auth is loaded.

void SetGlobusAuthHook(GlobusAuth_t func)
 Set Globus authorization function. Automatically called when
 libGlobusAuth is loaded.

Int_t SshError(const char *errorfile)
 SSH error parsing: returns
     0  :  no error or fatal
     1  :  should retry (eg 'connection closed by remote host')

Int_t SshAuth(TString &User)
 SSH client authentication code.

const char* GetSshUser(TString User) const
 Method returning the User to be used for the ssh login.
 Looks first at SSH.Login and finally at env USER.
 If SSH.LoginPrompt is set to 'yes' it prompts for the 'login name'

Bool_t CheckHost(const char *Host, const char *host)
 Check if 'Host' matches 'host':
 this means either equal or "containing" it, even with wild cards *
 in the first field (in the case 'host' is a name, ie not IP address)
 Returns kTRUE if the two match.

Int_t RfioAuth(TString &User)
 UidGid client authentication code.
 Returns 0 in case authentication failed
         1 in case of success
        <0 in case of system error

Int_t ClearAuth(TString &User, TString &Passwd, Bool_t &PwHash)
 UsrPwd client authentication code.
 Returns 0 in case authentication failed
         1 in case of success

THostAuth* GetHostAuth(const char *host, const char *user, Option_t *Opt, Int_t *Exact)
 Sets fUser=user and search fgAuthInfo for the entry pertaining to
 (host,user), setting fHostAuth accordingly.
 If Opt = "P" use fgProofAuthInfo list instead
 If no entry is found fHostAuth is not changed

THostAuth* HasHostAuth(const char *host, const char *user, Option_t *Opt)
 Checks if a THostAuth with exact match for {host,user} exists
 in the fgAuthInfo list
 If Opt = "P" use ProofAuthInfo list instead
 Returns pointer to it or 0

void FileExpand(const char *fexp, FILE *ftmp)
 Expands include directives found in fexp files
 The expanded, temporary file, is pointed to by 'ftmp'
 and should be already open. To be called recursively.

char* GetDefaultDetails(int sec, int opt, const char *usr)
 Determine default authentication details for method 'sec' and user 'usr'.
 Checks .rootrc family files. Returned string must be deleted by the user.

void RemoveHostAuth(THostAuth * ha, Option_t *Opt)
 Remove THostAuth instance from the list

void Show(Option_t *opt)
 Print info about the authentication sector.
 If 'opt' contains 's' or 'S' prints information about established TSecContext,
 else prints information about THostAuth (if 'opt' is 'p' or 'P', prints
 Proof related information)

Int_t AuthExists(TString User, Int_t Method, const char *Options, Int_t *Message, Int_t *Rflag, CheckSecCtx_t CheckSecCtx)
 Check if we have a valid established sec context in memory
 Retrieves relevant info and negotiates with server.
 Options = "Opt,strlen(User),User.Data()"
 Message = kROOTD_USER, ...

void InitRandom()
 Initialize the random number generator using a seed read from /dev/urandom
 (or the current time if /dev/urandom is not available).

Int_t GenRSAKeys()
 Generate a valid pair of private/public RSA keys to protect the
 authentication token exchange.

char* GetRandString(Int_t Opt, Int_t Len)
 Allocates and fills a 0 terminated buffer of length Len+1 with
 Len random characters.
 Returns pointer to the buffer (to be deleted by the caller)
 Opt = 0      any non dangerous char
       1      letters and numbers  (upper and lower case)
       2      hex characters       (upper and lower case)

Int_t SecureSend(TSocket *sock, Int_t enc, Int_t key, const char *str)
 Encode null terminated str using the session private key indicated by enc
 and send it over the network.
 Returns number of bytes sent, or -1 in case of error.
 enc = 1 for private encoding, enc = 2 for public encoding

Int_t SecureRecv(TSocket *sock, Int_t dec, Int_t key, char **str)
 Receive str from sock and decode it using key indicated by key type
 Return number of received bytes or -1 in case of error.
 dec = 1 for private decoding, dec = 2 for public decoding

Int_t DecodeRSAPublic(const char *RSAPubExport, rsa_NUMBER &RSA_n, rsa_NUMBER &RSA_d, void **RSASSL)
 Store RSA public keys from export string RSAPubExport.

Int_t SetRSAPublic(const char *RSAPubExport, Int_t klen)
 Store RSA public keys from export string RSAPubExport.
 Returns type of stored key, or -1 if not recognized.

Int_t SendRSAPublicKey(TSocket *socket, Int_t key)
 Receives Server RSA Public key
 Sends local RSA public key encoded

Int_t GetClientProtocol()
 Static method returning supported client protocol.

void CleanupSecContextAll(Option_t *opt)
 Ask remote client to clean up all active security contexts.
 Static method called in TROOT for final cleanup.

Bool_t CleanupSecContext(TSecContext *ctx, Bool_t all)
 Ask remote client to clean up security context 'ctx'.
 If 'all', all sec contexts with the same host as ctx
 are cleaned.
 Static method called by ~TSecContext.

Int_t ReadRootAuthrc(const char *proofconf)
 Read authentication directives from $ROOTAUTHRC, $HOME/.rootauthrc or
 <Root_etc_dir>/system.rootauthrc and create related THostAuth objects.
 Files are read only if they changed since last reading
 If 'proofconf' is defined, check also file proofconf for directives

void ReadProofConf(const char *conffile)
 Collect information needed for authentication to slaves from
 $HOME/.proof.conf or <Root_Dir>/proof/etc/proof.conf
 Update or create THostAuth objects accordingly
 Add them to the ProofAuthInfo list.

Bool_t CheckProofAuth(Int_t cSec, TString &Out)
 Check if the authentication method can be attempted for the client.

void MergeHostAuthList(TList *Std, TList *New, Option_t *Opt)
 Tool for updating fgAuthInfo or fgProofAuthInfo
 'New' contains list of last input information through (re)reading
 of a rootauthrc-alike file. 'New' info has priority.
 'Std' is cleaned from inactive members.
 'New' members used to update existing members in 'Std' are
 removed from 'New', so that they do not leak.
 Opt = "P" for ProofAuthInfo.

void RemoveSecContext(TSecContext *ctx)
 Tool for removing SecContext ctx from THostAuth listed in
 fgAuthInfo or fgProofAuthInfo



Inline Functions


                            void ~TAuthenticate()
                          Bool_t GetPwHash() const
                           Int_t GetRSAKey() const
                    TSecContext* GetSecContext() const
        TAuthenticate::ESecurity GetSecurity() const
                          Bool_t GetSRPPwd() const
                           Int_t GetVersion() const
                     const char* GetProtocol() const
                     const char* GetRemoteHost() const
                           Int_t GetRSAKeyType() const
                        TSocket* GetSocket() const
                     const char* GetUser() const
                           Int_t HasTimedOut() const
                            void SetRSAKeyType(Int_t key)
                            void SetSecContext(TSecContext* ctx)
                      THostAuth* GetHostAuth(const char* host, const char* user = "", Option_t* opt = "R", Int_t* Exact = 0)
                         TClass* Class()
                         TClass* IsA() const
                            void ShowMembers(TMemberInspector& insp, char* parent)
                            void Streamer(TBuffer& b)
                            void StreamerNVirtual(TBuffer& b)
                   TAuthenticate TAuthenticate(const TAuthenticate&)
                  TAuthenticate& operator=(const TAuthenticate&)


Author: Fons Rademakers 26/11/2000
Last update: root/net:$Name: $:$Id: TAuthenticate.cxx,v 1.75 2005/06/23 06:24:27 brun Exp $
Copyright (C) 1995-2000, Rene Brun and Fons Rademakers. *

