21 #include "RConfigure.h" 49 #include <sys/types.h> 51 #if !defined(R__WIN32) && !defined(R__MACOSX) && !defined(R__FBSD) && \ 58 #if defined(R__LINUX) || defined(R__FBSD) || defined(R__OBSD) 63 # include <sys/time.h> 66 #if defined(R__MACOSX) 67 extern "C" char *crypt(
const char *,
const char *);
77 # include <openssl/bio.h> 78 # include <openssl/err.h> 79 # include <openssl/pem.h> 80 # include <openssl/rand.h> 81 # include <openssl/rsa.h> 82 # include <openssl/ssl.h> 92 "Globus",
"SSH",
"UidGid" };
114 BF_KEY TAuthenticate::fgBFKey;
140 int frnd =
open(
"/dev/urandom", O_RDONLY);
141 if (frnd < 0) frnd =
open(
"/dev/random", O_RDONLY);
144 ssize_t rs =
read(frnd, (
void *) &r,
sizeof(
int));
147 if (rs ==
sizeof(
int))
return r;
149 Printf(
"+++ERROR+++ : auth_rand: neither /dev/urandom nor /dev/random are available or readable!");
151 if (gettimeofday(&tv,0) == 0) {
153 memcpy((
void *)&t1, (
void *)&tv.tv_sec,
sizeof(
int));
154 memcpy((
void *)&t2, (
void *)&tv.tv_usec,
sizeof(
int));
170 const char *
proto,
const char *user)
172 if (
gDebug > 2 && gAuthenticateMutex)
177 if (
gROOT->IsProofServ())
194 Info(
"TAuthenticate",
"Enter: local host: %s, user is: %s (proto: %s)",
201 if (proto && strlen(proto) > 0) {
202 char *sproto =
StrDup(proto);
203 if ((pdd = strstr(sproto,
":")) != 0) {
204 int rproto = atoi(pdd + 1);
206 if (strstr(sproto,
"root") != 0) {
223 if (strstr(sproto,
"proof") != 0) {
238 Info(
"TAuthenticate",
239 "service: %s (remote protocol: %d): fVersion: %d", sproto,
249 if (user && strlen(user) > 0) {
255 checkUser = u->
fUser;
275 Info(
"TAuthenticate",
"RSA key: default type %d", fgRSAKey);
289 fqdnsrv.
Form(
"%s:%d",fqdn.
Data(),servtype);
295 Info(
"TAuthenticate",
296 "number of HostAuth Instantiations in memory: %d",
297 GetAuthInfo()->GetSize());
303 fHostAuth = GetHostAuth(fqdnsrv, checkUser);
311 if (fProtocol.Contains(
"proof")) {
313 }
else if (fProtocol.Contains(
"root")) {
317 Int_t nw = sscanf(tmp.
Data(),
"%5s %5s %5s %5s %5s %5s",
318 am[0], am[1], am[2], am[3], am[4], am[5]);
321 for( ; i < nw; i++) {
323 if (strlen(am[i]) > 1) {
324 met = GetAuthMethodIdx(am[i]);
328 if (met > -1 && met <
kMAXSEC) {
335 fHostAuth =
new THostAuth(fRemote,fUser,nm,me,0);
337 fHostAuth =
new THostAuth(fRemote,fUser,0,(
const char *)0);
343 if (strchr(fHostAuth->GetHost(),
'*') || strchr(fHostAuth->GetHost(),
'*') ||
344 fHostAuth->GetServer() == -1 ) {
346 fHostAuth->SetHost(fqdn);
347 fHostAuth->SetUser(checkUser);
348 fHostAuth->SetServer(servtype);
358 if (!strncmp(tmp.
Data(),
"up",2))
360 else if (!strncmp(tmp.
Data(),
"s",1))
362 else if (!strncmp(tmp.
Data(),
"k",1))
364 else if (!strncmp(tmp.
Data(),
"g",1))
366 else if (!strncmp(tmp.
Data(),
"h",1))
368 else if (!strncmp(tmp.
Data(),
"ug",2))
370 if (sec > -1 && sec <
kMAXSEC) {
371 if (fHostAuth->HasMethod(sec)) {
372 fHostAuth->SetFirst(sec);
374 char *dtmp = GetDefaultDetails(sec, 1, checkUser);
376 fHostAuth->AddFirst(sec, det);
384 TIter next(fHostAuth->Established());
396 Info(
"CatchTimeOut",
"%d sec timeout expired (protocol: %s)",
397 fgAuthTO, fgAuthMeth[fSecurity].
Data());
401 fSocket->Close(
"force");
412 if (
gDebug > 2 && gAuthenticateMutex)
420 char noSupport[80] = { 0 };
421 char triedMeth[80] = { 0 };
428 Info(
"Authenticate",
"enter: fUser: %s", fUser.Data());
435 alarm->SetInterruptSyscalls();
437 alarm->Connect(
"Timeout()",
"TAuthenticate",
this,
"CatchTimeOut()");
445 Info(
"Authenticate",
"try #: %d", ntry);
452 fSecurity = (
ESecurity) fHostAuth->GetMethod(meth);
453 fDetails = fHostAuth->GetDetails((
Int_t) fSecurity);
456 "trying authentication: method:%d, default details:%s",
457 fSecurity, fDetails.Data());
460 if (strlen(triedMeth) > 0)
461 snprintf(triedMeth, 80,
"%s %s", triedMeth, fgAuthMeth[fSecurity].
Data());
463 snprintf(triedMeth, 80,
"%s", fgAuthMeth[fSecurity].
Data());
473 if (fgAuthTO > 0 && alarm) {
474 alarm->Start(fgAuthTO*1000,
kTRUE);
478 if (fSecurity == kClear) {
483 user = fgDefaultUser;
485 CheckNetrc(user, passwd, pwhash,
kFALSE);
488 char *u = PromptUser(fRemote);
492 rc = GetUserPasswd(user, passwd, pwhash,
kFALSE);
500 st = ClearAuth(user, passwd, pwhash);
502 Error(
"Authenticate",
503 "unable to get user name for UsrPwd authentication");
506 }
else if (fSecurity == kSRP) {
511 user = fgDefaultUser;
513 CheckNetrc(user, passwd, pwhash,
kTRUE);
516 char *p = PromptUser(fRemote);
520 rc = GetUserPasswd(user, passwd, pwhash,
kTRUE);
525 if (!fgSecAuthHook) {
534 if (!rc && fgSecAuthHook) {
536 st = (*fgSecAuthHook) (
this, user, passwd, fRemote, fDetails,
540 Error(
"Authenticate",
541 "no support for SRP authentication available");
543 Error(
"Authenticate",
544 "unable to get user name for SRP authentication");
552 }
else if (fSecurity == kKrb5) {
557 if (!fgKrb5AuthHook) {
565 if (fgKrb5AuthHook) {
566 fUser = fgDefaultUser;
567 st = (*fgKrb5AuthHook) (
this, fUser, fDetails, fVersion);
569 Error(
"Authenticate",
570 "support for kerberos5 auth locally unavailable");
575 "remote daemon does not support Kerberos authentication");
576 if (strlen(noSupport) > 0)
577 snprintf(noSupport, 80,
"%s/Krb5", noSupport);
582 }
else if (fSecurity == kGlobus) {
586 if (!fgGlobusAuthHook) {
594 if (fgGlobusAuthHook) {
595 st = (*fgGlobusAuthHook) (
this, fUser, fDetails);
597 Error(
"Authenticate",
598 "no support for Globus authentication available");
603 "remote daemon does not support Globus authentication");
604 if (strlen(noSupport) > 0)
605 snprintf(noSupport, 80,
"%s/Globus", noSupport);
611 }
else if (fSecurity == kSSH) {
621 "remote daemon does not support SSH authentication");
622 if (strlen(noSupport) > 0)
623 snprintf(noSupport, 80,
"%s/SSH", noSupport);
628 }
else if (fSecurity == kRfio) {
633 st = RfioAuth(fUser);
638 "remote daemon does not support UidGid authentication");
639 if (strlen(noSupport) > 0)
640 snprintf(noSupport, 80,
"%s/UidGid", noSupport);
647 if (alarm) alarm->Stop();
650 st = (fTimeOut > 0) ? -3 : st;
658 Int_t nmet = fHostAuth->NumMethods();
659 Int_t remloc = nmet - ntry;
661 Info(
"Authenticate",
"remloc: %d, ntry: %d, meth: %d, fSecurity: %d",
662 remloc, ntry, meth, fSecurity);
669 fHostAuth->CountSuccess((
Int_t)fSecurity);
671 fSecContext->Print();
672 if (fSecContext->IsActive())
673 fSecContext->AddForCleanup(fSocket->GetPort(),
674 fSocket->GetRemoteProtocol(),fSocket->GetServType());
681 fHostAuth->CountFailure((
Int_t)fSecurity);
687 "negotiation not supported remotely: try next method, if any");
688 if (meth < nmet - 1) {
699 if (fSocket->Recv(stat, kind) < 0) {
705 "after failed attempt: kind= %d, stat= %d", kind, stat);
712 char *answer =
new char[len];
713 int nrec = fSocket->Recv(answer, len, kind);
721 "strings with accepted methods not received (%d:%d)",
724 sscanf(answer,
"%d %d %d %d %d %d", &rMth[0], &rMth[1],
725 &rMth[2], &rMth[3], &rMth[4], &rMth[5]);
726 if (
gDebug > 0 && remloc > 0)
728 "remotely allowed methods not yet tried: %s",
731 }
else if (stat == 0) {
733 "no more methods accepted remotely to be tried");
746 char locav[40] = { 0 };
748 for (i = 0; i < remMeth; i++) {
749 for (j = 0; j < nmet; j++) {
750 if (fHostAuth->GetMethod(j) == rMth[i] && tMth[j] == 0) {
757 snprintf(locav, 40,
"%s %d", locav, fHostAuth->GetMethod(j));
759 if (methfound)
break;
761 if (methfound)
break;
766 "no match with those locally available: %s", locav);
780 fHostAuth->CountFailure((
Int_t)fSecurity);
783 "method not even started: insufficient or wrong info: %s",
784 "try with next method, if any");
785 fHostAuth->RemoveMethod(fSecurity);
797 fHostAuth->CountFailure((
Int_t)fSecurity);
801 "status code -2 not expected from old daemons");
811 fHostAuth->CountFailure((
Int_t)fSecurity);
813 Info(
"Authenticate",
"got a timeout");
814 fHostAuth->SetLast(fSecurity);
815 if (meth < nmet - 1) {
823 fHostAuth->CountFailure((
Int_t)fSecurity);
825 Info(
"Authenticate",
"unknown status code: %d - assume failure",st);
839 if (strlen(noSupport) > 0)
840 Info(
"Authenticate",
"attempted methods %s are not supported" 841 " by remote server version", noSupport);
843 "failure: list of attempted methods: %s", triedMeth);
844 AuthError(
"Authenticate",-1);
867 Info(
"SetEnvironment",
868 "setting environment: fSecurity:%d, fDetails:%s", fSecurity,
872 fgDefaultUser = fgUser;
873 if (fSecurity == kKrb5 ||
874 (fSecurity == kGlobus &&
gROOT->IsProofServ()))
881 if (fDetails !=
"") {
883 char pt[5] = { 0 }, ru[5] = { 0 };
884 Int_t hh = 0, mm = 0;
889 TString usrPromptDef =
TString(GetAuthMethod(fSecurity)) +
".LoginPrompt";
890 if ((ptr = strstr(fDetails,
"pt:")) != 0) {
891 sscanf(ptr + 3,
"%4s %8191s", pt, usdef);
893 if (!strncasecmp(
gEnv->
GetValue(usrPromptDef,
""),
"no",2) ||
899 TString usrReUseDef =
TString(GetAuthMethod(fSecurity)) +
".ReUse";
900 if ((ptr = strstr(fDetails,
"ru:")) != 0) {
901 sscanf(ptr + 3,
"%4s %8191s", ru, usdef);
903 if (!strncasecmp(
gEnv->
GetValue(usrReUseDef,
""),
"no",2) ||
909 TString usrValidDef =
TString(GetAuthMethod(fSecurity)) +
".Valid";
912 if ((pd = hours.Index(
":")) > -1) {
916 hh = atoi(hours.Data());
917 mm = atoi(minutes.
Data());
919 hh = atoi(hours.Data());
924 if (fSecurity == kGlobus) {
925 if ((ptr = strstr(fDetails,
"cd:")) != 0)
926 sscanf(ptr,
"%8191s %8191s", cd, usdef);
927 if ((ptr = strstr(fDetails,
"cf:")) != 0)
928 sscanf(ptr,
"%8191s %8191s", cf, usdef);
929 if ((ptr = strstr(fDetails,
"kf:")) != 0)
930 sscanf(ptr,
"%8191s %8191s", kf, usdef);
931 if ((ptr = strstr(fDetails,
"ad:")) != 0)
932 sscanf(ptr,
"%8191s %8191s", ad, usdef);
934 Info(
"SetEnvironment",
935 "details:%s, pt:%s, ru:%s, cd:%s, cf:%s, kf:%s, ad:%s",
936 fDetails.Data(),
pt, ru, cd, cf, kf, ad);
938 }
else if (fSecurity == kClear) {
939 if ((ptr = strstr(fDetails,
"us:")) != 0)
940 sscanf(ptr + 3,
"%8191s %8191s", us, usdef);
941 if ((ptr = strstr(fDetails,
"cp:")) != 0)
942 sscanf(ptr + 3,
"%8191s %8191s", cp, usdef);
944 Info(
"SetEnvironment",
"details:%s, pt:%s, ru:%s, us:%s cp:%s",
945 fDetails.Data(),
pt, ru, us, cp);
946 }
else if (fSecurity == kKrb5) {
947 if ((ptr = strstr(fDetails,
"us:")) != 0)
948 sscanf(ptr + 3,
"%8191s %8191s", us, usdef);
949 if ((ptr = strstr(fDetails,
"pp:")) != 0)
950 sscanf(ptr + 3,
"%8191s %8191s", pp, usdef);
952 Info(
"SetEnvironment",
"details:%s, pt:%s, ru:%s, us:%s pp:%s",
953 fDetails.Data(),
pt, ru, us, pp);
955 if ((ptr = strstr(fDetails,
"us:")) != 0)
956 sscanf(ptr + 3,
"%8191s %8191s", us, usdef);
958 Info(
"SetEnvironment",
"details:%s, pt:%s, ru:%s, us:%s",
959 fDetails.Data(),
pt, ru, us);
963 if (!strncasecmp(pt,
"yes",3) || !strncmp(pt,
"1", 1))
964 fgPromptUser =
kTRUE;
967 if (fSecurity == kKrb5) {
969 if (!strncasecmp(ru,
"yes",3) || !strncmp(ru,
"1",1))
972 if (fSecurity != kGlobus || !(
gROOT->IsProofServ())) {
974 if (!strncasecmp(ru,
"no",2) || !strncmp(ru,
"0",1))
981 fgExpDate.Set(fgExpDate.Convert() + hh*3600 + mm*60);
984 if (fSecurity == kClear) {
985 fgUsrPwdCrypt =
kTRUE;
986 if (!strncmp(cp,
"no", 2) || !strncmp(cp,
"0", 1))
991 if (fSecurity == kGlobus) {
992 if (strlen(cd) > 0) {
snprintf(usdef,8192,
" %s",cd); }
993 if (strlen(cf) > 0) {
snprintf(usdef,8192,
"%s %s",usdef, cf); }
994 if (strlen(kf) > 0) {
snprintf(usdef,8192,
"%s %s",usdef, kf); }
995 if (strlen(ad) > 0) {
snprintf(usdef,8192,
"%s %s",usdef, ad); }
997 if (fSecurity == kKrb5) {
999 if (strlen(pp) > 0) {
1000 fgKrb5Principal =
TString(pp);
1003 if (strlen(us) > 0 && strstr(us,
"@"))
1004 fgKrb5Principal =
TString(us);
1007 if (fUser.Length()) {
1010 if (strlen(us) > 0 && !strstr(us,
"@"))
1021 if (strlen(usdef) > 0) {
1022 fgDefaultUser = usdef;
1025 fgDefaultUser = fgUser;
1029 fgDefaultUser = u->
fUser;
1033 if (fgDefaultUser ==
"anonymous" || fgDefaultUser ==
"rootd" ||
1034 fgUser !=
"" || fUser !=
"") {
1040 Info(
"SetEnvironment",
"usdef:%s", fgDefaultUser.Data());
1051 Info(
"GetUserPasswd",
"Enter: User: '%s' Hash:%d SRP:%d",
1058 if (passwd ==
"" && fgPasswd !=
"" && srppwd == fgSRPPwd) {
1063 if (fgUser !=
"" && user == fgUser) {
1064 if (passwd ==
"" && fgPasswd !=
"" && srppwd == fgSRPPwd) {
1071 Info(
"GetUserPasswd",
"In memory: User: '%s' Hash:%d",
1081 Info(
"GetUserPasswd",
"In memory: User: '%s' Hash:%d",
1087 if (user ==
"" || passwd ==
"") {
1089 Info(
"GetUserPasswd",
"Checking .netrc family ...");
1090 CheckNetrc(user, passwd, pwhash, srppwd);
1093 Info(
"GetUserPasswd",
"From .netrc family: User: '%s' Hash:%d",
1098 char *p = PromptUser(fRemote);
1102 Error(
"GetUserPasswd",
"user name not set");
1122 return CheckNetrc(user, passwd, hash, srppwd);
1180 FILE *fd = fopen(net,
"r");
1182 while (fgets(line,
sizeof(line), fd) != 0) {
1186 int nword = sscanf(line,
"%63s %63s %63s %63s %63s %63s",
1187 word[0], word[1], word[2], word[3], word[4], word[5]);
1190 if (srppwd && strcmp(word[0],
"secure"))
1192 if (!srppwd && strcmp(word[0],
"machine"))
1194 if (strcmp(word[2],
"login"))
1196 if (srppwd && strcmp(word[4],
"password"))
1199 strcmp(word[4],
"password") && strcmp(word[4],
"password-hash"))
1211 if (!strcmp(word[4],
"password-hash"))
1216 if (!strcmp(word[3], user.
Data())) {
1218 if (!strcmp(word[4],
"password-hash"))
1229 "file %s exists but has not 0600 permission", net);
1233 if (first && !srppwd && !result) {
1279 return fgDefaultUser;
1287 return fgKrb5Principal;
1303 return fgPromptUser;
1313 if (idx < 0 || idx >
kMAXSEC-1) {
1314 ::Error(
"Authenticate::GetAuthMethod",
"idx out of bounds (%d)", idx);
1317 return fgAuthMeth[idx];
1328 if (meth && meth[0]) {
1349 if (fgDefaultUser !=
"")
1350 user = fgDefaultUser;
1357 if (isatty(0) == 0 || isatty(1) == 0) {
1359 "not tty: cannot prompt for user, returning default");
1366 const char *usrIn = Getline(
Form(
"Name (%s:%s): ", remote, user));
1386 if (isatty(0) == 0 || isatty(1) == 0) {
1387 ::Warning(
"TAuthenticate::PromptPasswd",
1388 "not tty: cannot prompt for passwd, returning -1");
1389 static char noint[4] = {
"-1"};
1394 const char *pw = buf;
1398 if ((fgPasswdDialog =
1399 gROOT->GetPluginManager()->FindHandler(
"TGPasswdDialog"))) {
1400 if (fgPasswdDialog->LoadPlugin() == -1) {
1403 "could not load plugin for the password dialog box");
1407 if (fgPasswdDialog && (fgPasswdDialog != (
TPluginHandler *)(-1))) {
1410 fgPasswdDialog->ExecPlugin(3, prompt, buf, 128);
1413 while (
gROOT->IsInterrupted())
1417 Gl_config(
"noecho", 1);
1418 pw = Getline(prompt);
1419 Gl_config(
"noecho", 0);
1438 return fgGlobusAuthHook;
1446 key = (key >= 0 && key <= 1) ? key : 0;
1447 return fgRSAPubExport[key].keys;
1463 if (key >= 0 && key <= 1)
1483 fgAuthInfo =
new TList;
1495 if (!fgProofAuthInfo)
1496 fgProofAuthInfo =
new TList;
1497 return fgProofAuthInfo;
1508 err = (err < kErrError) ? ((err > -1) ? err : -1) :
kErrError;
1516 lasterr =
"(last error only; re-run with gDebug > 0 for more details)";
1520 if (
gDebug > 0 || forceprint) {
1522 ::Error(
Form(
"TAuthenticate::%s", where),
"%s %s",
1526 "unknown error code: server must be running a newer ROOT version %s",
1544 if (user && user[0])
1558 if (passwd && passwd[0])
1585 fgReadHomeAuthrc = readhomeauthrc;
1593 fgExpDate = expdate;
1601 if (fgDefaultUser !=
"")
1604 if (defaultuser && defaultuser[0])
1605 fgDefaultUser = defaultuser;
1613 fgAuthTO = (to <= 0) ? -1 : to;
1621 fgAuthReUse = authreuse;
1629 fgPromptUser = promptuser;
1638 fgSecAuthHook =
func;
1647 fgKrb5AuthHook =
func;
1656 fgGlobusAuthHook =
func;
1669 FILE *
ferr = fopen(errorfile,
"r");
1675 Int_t lerr = strlen(serr);
1676 char *pc = (
char *)memchr(serr,
'"',lerr);
1679 pc = (
char *)memchr(pc+1,
'"',strlen(pc+1));
1683 while (fgets(line,
sizeof(line),
ferr)) {
1685 if (line[strlen(line)-1] ==
'\n')
1686 line[strlen(line)-1] =
'\0';
1688 Info(
"SshError",
"read line: %s",line);
1690 while (pc < serr + lerr) {
1691 if (pc[0] ==
'\0' || pc[0] ==
' ')
1695 Info(
"SshError",
"checking error: '%s'",pc);
1696 if (strstr(line,pc))
1721 if (
gROOT->IsProofServ()) {
1724 Info(
"SshAuth",
"SSH protocol is switched OFF by default" 1725 " for PROOF servers: use 'ProofServ.UseSSH 1'" 1726 " to enable it (see system.rootrc)");
1736 char cmdref[2][5] = {
"ssh",
"scp"};
1741 while (notfound && sshproto > -1) {
1743 strlcpy(scmd,cmdref[sshproto],5);
1752 Info(
"SshAuth",
"%s not found in $PATH", scmd);
1755 if (strcmp(
gEnv->
GetValue(
"SSH.ExecDir",
"-1"),
"-1")) {
1757 Info(
"SshAuth",
"searching user defined path ...");
1761 Info(
"SshAuth",
"%s not executable", sshExe.
Data());
1767 if (notfound) sshproto--;
1775 Info(
"SshAuth",
"%s is %s (sshproto: %d)", scmd, sshExe.
Data(), sshproto);
1788 user = GetSshUser(user);
1791 Int_t reuse = (int)fgAuthReUse;
1792 fDetails =
TString::Format(
"pt:%d ru:%d us:",(
int)fgPromptUser,(
int)fgAuthReUse)
1798 options.
Form(
"%d none %ld %s %d", opt,
1803 Int_t retval = reuse;
1831 if (fSocket->Recv(cmdinfo, reclen, kind) < 0) {
1838 Info(
"SshAuth",
"received from server command info: %s", cmdinfo);
1844 while (ci.Tokenize(tkn, from,
" ")) {
1845 if (from > 0) cmdinfo[from-1] =
'\0';
1852 if (tkn.
IsDigit() && tkn.
Atoi() == 1) fRSAKey = 1;
1859 if (isatty(0) == 0 || isatty(1) == 0) {
1860 noPrompt =
TString(
"-o 'PasswordAuthentication no' ");
1861 noPrompt +=
TString(
"-o 'StrictHostKeyChecking no' ");
1863 Info(
"SshAuth",
"using noprompt options: %s", noPrompt.
Data());
1867 Int_t srvtyp = fSocket->GetServType();
1868 Int_t rproto = fSocket->GetRemoteProtocol();
1875 if (sshproto == 0) {
1877 fileErr =
"rootsshtmp_";
1881 fileErr =
"rootsshtmp_";
1885 fileErr.
Append(
".error");
1887 sshcmd.
Form(
"%s -x -l %s %s", sshExe.
Data(), user.
Data(), noPrompt.
Data());
1895 while (ssh_rc && again && ntry--) {
1898 again = SshError(fileErr);
1900 Info(
"SshAuth",
"%d: sleeping: rc: %d, again:%d, ntry: %d",
1901 fgProcessID, ssh_rc, again, ntry);
1915 TString fileLoc =
"rootsshtmp_";
1919 fileLoc =
"rootsshtmp_";
1926 if (chmod(fileLoc, 0600) == -1) {
1927 Info(
"SshAuth",
"fchmod error: %d", errno);
1929 }
else if ((floc = fopen(fileLoc,
"w"))) {
1933 fprintf(floc,
"k: %d\n",fRSAKey+1);
1934 fwrite(fgRSAPubExport[fRSAKey].keys,1,
1935 fgRSAPubExport[fRSAKey].len,floc);
1937 fprintf(floc,
"k: %s\n",fgRSAPubExport[0].keys);
1941 fprintf(floc,
"k: -1\n");
1948 sshcmd.
Form(
"%s -p %s", sshExe.
Data(), noPrompt.
Data());
1954 user.
Data(),fRemote.Data(),cmdinfo);
1962 while (ssh_rc && again && ntry--) {
1965 again = SshError(fileErr);
1967 Info(
"SshAuth",
"%d: sleeping: rc: %d, again:%d, ntry: %d",
1968 fgProcessID, ssh_rc, again, ntry);
1989 Info(
"SshAuth",
"%d: system return code: %d (%d)",
1990 fgProcessID, ssh_rc, ntry+1);
1992 if (ssh_rc && sshproto == 0) {
1994 srvtyp = fSocket->GetServType();
1995 rproto = fSocket->GetRemoteProtocol();
2004 Int_t port = fSocket->GetPort();
2007 url.
Form(
"sockd://%s",fRemote.Data());
2015 newsock =
new TSocket(fRemote.Data(),port,-1);
2017 newsock->
Send(
"failure notification");
2020 char cd1[1024], pipe[1024], dum[1024];
2022 sscanf(cmdinfo,
"%1023s %d %1023s %1023s", cd1, &id3, pipe, dum);
2030 if (newsock->
Recv(retval, kind) >= 0) {
2031 char *buf =
new char[retval+1];
2032 if (newsock->
Recv(buf, retval+1, kind) >= 0) {
2033 if (strncmp(buf,
"OK",2)) {
2034 Info(
"SshAuth",
"from remote host %s:", fRemote.Data());
2035 Info(
"SshAuth",
">> nothing listening on port %s %s",buf,
2036 "(supposed to be associated to sshd)");
2037 Info(
"SshAuth",
">> contact the daemon administrator at %s",
2041 Info(
"SshAuth",
"from remote host %s:", fRemote.Data());
2042 Info(
"SshAuth",
">> something listening on the port" 2043 " supposed to be associated to sshd.");
2044 Info(
"SshAuth",
">> You have probably mistyped your" 2045 " password. Or you tried to hack the" 2047 Info(
"SshAuth",
">> If the problem persists you may" 2048 " consider contacting the daemon");
2049 Info(
"SshAuth",
">> administrator at %s.",fRemote.Data());
2058 if (fSocket->Recv(retval, kind) >= 0) {
2060 AuthError(
"SshAuth", retval);
2064 }
else if (ssh_rc && sshproto > 0) {
2067 Info(
"SshAuth",
"error communicating failure");
2074 Info(
"SshAuth",
"error communicating success");
2079 if ((nrec = fSocket->Recv(retval, kind)) < 0)
2082 Info(
"SshAuth",
"got message %d, flag: %d", kind, retval);
2086 AuthError(
"SshAuth", retval);
2090 if (reuse == 1 && sshproto == 0) {
2095 "problems recvn RSA key flag: got message %d, flag: %d",
2100 fRSAKey = retval - 1;
2103 if (SendRSAPublicKey(fSocket,fRSAKey) < 0)
2107 if ((nrec = fSocket->Recv(retval, kind)) < 0)
2110 Info(
"SshAuth",
"got message %d, flag: %d", kind, retval);
2115 "problems recvn (user,offset) length (%d:%d bytes:%d)", kind,
2121 reclen = (retval+1 > 256) ? 256 : retval+1;
2122 if ((nrec = fSocket->Recv(answer, reclen, kind)) < 0)
2125 Warning(
"SshAuth",
"username and offset not received (%d:%d)", kind,
2131 sscanf(answer,
"%127s %d", lUser, &offset);
2133 Info(
"SshAuth",
"received from server: user: %s, offset: %d", lUser,
2138 if (reuse == 1 && offset > -1) {
2139 if (SecureRecv(fSocket, 1, fRSAKey, &token) == -1) {
2140 Warning(
"SshAuth",
"problems secure-receiving token -" 2141 " may result in corrupted token");
2146 Info(
"SshAuth",
"received from server: token: '%s' ", token);
2152 fSecContext = fHostAuth->CreateSecContext((
const char *)lUser, fRemote,
2153 (
Int_t)kSSH, offset, fDetails,
2154 (
const char *)token, fgExpDate, 0, fRSAKey);
2157 if (token)
delete [] token;
2160 if (fSocket->Recv(retval, kind) < 0)
2163 Info(
"SshAuth",
"received from server: kind: %d, retval: %d", kind,
2186 char *p = PromptUser(fRemote);
2190 usr = fgDefaultUser;
2192 char *p = PromptUser(fRemote);
2221 if (!strcmp(href,
"*"))
2230 if (rename.
Index(href,&len) != -1 || strstr(href,
"-"))
2235 if (strstr(href,
"*"))
2247 ::Info(
"TAuthenticate::CheckHost",
"checking host IP: %s", theHost.
Data());
2258 if (pos > 0 && pos != (
Ssiz_t)(theHost.
Length()-strlen(href)))
2274 Info(
"RfioAuth",
"enter ... username %s", username.
Data());
2281 username = pw->fUser;
2282 fDetails =
TString(
"pt:0 ru:0 us:") + username;
2285 if (pw->fUid != 0) {
2298 Info(
"RfioAuth",
"sending ... %s", sstr.
Data());
2303 Info(
"RfioAuth",
"sent ... %d bytes (expected > %d)", ns,
2308 if (fSocket->Recv(stat, kind) < 0)
2311 Info(
"RfioAuth",
"after kROOTD_RFIO: kind= %d, stat= %d", kind,
2318 fHostAuth->CreateSecContext((
const char *)pw->fUser,
2319 fRemote, kRfio, -stat, fDetails, 0);
2324 if (fProtocol.Contains(
"root"))
2326 if (fProtocol.Contains(
"proof"))
2333 "%s@%s does not accept connections from %s%s",
2334 server.
Data(),fRemote.Data(),
2341 "%s@%s does not accept %s authentication from %s@%s",
2342 server.
Data(),fRemote.Data(),
2343 TAuthenticate::fgAuthMeth[5].
Data(),
2346 AuthError(
"RfioAuth", stat);
2352 Warning(
"RfioAuth",
"UidGid login as \"root\" not allowed");
2369 Info(
"ClearAuth",
"enter: user: %s (passwd hashed?: %d)",
2372 Int_t reuse = fgAuthReUse;
2373 Int_t prompt = fgPromptUser;
2374 Int_t cryptopt = fgUsrPwdCrypt;
2379 fgPromptUser, fgAuthReUse, fgUsrPwdCrypt) + user;
2381 Info(
"ClearAuth",
"ru:%d pt:%d cp:%d ns:%d rk:%d",
2382 fgAuthReUse,fgPromptUser,fgUsrPwdCrypt,needsalt,fgRSAKey);
2410 options.
Form(
"%d %ld %s %ld %s", opt,
2432 Info(
"ClearAuth",
"anonymous user");
2441 char ctag[11] = {0};
2442 if (anon == 0 && cryptopt == 1) {
2449 "problems recvn RSA key flag: got message %d, flag: %d",
2455 Info(
"ClearAuth",
"get key request ...");
2461 if (SendRSAPublicKey(fSocket,fRSAKey) < 0)
2468 if ((slen = SecureRecv(fSocket, 1, fRSAKey, &tmpsalt)) == -1) {
2469 Warning(
"ClearAuth",
"problems secure-receiving salt -" 2470 " may result in corrupted salt");
2471 Warning(
"ClearAuth",
"switch off reuse for this session");
2479 while (ltmp && tmpsalt[ltmp-1] !=
'#') ltmp--;
2481 if (tmpsalt[ltmp-1] ==
'#' &&
2482 tmpsalt[ltmp-10] ==
'#') {
2483 strlcpy(ctag,&tmpsalt[ltmp-10],11);
2502 Info(
"ClearAuth",
"got salt: '%s' (len: %d)", salt.
Data(), slen);
2505 Info(
"ClearAuth",
"Salt not required");
2507 if (SecureRecv(fSocket, 1, fRSAKey, &tmptag) == -1) {
2508 Warning(
"ClearAuth",
"problems secure-receiving rndmtag -" 2509 " may result in corrupted rndmtag");
2512 strlcpy(ctag, tmptag, 11);
2524 if (fgPasswd.Contains(
"@")) {
2538 if (localFQDN ==
"") {
2543 passwd.
Form(
"%s@%s", localuser.
Data(), localFQDN.
Data());
2546 "automatically generated anonymous passwd: %s",
2552 if (prompt == 1 || pashash.
Length() == 0) {
2556 xp.
Form(
"%s@%s password: ", user.
Data(),fRemote.Data());
2557 char *pwd = PromptPasswd(xp);
2561 Error(
"ClearAuth",
"password not set");
2566 if (needsalt && !pwdhash) {
2568 pashash =
TString(crypt(passwd, salt));
2594 if (anon == 0 && cryptopt == 1) {
2605 if (SecureSend(fSocket, 1, fRSAKey, pashash.
Data()) == -1) {
2606 Warning(
"ClearAuth",
"problems secure-sending pass hash" 2607 " - may result in authentication failure");
2614 for (
int i = 0; i < passwd.
Length(); i++) {
2615 char inv = ~passwd(i);
2625 if ((nrec = fSocket->Recv(stat, kind)) < 0 )
2628 Info(
"ClearAuth",
"after kROOTD_PASS: kind= %d, stat= %d", kind,
2633 AuthError(
"ClearAuth", stat);
2640 "problems recvn (user,offset) length (%d:%d bytes:%d)",
2645 int reclen = (stat+1 > 256) ? 256 : stat+1;
2646 if ((nrec = fSocket->Recv(answer, reclen, kind)) < 0)
2650 "username and offset not received (%d:%d)", kind,
2656 sscanf(answer,
"%127s %d", lUser, &offset);
2659 "received from server: user: %s, offset: %d (%s)", lUser,
2666 if (reuse == 1 && offset > -1) {
2668 if (cryptopt == 1) {
2669 if (SecureRecv(fSocket, 1, fRSAKey, &token) == -1) {
2671 "problems secure-receiving token -" 2672 " may result in corrupted token");
2677 token =
new char[tlen];
2678 if (fSocket->Recv(token, tlen, kind) < 0) {
2683 Warning(
"ClearAuth",
"token not received (%d:%d)", kind,
2686 for (
int i = 0; i < (int) strlen(token); i++) {
2687 token[i] = ~token[i];
2692 Info(
"ClearAuth",
"received from server: token: '%s' ",
2697 fSecContext = fHostAuth->CreateSecContext((
const char *)lUser, fRemote,
2698 kClear, offset, fDetails, (
const char *)token,
2699 fgExpDate, (
void *)pwdctx, fRSAKey);
2706 if (fSocket->Recv(stat, kind) < 0)
2716 fSecContext->SetID(
"AFS authentication");
2721 AuthError(
"ClearAuth", stat);
2734 if (fSocket->Recv(stat, kind) < 0)
2741 fHostAuth->CreateSecContext(user,fRemote,kClear,-1,fDetails,0);
2747 if (fProtocol.Contains(
"root"))
2749 if (fProtocol.Contains(
"proof"))
2754 "%s@%s does not accept connections from %s@%s",
2755 server.
Data(),fRemote.Data(),
2761 "%s@%s does not accept %s authentication from %s@%s",
2762 server.
Data(),fRemote.Data(),
2763 TAuthenticate::fgAuthMeth[0].
Data(),
2766 AuthError(
"ClearAuth", stat);
2773 xp.
Form(
"%s@%s password: ", user.
Data(),fRemote.Data());
2774 char *p = PromptPasswd(xp);
2778 Error(
"ClearAuth",
"password not set");
2780 if (fUser ==
"anonymous" || fUser ==
"rootd") {
2783 "please use passwd of form: user@host.do.main");
2794 for (
int i = 0; i < passwd.
Length(); i++) {
2795 char inv = ~passwd(i);
2804 if (fSocket->Recv(stat, kind) < 0)
2807 Info(
"ClearAuth",
"after kROOTD_PASS: kind= %d, stat= %d", kind,
2812 fHostAuth->CreateSecContext(user,fRemote,kClear,-1,fDetails,0);
2816 AuthError(
"ClearAuth", stat);
2836 ::Info(
"TAuthenticate::GetHostAuth",
"enter ... %s ... %s", host, user);
2842 char *ps = (
char *)strstr(host,
":");
2844 srvtyp = atoi(ps+1);
2848 if (strncmp(host,
"default",7) && !hostFQDN.
Contains(
"*")) {
2860 if (!strncasecmp(opt,
"P",1)) {
2862 next =
new TIter(GetProofAuthInfo());
2868 while ((ai = (
THostAuth *) (*next)())) {
2870 ai->
Print(
"Authenticate::GetHostAuth");
2873 if (!(serverOK = (ai->
GetServer() == -1) ||
2878 if (!strcmp(ai->
GetHost(),
"default") && serverOK && notFound)
2882 if (CheckHost(hostFQDN,ai->
GetHost()) &&
2883 CheckHost(usr,ai->
GetUser()) && serverOK) {
2888 if (hostFQDN == ai->
GetHost() &&
2910 ::Info(
"TAuthenticate::HasHostAuth",
"enter ... %s ... %s", host, user);
2916 char *ps = (
char *)strstr(host,
":");
2918 srvtyp = atoi(ps+1);
2921 if (strncmp(host,
"default",7) && !hostFQDN.
Contains(
"*")) {
2928 if (!strncasecmp(opt,
"P",1)) {
2930 next =
new TIter(GetProofAuthInfo());
2933 while ((ai = (
THostAuth *) (*next)())) {
2935 if (hostFQDN == ai->
GetHost() &&
2957 ::Info(
"TAuthenticate::FileExpand",
"enter ... '%s' ... 0x%lx", fexp, (
Long_t)ftmp);
2959 fin = fopen(fexp,
"r");
2963 while (fgets(line,
sizeof(line), fin) != 0) {
2967 if (line[strlen(line) - 1] ==
'\n')
2968 line[strlen(line) - 1] =
'\0';
2970 ::Info(
"TAuthenticate::FileExpand",
"read line ... '%s'", line);
2971 int nw = sscanf(line,
"%19s %8191s", cinc, fileinc);
2974 if (strcmp(cinc,
"include") != 0) {
2976 fprintf(ftmp,
"%s\n", line);
2983 sscanf(ln.
Data(),
"%19s %8191s", cinc, fileinc);
2986 if (fileinc[0] ==
'$') {
3003 if (fileinc[0] ==
'~') {
3007 char *ffull =
new char[flen];
3014 FileExpand(fileinc, ftmp);
3017 "file specified by 'include' cannot be open or read (%s)",
3032 const char copt[2][5] = {
"no",
"yes" };
3035 ::Info(
"TAuthenticate::GetDefaultDetails",
3036 "enter ... %d ...pt:%d ... '%s'", sec, opt, usr);
3038 if (opt < 0 || opt > 1)
3043 if (!usr[0] || !strncmp(usr,
"*",1))
3052 if (!usr[0] || !strncmp(usr,
"*",1))
3060 if (!usr[0] || !strncmp(usr,
"*",1))
3075 if (!usr[0] || !strncmp(usr,
"*",1))
3083 if (!usr[0] || !strncmp(usr,
"*",1))
3089 ::Info(
"TAuthenticate::GetDefaultDetails",
"returning ... %s", temp);
3099 if (!strncasecmp(opt,
"P",1))
3100 GetProofAuthInfo()->Remove(ha);
3102 GetAuthInfo()->Remove(ha);
3128 " +--------------------------- BEGIN --------------------------------+");
3133 " + List fgProofAuthInfo has %4d members +",
3134 GetProofAuthInfo()->GetSize());
3138 " +------------------------------------------------------------------+");
3139 TIter next(GetProofAuthInfo());
3146 " + List fgAuthInfo has %4d members +",
3147 GetAuthInfo()->GetSize());
3151 " +------------------------------------------------------------------+");
3152 TIter next(GetAuthInfo());
3160 " +---------------------------- END ---------------------------------+");
3176 Info(
"AuthExists",
"%d: enter: msg: %d options: '%s'",
3177 method,*message, options);
3183 TIter next(fHostAuth->Established());
3186 if (secctx->GetMethod() == method) {
3187 if (fRemote == secctx->GetHost()) {
3189 (*checksecctx)(username,secctx) == 1)
3199 if (secctx->GetMethod() == method) {
3200 if (fRemote == secctx->GetHost()) {
3202 (*checksecctx)(username,secctx) == 1) {
3215 offset = secctx->GetOffSet();
3216 token = secctx->GetToken();
3219 "found valid TSecContext: offset: %d token: '%s'",
3220 offset, token.
Data());
3225 sstr.
Form(
"%d %d %s", fgProcessID, offset, options);
3228 if (fSocket->Send(sstr, *message) < 0)
3231 Int_t reuse = *rflag;
3232 if (reuse == 1 && offset > -1) {
3238 Int_t rproto = fSocket->GetRemoteProtocol();
3239 Bool_t oldsrv = ((fProtocol.BeginsWith(
"root") && rproto == 9) ||
3240 (fProtocol.BeginsWith(
"proof") && rproto == 8));
3241 Int_t stat = 1, kind;
3243 if (fSocket->Recv(stat, kind) < 0)
3246 Warning(
"AuthExists",
"protocol error: expecting %d got %d" 3252 Info(
"AuthExists",
"offset OK");
3254 Int_t rsaKey = secctx->GetRSAKey();
3256 Info(
"AuthExists",
"key type: %d", rsaKey);
3271 if (SecureSend(fSocket, 1, rsaKey, token) == -1) {
3272 Warning(
"AuthExists",
"problems secure-sending token %s",
3273 "- may trigger problems in proofing Id ");
3278 for (
int i = 0; i < token.
Length(); i++) {
3279 char inv = ~token(i);
3287 Info(
"AuthExists",
"offset not OK - rerun authentication");
3290 secctx->DeActivate(
"");
3295 if (fSocket->Recv(stat, kind) < 0)
3298 Info(
"AuthExists",
"%d: after msg %d: kind= %d, stat= %d",
3299 method,*message, kind, stat);
3312 Error(
"AuthExists",
"%s@%s does not accept connections from %s@%s",
3318 "%s@%s does not accept %s authentication from %s@%s",
3319 server.
Data(),fRemote.Data(), fgAuthMeth[method].Data(),
3322 AuthError(
"AuthExists", stat);
3326 secctx->DeActivate(
"");
3333 fHostAuth->CreateSecContext(fUser,fRemote,method,-stat,fDetails,0);
3336 Info(
"AuthExists",
"valid authentication exists");
3338 Info(
"AuthExists",
"valid authentication exists: offset changed");
3340 Info(
"AuthExists",
"remote access authorized by /etc/hosts.equiv");
3342 Info(
"AuthExists",
"no authentication required remotely");
3348 if (fSocket->Recv(newOffSet, kind) < 0)
3351 secctx->SetOffSet(newOffSet);
3354 fSecContext = secctx;
3357 fHostAuth->Established()->Add(secctx);
3372 const char *randdev =
"/dev/urandom";
3375 if ((fd =
open(randdev, O_RDONLY)) != -1) {
3377 ::Info(
"InitRandom",
"taking seed from %s", randdev);
3378 if (
read(fd, &seed,
sizeof(seed)) !=
sizeof(seed))
3379 ::Warning(
"InitRandom",
"could not read seed from %s", randdev);
3383 ::Info(
"InitRandom",
"%s not available: using time()", randdev);
3398 Info(
"GenRSAKeys",
"enter");
3400 if (fgRSAInit == 1) {
3402 Info(
"GenRSAKeys",
"Keys prviously generated - return");
3421 if (fgRSAKey == 1) {
3424 Info(
"GenRSAKeys",
"SSL: Generate Blowfish key");
3433 OpenSSL_add_all_ciphers();
3439 nbits = (nbits >= 128) ? nbits : 128;
3442 nbits = (nbits <= 15912) ? nbits : 15912;
3445 Int_t klen = nbits / 8 ;
3448 char *rbuf = GetRandString(0,klen);
3449 RAND_seed(rbuf,strlen(rbuf));
3452 fgRSAPubExport[1].len = klen;
3453 fgRSAPubExport[1].keys = rbuf;
3455 Info(
"GenRSAKeys",
"SSL: BF key length: %d", fgRSAPubExport[1].len);
3458 BF_set_key(&fgBFKey, klen, (
const unsigned char *)rbuf);
3467 Int_t l_n = 0, l_d = 0;
3474 Int_t nAttempts = 0;
3480 if (
gDebug > 2 && nAttempts > 1) {
3481 Info(
"GenRSAKeys",
"retry no. %d",nAttempts);
3494 Info(
"GenRSAKeys",
"equal primes: regenerate (%d times)",nPrimes);
3502 Info(
"GenRSAKeys",
"local: p1: '%s' ", buf);
3504 Info(
"GenRSAKeys",
"local: p2: '%s' ", buf);
3509 if (
gDebug > 2 && nAttempts > 1)
3510 Info(
"GenRSAKeys",
" genrsa: unable to generate keys (%d)",
3517 l_n = strlen(buf_n);
3520 l_e = strlen(buf_e);
3523 l_d = strlen(buf_d);
3527 Info(
"GenRSAKeys",
"local: n: '%s' length: %d", buf_n, l_n);
3528 Info(
"GenRSAKeys",
"local: e: '%s' length: %d", buf_e, l_e);
3529 Info(
"GenRSAKeys",
"local: d: '%s' length: %d", buf_d, l_d);
3540 char *tdum = GetRandString(0, lTes - 1);
3541 strlcpy(test, tdum, lTes+1);
3545 Info(
"GenRSAKeys",
"local: test string: '%s' ", test);
3548 strlcpy(buf, test, lTes+1);
3554 "local: length of crypted string: %d bytes", lout);
3560 Info(
"GenRSAKeys",
"local: after private/public : '%s' ", buf);
3562 if (strncmp(test, buf, lTes))
3566 strlcpy(buf, test, lTes+1);
3571 Info(
"GenRSAKeys",
"local: length of crypted string: %d bytes ",
3578 Info(
"GenRSAKeys",
"local: after public/private : '%s' ", buf);
3580 if (strncmp(test, buf, lTes))
3597 Info(
"GenRSAKeys",
"local: generated keys are:");
3598 Info(
"GenRSAKeys",
"local: n: '%s' length: %d", buf_n, l_n);
3599 Info(
"GenRSAKeys",
"local: e: '%s' length: %d", buf_e, l_e);
3600 Info(
"GenRSAKeys",
"local: d: '%s' length: %d", buf_d, l_d);
3604 if (fgRSAPubExport[0].keys) {
3605 delete [] fgRSAPubExport[0].keys;
3606 fgRSAPubExport[0].len = 0;
3608 fgRSAPubExport[0].len = l_n + l_d + 4;
3609 fgRSAPubExport[0].keys =
new char[fgRSAPubExport[0].len];
3611 fgRSAPubExport[0].keys[0] =
'#';
3612 memcpy(fgRSAPubExport[0].keys + 1, buf_n, l_n);
3613 fgRSAPubExport[0].keys[l_n + 1] =
'#';
3614 memcpy(fgRSAPubExport[0].keys + l_n + 2, buf_d, l_d);
3615 fgRSAPubExport[0].keys[l_n + l_d + 2] =
'#';
3616 fgRSAPubExport[0].keys[l_n + l_d + 3] = 0;
3619 Info(
"GenRSAKeys",
"local: export pub: '%s'", fgRSAPubExport[0].keys);
3622 Info(
"GenRSAKeys",
"local: export pub length: %d bytes", fgRSAPubExport[0].len);
3641 unsigned int iimx[4][4] = {
3642 {0x0, 0xffffff08, 0xafffffff, 0x2ffffffe},
3643 {0x0, 0x3ff0000, 0x7fffffe, 0x7fffffe},
3644 {0x0, 0x3ff0000, 0x7e, 0x7e},
3645 {0x0, 0x3ffc000, 0x7fffffe, 0x7fffffe}
3648 const char *cOpt[4] = {
"Any",
"LetNum",
"Hex",
"Crypt" };
3651 if (opt < 0 || opt > 2) {
3654 Info(
"GetRandString",
"unknown option: %d : assume 0", opt);
3657 Info(
"GetRandString",
"enter ... len: %d %s", len, cOpt[opt]);
3660 char *buf =
new char[len + 1];
3670 for (m = 7; m < 32; m += 7) {
3671 i = 0x7F & (frnd >>
m);
3674 if ((iimx[opt][j] & (1 << l))) {
3686 Info(
"GetRandString",
"got '%s' ", buf);
3698 Int_t key,
const char *str)
3704 ::Info(
"TAuthenticate::SecureSend",
"local: enter ... (enc: %d)", enc);
3706 Int_t slen = strlen(str) + 1;
3711 strlcpy(buftmp, str, slen+1);
3721 }
else if (key == 1) {
3726 ttmp = ((ttmp + 8)/8) * 8;
3727 unsigned char iv[8];
3728 memset((
void *)&iv[0],0,8);
3729 BF_cbc_encrypt((
const unsigned char *)str, (
unsigned char *)buftmp,
3730 strlen(str), &fgBFKey, iv, BF_ENCRYPT);
3733 ::Info(
"TAuthenticate::SecureSend",
"not compiled with SSL support:" 3734 " you should not have got here!");
3738 ::Info(
"TAuthenticate::SecureSend",
"unknown key type (%d)",key);
3745 nsen = sock->
SendRaw(buftmp, ttmp);
3747 ::Info(
"TAuthenticate::SecureSend",
3748 "local: sent %d bytes (expected: %d)", nsen,ttmp);
3770 if (sock->
Recv(buflen, 20, kind) < 0)
3772 Int_t len = atoi(buflen);
3774 ::Info(
"TAuthenticate::SecureRecv",
"got len '%s' %d (msg kind: %d)",
3779 if (!strncmp(buflen,
"-1", 2))
3783 if ((nrec = sock->
RecvRaw(buftmp, len)) < 0)
3794 const size_t strSize = strlen(buftmp) + 1;
3795 *str =
new char[strSize];
3796 strlcpy(*str, buftmp, strSize);
3798 }
else if (key == 1) {
3800 unsigned char iv[8];
3801 memset((
void *)&iv[0],0,8);
3802 *str =
new char[nrec + 1];
3803 BF_cbc_encrypt((
const unsigned char *)buftmp, (
unsigned char *)(*str),
3804 nrec, &fgBFKey, iv, BF_DECRYPT);
3805 (*str)[nrec] =
'\0';
3808 ::Info(
"TAuthenticate::SecureRecv",
"not compiled with SSL support:" 3809 " you should not have got here!");
3813 ::Info(
"TAuthenticate::SecureRecv",
"unknown key type (%d)",key);
3826 R__rsa_NUMBER &rsa_d,
char **rsassl)
3832 ::Info(
"TAuthenticate::DecodeRSAPublic",
3833 "enter: string length: %ld bytes", (
Long_t)strlen(rsaPubExport));
3836 Int_t klen = strlen(rsaPubExport);
3838 ::Info(
"TAuthenticate::DecodeRSAPublic",
3839 "key too long (%d): truncate to %d",klen,
kMAXPATHLEN);
3842 memcpy(str, rsaPubExport, klen);
3851 while (str[k] == 32) k++;
3853 if (str[k] ==
'#') {
3858 char *pd1 = strstr(str,
"#");
3859 char *pd2 = pd1 ? strstr(pd1 + 1,
"#") : (
char *)0;
3860 char *pd3 = pd2 ? strstr(pd2 + 1,
"#") : (
char *)0;
3861 if (pd1 && pd2 && pd3) {
3863 int l1 = (int) (pd2 - pd1 - 1);
3864 char *rsa_n_exp =
new char[l1 + 1];
3865 strlcpy(rsa_n_exp, pd1 + 1, l1+1);
3867 ::Info(
"TAuthenticate::DecodeRSAPublic",
3868 "got %ld bytes for rsa_n_exp", (
Long_t)strlen(rsa_n_exp));
3870 int l2 = (int) (pd3 - pd2 - 1);
3871 char *rsa_d_exp =
new char[l2 + 1];
3872 strlcpy(rsa_d_exp, pd2 + 1, 13);
3874 ::Info(
"TAuthenticate::DecodeRSAPublic",
3875 "got %ld bytes for rsa_d_exp", (
Long_t)strlen(rsa_d_exp));
3884 ::Info(
"TAuthenticate::DecodeRSAPublic",
"bad format for input string");
3893 BIO *bpub = BIO_new(BIO_s_mem());
3896 BIO_write(bpub,(
void *)str,strlen(str));
3899 if (!(rsatmp = PEM_read_bio_RSAPublicKey(bpub, 0, 0, 0))) {
3901 ::Info(
"TAuthenticate::DecodeRSAPublic",
3902 "unable to read pub key from bio");
3905 *rsassl = (
char *)rsatmp;
3907 ::Info(
"TAuthenticate::DecodeRSAPublic",
3908 "no space allocated for output variable");
3915 ::Info(
"TAuthenticate::DecodeRSAPublic",
"not compiled with SSL support:" 3916 " you should not have got here!");
3931 ::Info(
"TAuthenticate::SetRSAPublic",
3932 "enter: string length %ld bytes", (
Long_t)strlen(rsaPubExport));
3942 while (rsaPubExport[k0] == 32) k0++;
3951 if (rsaPubExport[k0] ==
'#' && rsaPubExport[k2] ==
'#') {
3952 char *p0 = (
char *)&rsaPubExport[k0];
3953 char *
p2 = (
char *)&rsaPubExport[k2];
3954 char *
p1 = strchr(p0+1,
'#');
3955 if (p1 > p0 && p1 < p2) {
3961 while (c < p1 && ((*c < 58 && *c > 47) || (*c < 91 && *c > 64)))
3965 while (c < p2 && ((*c < 58 && *c > 47) || (*c < 91 && *c > 64)))
3974 ::Info(
"TAuthenticate::SetRSAPublic",
" Key type: %d",rsakey);
3978 R__rsa_NUMBER rsa_n, rsa_d;
3989 BF_set_key(&fgBFKey, klen, (
const unsigned char *)rsaPubExport);
3992 ::Info(
"TAuthenticate::SetRSAPublic",
3993 "not compiled with SSL support:" 3994 " you should not have got here!");
4014 ::Info(
"TAuthenticate::SendRSAPublicKey",
4015 "received key from server %ld bytes", (
Long_t)strlen(serverPubKey));
4018 R__rsa_NUMBER rsa_n, rsa_d;
4024 RSA_free((RSA *)tmprsa);
4027 RSA *RSASSLServer = (RSA *)tmprsa;
4035 char buflen[20] = {0};
4036 Int_t slen = fgRSAPubExport[key].len;
4039 strlcpy(buftmp,fgRSAPubExport[key].keys,slen+1);
4042 }
else if (key == 1) {
4044 Int_t lcmax = RSA_size(RSASSLServer) - 11;
4049 Int_t lc = (ns > lcmax) ? lcmax : ns ;
4050 if ((ttmp = RSA_public_encrypt(lc,
4051 (
unsigned char *)&fgRSAPubExport[key].keys[kk],
4052 (
unsigned char *)&buftmp[ke],
4053 RSASSLServer,RSA_PKCS1_PADDING)) < 0) {
4056 ::Info(
"TAuthenticate::SendRSAPublicKey",
"SSL: error: '%s' ",errstr);
4066 ::Info(
"TAuthenticate::SendRSAPublicKey",
"not compiled with SSL support:" 4067 " you should not have got here!");
4072 ::Info(
"TAuthenticate::SendRSAPublicKey",
"unknown key type (%d)",key);
4075 RSA_free(RSASSLServer);
4086 ::Info(
"TAuthenticate::SendRSAPublicKey",
4087 "local: sent %d bytes (expected: %d)", nsen,ttmp);
4090 RSA_free(RSASSLServer);
4108 if (fgReadHomeAuthrc)
4111 if (authrc &&
gDebug > 2)
4112 ::Info(
"TAuthenticate::ReadRootAuthrc",
"Checking file: %s", authrc);
4114 if (authrc &&
gDebug > 1)
4115 ::Info(
"TAuthenticate::ReadRootAuthrc",
4116 "file %s cannot be read (errno: %d)", authrc, errno);
4120 ::Info(
"TAuthenticate::ReadRootAuthrc",
"Checking system file: %s", authrc);
4123 ::Info(
"TAuthenticate::ReadRootAuthrc",
4124 "file %s cannot be read (errno: %d)", authrc, errno);
4132 if (tRootAuthrc == fgRootAuthrc) {
4134 stat(tRootAuthrc, &si);
4135 if ((
UInt_t)si.st_mtime < fgLastAuthrc.Convert()) {
4137 ::Info(
"TAuthenticate::ReadRootAuthrc",
4138 "file %s already read", authrc);
4145 fgRootAuthrc = tRootAuthrc;
4154 TString filetmp =
"rootauthrc";
4157 ::Info(
"TAuthenticate::ReadRootAuthrc",
"got tmp file: %s open at 0x%lx",
4170 fd = fopen(authrc,
"r");
4173 ::Info(
"TAuthenticate::ReadRootAuthrc",
4174 "file %s cannot be open (errno: %d)", authrc, errno);
4185 while (fgets(line,
sizeof(line), fd) != 0) {
4192 if (line[strlen(line) - 1] ==
'\n')
4193 line[strlen(line) - 1] =
'\0';
4200 const size_t tmpSize = strlen(line) + 1;
4201 char *tmp =
new char[tmpSize];
4203 ::Error(
"TAuthenticate::ReadRootAuthrc",
4204 "could not allocate temporary buffer");
4207 strlcpy(tmp, line, tmpSize);
4208 char *nxt = strtok(tmp,
" ");
4210 if (!strcmp(nxt,
"proofserv") || cont) {
4220 proofserv +=
TString((
const char *)ph);
4241 if (server ==
"0" || server.
BeginsWith(
"sock"))
4243 else if (server ==
"1" || server.
BeginsWith(
"root"))
4245 else if (server ==
"2" || server.
BeginsWith(
"proof"))
4252 nxt = strtok(0,
" ");
4253 if (!strncmp(nxt,
"user",4)) {
4254 nxt = strtok(0,
" ");
4255 if (strncmp(nxt,
"list",4) && strncmp(nxt,
"method",6)) {
4257 nxt = strtok(0,
" ");
4262 TIter next(&tmpAuthInfo);
4272 tmpAuthInfo.
Add(ha);
4275 if (!strncmp(nxt,
"list",4)) {
4278 char *mth = strtok(0,
" ");
4281 if (strlen(mth) > 1) {
4283 met = GetAuthMethodIdx(mth);
4284 if (met == -1 &&
gDebug > 2)
4285 ::Info(
"TAuthenticate::ReadRootAuthrc",
4286 "unrecognized method (%s): ", mth);
4290 if (met > -1 && met <
kMAXSEC)
4292 mth = strtok(0,
" ");
4297 }
else if (!strncmp(nxt,
"method",6)) {
4300 char *mth = strtok(0,
" ");
4302 if (strlen(mth) > 1) {
4304 met = GetAuthMethodIdx(mth);
4305 if (met == -1 &&
gDebug > 2)
4306 ::Info(
"TAuthenticate::ReadRootAuthrc",
4307 "unrecognized method (%s): ", mth);
4311 if (met > -1 && met <
kMAXSEC) {
4312 const char *det = 0;
4313 nxt = strtok(0,
" ");
4315 det = (
const char *)strstr(line,nxt);
4324 if (tmp)
delete [] tmp;
4342 TList tmpproofauthinfo;
4343 if (proofserv.
Length() > 0) {
4344 char *tmps =
new char[proofserv.
Length()+1];
4345 strlcpy(tmps,proofserv.
Data(),proofserv.
Length()+1);
4346 char *nxt = strtok(tmps,
" ");
4348 TString tmp((
const char *)nxt);
4352 if ((pdd = tmp.
Index(
":")) == -1) {
4363 if ((pdd = tmp.
Index(
":")) == -1) {
4375 while (tmp.
Length() > 0) {
4377 if ((pdd = tmp.
Index(
":")) > -1)
4381 met = GetAuthMethodIdx(meth.
Data());
4382 if (met == -1 &&
gDebug > 2)
4383 ::Info(
"TAuthenticate::ReadRootAuthrc",
4384 "unrecognized method (%s): ",meth.
Data());
4385 }
else if (meth.
Length() == 1) {
4386 met = atoi(meth.
Data());
4387 if (met > -1 && met <
kMAXSEC)
4410 tmpproofauthinfo.
Add(ha);
4412 nxt = strtok(0,
" ");
4432 const char sshid[3][20] = {
"/.ssh/identity",
"/.ssh/id_dsa",
"/.ssh/id_rsa" };
4433 const char netrc[2][20] = {
"/.netrc",
"/.rootnetrc" };
4443 "not properly logged on (getpwuid unable to find relevant info)!");
4451 for (; i < 2; i++) {
4457 out.
Form(
"pt:0 ru:1 us:%s",user.
Data());
4463 out.
Form(
"pt:0 ru:1 us:%s",user.
Data());
4471 out.
Form(
"pt:0 ru:0 us:%s",user.
Data());
4480 if (lApp != 0 && lApp->
Argc() > 9) {
4481 if (
gROOT->IsProofServ()) {
4488 struct shmid_ds shm_ds;
4489 if (shmctl(ShmId, IPC_STAT, &shm_ds) == 0)
4501 Cdir.
Resize(Cdir.Last(
'/')+1);
4503 out.
Form(
"pt=0 ru:0 cd:%s cf:%s kf:%s ad:%s",
4504 Cdir.Data(),Ucer.Data(),Ukey.Data(),Adir.Data());
4514 for (; i < 3; i++) {
4520 out.
Form(
"pt:0 ru:1 us:%s",user.
Data());
4525 out.
Form(
"pt:0 ru:0 us:%s",user.
Data());
4530 if (strlen(out) > 0)
4531 ::
Info(
"CheckProofAuth",
4532 "meth: %d ... is available: details: %s", cSec, out.
Data());
4535 "meth: %d ... is NOT available", cSec);
4553 if (!strcmp(user,ctx->
GetUser()) &&
4554 strncmp(
"AFS", ctx->
GetID(), 3))
4584 while ((hanew = (
THostAuth *)nxnew())) {
4606 while ((hanew = (
THostAuth *)nxnew())) {
4624 TIter nxai(GetAuthInfo());
4637 TIter nxpa(GetProofAuthInfo());
4670 Info(
"ProofAuthSetup",
"Buffer not found: nothing to do");
4684 *mess >> user >> passwd >> pwhash >> srppwd >> rsakey;
4702 Info(
"ProofAuthSetup",
"List of THostAuth not found");
4723 fromProofAI =
kTRUE;
4734 if (!master || fromProofAI) {
4798 if (remoteOffSet > -1 && (upwd || srp))
4802 if ((
gEnv->
GetValue(
"Proofd.SendSRPPwd",0)) && (remoteOffSet > -1))
4805 if (srp && pwdctx) {
4806 if (strcmp(pwdctx->
GetPasswd(),
"") && remoteOffSet > -1)
4811 if ((upwd && pwdctx) || (srp && sndsrp)) {
4822 mess << user << passwd << pwhash << srppwd << keytyp;
4828 char *mbuf = mess.
Buffer();
4833 ::Info(
"ProofAuthSetup",
"sending %d bytes", messb64.
Length());
4836 if (remoteOffSet > -1) {
4838 ::Error(
"ProofAuthSetup",
"problems secure-sending message buffer");
4846 ::Error(
"ProofAuthSetup",
"plain: problems sending message length");
4850 ::Error(
"ProofAuthSetup",
"problems sending message buffer");
4883 Int_t retval = 0, ns = 0;
4886 Error(
"SendHostAuth",
"invalid input: socket undefined");
4901 Info(
"SendHostAuth",
"sent %d bytes (%s)",ns,buf.
Data());
4908 Info(
"SendHostAuth",
"sent %d bytes for closing",ns);
4922 Error(
"RecvHostAuth",
"invalid input: socket undefined");
4937 Error(
"RecvHostAuth",
"received: kind: %d (%d bytes)", kind, nr);
4941 Info(
"RecvHostAuth",
"received %d bytes (%s)",nr,buf);
4943 while (strcmp(buf,
"END")) {
4963 fromProofAI =
kTRUE;
4974 if (!master || fromProofAI) {
5013 Info(
"RecvHostAuth",
"Error: received: kind: %d (%d bytes)", kind, nr);
5017 Info(
"RecvHostAuth",
"received %d bytes (%s)",nr,buf);
5052 if (remoteOffSet > -1 && (upwd || srp))
5056 if ((
gEnv->
GetValue(
"Proofd.SendSRPPwd",0)) && (remoteOffSet > -1))
5059 if (srp && pwdctx) {
5060 if (strcmp(pwdctx->
GetPasswd(),
"") && remoteOffSet > -1)
5065 if ((upwd && pwdctx) || (srp && sndsrp)) {
5069 Error(
"OldAuthSetup",
"failed to send offset in RSA key");
5080 if (remoteOffSet > -1)
5081 Warning(
"OldAuthSetup",
"problems secure-sending pass hash %s",
5082 "- may result in failures");
5085 for (
int i = 0; i < passwd.
Length(); i++) {
5086 char inv = ~passwd(i);
5091 if (sock->
Send(mess) < 0) {
5092 Error(
"OldAuthSetup",
"failed to send inverted password");
5102 Error(
"OldAuthSetup",
"failed to send no offset notification in RSA key");
5109 mess << user << pwhash << srppwd << ord << conf;
5111 if (sock->
Send(mess) < 0) {
5112 Error(
"OldAuthSetup",
"failed to send ordinal and config info");
5116 if (proofdProto > 6) {
5122 Error(
"OldAuthSetup",
"failed to send HostAuth info");
5141 if (sock->
Recv(retval, kind) != 2*
sizeof(
Int_t)) {
5143 Info(
"OldProofServAuthSetup",
5144 "socket has been closed due to protocol mismatch - Exiting");
5161 if ((fKey = fopen(keyfile.
Data(),
"r"))) {
5162 Int_t klen = fread((
void *)pubkey,1,
sizeof(pubkey),fKey);
5164 Error(
"OldProofServAuthSetup",
5165 "failed to read public key from '%s'", keyfile.
Data());
5174 Error(
"OldProofServAuthSetup",
"failed to open '%s'", keyfile.
Data());
5183 Error(
"OldProofServAuthSetup",
"failed to receive password");
5189 }
else if (retval == -1) {
5193 if ((sock->
Recv(mess) <= 0) || !mess) {
5194 Error(
"OldProofServAuthSetup",
"failed to receive inverted password");
5200 for (
Int_t i = 0; i < passwd.Length(); i++) {
5201 char inv = ~passwd(i);
5202 passwd.Replace(i, 1, inv);
5210 if ((sock->
Recv(mess) <= 0) || !mess) {
5211 Error(
"OldProofServAuthSetup",
"failed to receive ordinal and config info");
5219 (*mess) >> user >> pwhash >> srppwd >> conf;
5222 (*mess) >> user >> pwhash >> srppwd >> ord >> conf;
5227 (*mess) >> user >> pwhash >> srppwd >> iord;
5231 (*mess) >> user >> pwhash >> srppwd >> ord >> conf;
5253 Error(
"OldProofServAuthSetup",
"failed to receive HostAuth info");
THostAuth * GetHostAuth() const
void SetDetails(Int_t level, const char *details)
Set authentication details for specified level.
const Int_t kAUTH_SSALT_MSK
static Bool_t GetGlobalSRPPwd()
Static method returning the global SRP password flag.
static void SetKrb5AuthHook(Krb5Auth_t func)
Set kerberos5 authorization function.
virtual Bool_t AccessPathName(const char *path, EAccessMode mode=kFileExists)
Returns FALSE if one can access a file using the specified access mode.
static void SetDefaultUser(const char *defaultuser)
Set default user name.
double read(const std::string &file_name)
reading
static Int_t GetRSAInit()
Static method returning the RSA initialization flag.
void AsString(TString &out) const
Return a static string with all info in a serialized form.
virtual int GetPid()
Get process id.
static Int_t GetClientProtocol()
Static method returning supported client protocol.
static void InitRandom()
Initialize random machine using seed from /dev/urandom (or current time if /dev/urandom not available...
static Bool_t GetAuthReUse()
Static method returning the authentication reuse settings.
static RSA_num_sput_t RSA_num_sput()
const char * GetHostAddress() const
Returns the IP address string "%d.%d.%d.%d".
static Bool_t fgUsrPwdCrypt
void PrintEstablished() const
Print info about established authentication vis-a-vis of this Host.
static void RemoveSecContext(TRootSecContext *ctx)
Tool for removing SecContext ctx from THostAuth listed in fgAuthInfo or fgProofAuthInfo.
R__EXTERN const char * gRootdErrStr[]
Int_t AuthExists(TString User, Int_t method, const char *Options, Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck)
Check if we have a valid established sec context in memory Retrieves relevant info and negotiates wit...
static Bool_t fgPromptUser
Int_t(* GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det)
virtual void Print(Option_t *option="F") const
If opt is "F" (default) print object content.
const char * GetHostName() const
virtual Int_t Send(const TMessage &mess)
Send a TMessage object.
static void SetGlobalUser(const char *user)
Set global user name to be used for authentication to rootd or proofd.
Int_t(* Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version)
TString & ReplaceAll(const TString &s1, const TString &s2)
int GetPathInfo(const char *path, Long_t *id, Long_t *size, Long_t *flags, Long_t *modtime)
Get info about a file: id, size, flags, modification time.
static int auth_rand()
rand() implementation using /udev/random or /dev/random, if available
virtual Int_t Recv(TMessage *&mess)
Receive a TMessage object.
static RSA_decode_t RSA_decode()
Int_t SshAuth(TString &user)
SSH client authentication code.
Int_t OldProofServAuthSetup(TSocket *sock, Bool_t master, Int_t protocol, TString &user, TString &ord, TString &conf)
Authentication related setup in TProofServ run after successful startup.
static void RemoveHostAuth(THostAuth *ha, Option_t *opt="")
Remove THostAuth instance from the list.
This class represents an Internet Protocol (IP) address.
virtual const char * HomeDirectory(const char *userName=0)
Return the user's home directory.
static TString Decode(const char *data)
Decode a base64 string date into a generic TString.
Regular expression class.
const char * GetSshUser(TString user) const
Method returning the user to be used for the ssh login.
This class implements a mutex interface.
static GlobusAuth_t GetGlobusAuthHook()
Static method returning the globus authorization hook.
Ssiz_t Index(const char *pat, Ssiz_t i=0, ECaseCompare cmp=kExact) const
virtual UserGroup_t * GetGroupInfo(Int_t gid)
Returns all group info in the UserGroup_t structure.
virtual int Load(const char *module, const char *entry="", Bool_t system=kFALSE)
Load a shared library.
const char * GetDetails(Int_t level)
Return authentication details for specified level or "" if the specified level does not exist for thi...
Int_t StdCheckSecCtx(const char *, TRootSecContext *)
Standard version of CheckSecCtx to be passed to TAuthenticate::AuthExists Check if User is matches th...
static TList * fgProofAuthInfo
virtual char * Which(const char *search, const char *file, EAccessMode mode=kFileExists)
Find location of file in a search path.
static char * GetDefaultDetails(Int_t method, Int_t opt, const char *user)
Determine default authentication details for method 'sec' and user 'usr'.
static RSA_num_sget_t RSA_num_sget()
static const char * GetKrb5Principal()
Static method returning the principal to be used to init Krb5 tickets.
Bool_t HasMethod(Int_t level, Int_t *pos=0)
Return kTRUE if method 'level' is in the list.
Bool_t Authenticate()
Authenticate to remote rootd or proofd server.
static SecureAuth_t fgSecAuthHook
const Int_t kAUTH_RSATY_MSK
const char * GetUser() const
static void SetReadHomeAuthrc(Bool_t readhomeauthrc)
Set flag controlling the reading of $HOME/.rootauthrc.
Int_t ClearAuth(TString &user, TString &passwd, Bool_t &pwhash)
UsrPwd client authentication code.
Bool_t R_ISREG(Int_t mode)
TString & Replace(Ssiz_t pos, Ssiz_t n, const char *s)
void Print(Option_t *option="F") const
If opt is "F" (default) print object content.
virtual TObject * ReadObject(const TClass *cl)
Read object from I/O buffer.
static TPluginHandler * fgPasswdDialog
static TString Encode(const char *data)
Transform data into a null terminated base64 string.
virtual Int_t SendRaw(const void *buffer, Int_t length, ESendRecvOptions opt=kDefault)
Send a raw buffer of specified length.
Bool_t IsActive() const
Check remote OffSet and expiring Date.
static Int_t ReadRootAuthrc()
Read authentication directives from $ROOTAUTHRC, $HOME/.rootauthrc or <Root_etc_dir>/system.rootauthrc and create related THostAuth objects.
static TList * fgAuthInfo
static void SetPromptUser(Bool_t promptuser)
Set global PromptUser flag.
virtual int Unlink(const char *name)
Unlink, i.e. remove, a file.
static char * PromptPasswd(const char *prompt="Password: ")
Static method to prompt for the user's passwd to be used for authentication to rootd or proofd...
static GlobusAuth_t fgGlobusAuthHook
static RSA_assign_t RSA_assign()
static TString Format(const char *fmt,...)
Static method which formats a string using a printf style format descriptor and return a TString...
virtual FILE * TempFileName(TString &base, const char *dir=0)
Create a secure temporary file by appending a unique 6 letter string to base.
virtual void Sleep(UInt_t milliSec)
Sleep milliSec milli seconds.
static double p2(double t, double a, double b, double c)
TList * Established() const
virtual const char * Getenv(const char *env)
Get environment variable.
void Info(const char *location, const char *msgfmt,...)
TString & Append(const char *cs)
Bool_t EndsWith(const char *pat, ECaseCompare cmp=kExact) const
Return true if string ends with the specified string.
std::vector< std::vector< double > > Data
Int_t ProofAuthSetup()
Authentication related stuff setup in TProofServ.
Int_t RfioAuth(TString &user)
UidGid client authentication code.
virtual UserGroup_t * GetUserInfo(Int_t uid)
Returns all user info in the UserGroup_t structure.
static RSA_genprim_t RSA_genprim()
static void SetTimeOut(Int_t to)
Set timeout (active if > 0)
static void SetGlobalSRPPwd(Bool_t srppwd)
Set global SRP passwd flag to be used for authentication to rootd or proofd.
const char * GetPasswd() const
static Bool_t GetPromptUser()
Static method returning the prompt user settings.
Int_t GetRemoteProtocol() const
virtual TInetAddress GetHostByName(const char *server)
Get Internet Protocol (IP) address of host.
void Error(const char *location, const char *msgfmt,...)
TAuthenticate(TSocket *sock, const char *remote, const char *proto, const char *user="")
Create authentication object.
Int_t(* CheckSecCtx_t)(const char *subj, TRootSecContext *ctx)
const Int_t kAUTH_REUSE_MSK
const char * GetUser() const
static Int_t SecureSend(TSocket *Socket, Int_t enc, Int_t KeyType, const char *In)
Encode null terminated str using the session private key indicated by enc and sends it over the netwo...
static R__rsa_KEY_export * fgRSAPubExport
Int_t SshError(const char *errfile)
SSH error parsing: returns 0 : no error or fatal 1 : should retry (eg 'connection closed by remote ho...
TVirtualMutex * gAuthenticateMutex
static void AuthError(const char *where, Int_t error)
Print error string depending on error code.
static RSA_cmp_t RSA_cmp()
static Krb5Auth_t fgKrb5AuthHook
R__EXTERN TSystem * gSystem
Bool_t IsA(const char *methodname)
Checks if this security context is for method named 'methname' Case sensitive.
void inv(rsa_NUMBER *, rsa_NUMBER *, rsa_NUMBER *)
static void SetRSAInit(Int_t init=1)
Static method setting RSA initialization flag.
static R__rsa_KEY fgRSAPubKey
virtual Int_t GetValue(const char *name, Int_t dflt)
Returns the integer value for a resource.
virtual TObject * Remove(TObject *obj)
Remove object from the list.
static TDatime GetGlobalExpDate()
Static method returning default expiring date for new validity contexts.
Bool_t BeginsWith(const char *s, ECaseCompare cmp=kExact) const
Int_t(* SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd, const char *remote, TString &det, Int_t version)
static void SetSecureAuthHook(SecureAuth_t func)
Set secure authorization function.
static R__rsa_KEY fgRSAPriKey
Int_t GenRSAKeys()
Generate a valid pair of private/public RSA keys to protect for authentication token exchange...
void Form(const char *fmt,...)
Formats a string using a printf style format descriptor.
char * Form(const char *fmt,...)
static char * PromptUser(const char *remote)
Static method to prompt for the user name to be used for authentication to rootd or proofd...
static TList * GetProofAuthInfo()
Static method returning the list with authentication directives to be sent to proof.
static Int_t SetRSAPublic(const char *rsapubexport, Int_t klen)
Store RSA public keys from export string rsaPubExport.
Handles synchronous and a-synchronous timer events.
static Bool_t CheckProofAuth(Int_t cSec, TString &det)
Check if the authentication method can be attempted for the client.
virtual Int_t Exec(const char *shellcmd)
Execute a command.
void AddMethod(Int_t level, const char *details=0)
Add method to the list.
static double p1(double t, double a, double b)
void Warning(const char *location, const char *msgfmt,...)
static const char * GetDefaultUser()
Static method returning the default user information.
static TDatime fgLastAuthrc
static void Show(Option_t *opt="S")
Print info about the authentication sector.
char * StrDup(const char *str)
Duplicate the string str.
#define R__LOCKGUARD2(mutex)
static TList * GetAuthInfo()
Static method returning the list with authentication details.
TString & Remove(Ssiz_t pos)
const char * GetID() const
static void SetAuthReUse(Bool_t authreuse)
Set global AuthReUse flag.
void * GetContext() const
virtual Int_t GetEffectiveUid()
Returns the effective user id.
static TString fgKrb5Principal
void CatchTimeOut()
Called in connection with a timer timeout.
Int_t OldSlaveAuthSetup(TSocket *sock, Bool_t master, TString ord, TString conf)
Setup of authetication in PROOF run after successful opening of the socket.
virtual const char * HostName()
Return the system's host name.
Ssiz_t Index(const TString &str, Ssiz_t *len, Ssiz_t start=0) const
Find the first occurrence of the regexp in string and return the position, or -1 if there is no match...
char * DynamicPathName(const char *lib, Bool_t quiet=kFALSE)
Find a dynamic library called lib using the system search paths.
Bool_t GetUserPasswd(TString &user, TString &passwd, Bool_t &pwhash, Bool_t srppwd)
Try to get user name and passwd from several sources.
const char * GetHost() const
void SetEnvironment()
Set default authentication environment.
static void FileExpand(const char *fin, FILE *ftmp)
Expands include directives found in fexp files The expanded, temporary file, is pointed to by 'ftmp' ...
static const TString & GetEtcDir()
Get the sysconfig directory in the installation. Static utility function.
static Int_t SecureRecv(TSocket *Socket, Int_t dec, Int_t KeyType, char **Out)
Receive str from sock and decode it using key indicated by key type Return number of received bytes o...
double func(double *x, double *p)
Bool_t Contains(const char *pat, ECaseCompare cmp=kExact) const
Int_t GetMethod(Int_t idx) const
#define SSL_load_error_strings
static Int_t SendHostAuth(TSocket *s)
Sends the list of the relevant THostAuth objects to the master or to the active slaves, typically data servers external to the proof cluster.
void ReOrder(Int_t nmet, Int_t *fmet)
Reorder nmet methods according fmet[nmet].
virtual void DispatchOneEvent(Bool_t pendingOnly=kFALSE)
Dispatch a single event.
static Bool_t CheckHost(const char *Host, const char *host)
Check if 'host' matches 'href': this means either equal or "containing" it, even with wild cards * in...
static void SetGlobalExpDate(TDatime expdate)
Set default expiring date for new validity contexts.
static TString fgDefaultUser
static void SetGlobusAuthHook(GlobusAuth_t func)
Set Globus authorization function.
static void SetGlobalPwHash(Bool_t pwhash)
Set global passwd hash flag to be used for authentication to rootd or proofd.
static void MergeHostAuthList(TList *Std, TList *New, Option_t *Opt="")
Tool for updating fgAuthInfo or fgProofAuthInfo 'nin' contains list of last input information through...
static const char * GetRSAPubExport(Int_t key=0)
Static method returning the RSA public keys.
static TString fgRootAuthrc
Bool_t R_ISDIR(Int_t mode)
TSecContext * GetSecContext() const
static const char * GetGlobalUser()
Static method returning the global user.
virtual void Add(TObject *obj)
virtual Int_t GetEffectiveGid()
Returns the effective group id.
static TString fgAuthMeth[kMAXSEC]
void WriteObject(const TObject *obj)
Write object to message buffer.
void Update(THostAuth *ha)
Update info with the one in ha Remaining methods, if any, get lower priority.
Int_t Atoi() const
Return integer value of string.
static RSA_encode_t RSA_encode()
static Bool_t fgReadHomeAuthrc
static Int_t GetClientProtocol()
Static method returning supported client protocol.
Bool_t IsDigit() const
Returns true if all characters in string are digits (0-9) or white spaces, i.e.
Bool_t CheckNetrc(TString &user, TString &passwd)
Try to get user name and passwd from the ~/.rootnetrc or ~/.netrc files.
char * GetRandString(Int_t Opt, Int_t Len)
Allocates and fills a 0 terminated buffer of length len+1 with len random characters.
This class creates the ROOT Application Environment that interfaces to the windowing system eventloop...
static RSA_genrsa_t RSA_genrsa()
static void SetDefaultRSAKeyType(Int_t key)
Static method setting the default type of RSA key.
static Bool_t GetGlobalPwHash()
Static method returning the global password hash flag.
R__rsa_KEY_export R__fgRSAPubExport[2]
virtual Int_t GetSize() const
static Bool_t fgAuthReUse
virtual Int_t RecvRaw(void *buffer, Int_t length, ESendRecvOptions opt=kDefault)
Receive a raw buffer of specified length bytes.
virtual void Print(Option_t *option="") const
Print object content.
const Int_t kAUTH_CRYPT_MSK
virtual char * ConcatFileName(const char *dir, const char *name)
Concatenate a directory and a file name. User must delete returned string.
static Int_t GetAuthMethodIdx(const char *meth)
Static method returning the method index (which can be used to find the method in GetAuthMethod())...
static THostAuth * HasHostAuth(const char *host, const char *user, Option_t *opt="R")
Checks if a THostAuth with exact match for {host,user} exists in the fgAuthInfo list If opt = "P" use...
static void SetGlobalPasswd(const char *passwd)
Set global passwd to be used for authentication to rootd or proofd.
static Int_t DecodeRSAPublic(const char *rsapubexport, R__rsa_NUMBER &n, R__rsa_NUMBER &d, char **rsassl=0)
Store RSA public keys from export string rsaPubExport.
void Resize(Ssiz_t n)
Resize the string. Truncate or add blanks as necessary.
static Int_t SendRSAPublicKey(TSocket *Socket, Int_t key=0)
Receives server RSA Public key Sends local RSA public key encoded.
This class stores the date and time with a precision of one second in an unsigned 32 bit word (950130...
static Int_t RecvHostAuth(TSocket *s, Option_t *opt)
Receive from client/master directives for authentications, create related THostAuth and add them to t...
const char * Data() const
static const char * GetAuthMethod(Int_t idx)
Static method returning the method corresponding to idx.