class TAuthenticate: public TObject
TAuthenticate An authentication module for ROOT based network services, like rootd and proofd.
Function Members (Methods)
public:
| TAuthenticate(const TAuthenticate&) | |
| TAuthenticate(TSocket* sock, const char* remote, const char* proto, const char* user = "") | |
| virtual | ~TAuthenticate() |
| void | TObject::AbstractMethod(const char* method) const |
| virtual void | TObject::AppendPad(Option_t* option = "") |
| Bool_t | Authenticate() |
| static void | AuthError(const char* where, Int_t error) |
| Int_t | AuthExists(TString User, Int_t method, const char* Options, Int_t* Message, Int_t* Rflag, CheckSecCtx_t funcheck) |
| virtual void | TObject::Browse(TBrowser* b) |
| void | CatchTimeOut() |
| Bool_t | CheckNetrc(TString& user, TString& passwd) |
| Bool_t | CheckNetrc(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd) |
| static Bool_t | CheckProofAuth(Int_t cSec, TString& det) |
| static TClass* | Class() |
| virtual const char* | TObject::ClassName() const |
| virtual void | TObject::Clear(Option_t* = "") |
| virtual TObject* | TObject::Clone(const char* newname = "") const |
| virtual Int_t | TObject::Compare(const TObject* obj) const |
| virtual void | TObject::Copy(TObject& object) const |
| static Int_t | DecodeRSAPublic(const char* rsapubexport, rsa_NUMBER& n, rsa_NUMBER& d, char** rsassl = 0) |
| virtual void | TObject::Delete(Option_t* option = "")MENU |
| virtual Int_t | TObject::DistancetoPrimitive(Int_t px, Int_t py) |
| virtual void | TObject::Draw(Option_t* option = "") |
| virtual void | TObject::DrawClass() constMENU |
| virtual TObject* | TObject::DrawClone(Option_t* option = "") constMENU |
| virtual void | TObject::Dump() constMENU |
| virtual void | TObject::Error(const char* method, const char* msgfmt) const |
| virtual void | TObject::Execute(const char* method, const char* params, Int_t* error = 0) |
| virtual void | TObject::Execute(TMethod* method, TObjArray* params, Int_t* error = 0) |
| virtual void | TObject::ExecuteEvent(Int_t event, Int_t px, Int_t py) |
| virtual void | TObject::Fatal(const char* method, const char* msgfmt) const |
| virtual TObject* | TObject::FindObject(const char* name) const |
| virtual TObject* | TObject::FindObject(const TObject* obj) const |
| static TList* | GetAuthInfo() |
| static const char* | GetAuthMethod(Int_t idx) |
| static Int_t | GetAuthMethodIdx(const char* meth) |
| static Bool_t | GetAuthReUse() |
| static Int_t | GetClientProtocol() |
| static char* | GetDefaultDetails(Int_t method, Int_t opt, const char* user) |
| static const char* | GetDefaultUser() |
| virtual Option_t* | TObject::GetDrawOption() const |
| static Long_t | TObject::GetDtorOnly() |
| static TDatime | GetGlobalExpDate() |
| static Bool_t | GetGlobalPwHash() |
| static Bool_t | GetGlobalSRPPwd() |
| static const char* | GetGlobalUser() |
| static GlobusAuth_t | GetGlobusAuthHook() |
| THostAuth* | GetHostAuth() const |
| static THostAuth* | GetHostAuth(const char* host, const char* user = "", Option_t* opt = "R", Int_t* Exact = 0) |
| virtual const char* | TObject::GetIconName() const |
| static const char* | GetKrb5Principal() |
| virtual const char* | TObject::GetName() const |
| virtual char* | TObject::GetObjectInfo(Int_t px, Int_t py) const |
| static Bool_t | TObject::GetObjectStat() |
| virtual Option_t* | TObject::GetOption() const |
| static Bool_t | GetPromptUser() |
| static TList* | GetProofAuthInfo() |
| const char* | GetProtocol() const |
| const char* | GetRemoteHost() const |
| static Int_t | GetRSAInit() |
| Int_t | GetRSAKeyType() const |
| static const char* | GetRSAPubExport(Int_t key = 0) |
| TRootSecContext* | GetSecContext() const |
| TSocket* | GetSocket() const |
| virtual const char* | TObject::GetTitle() const |
| virtual UInt_t | TObject::GetUniqueID() const |
| const char* | GetUser() const |
| virtual Bool_t | TObject::HandleTimer(TTimer* timer) |
| virtual ULong_t | TObject::Hash() const |
| static THostAuth* | HasHostAuth(const char* host, const char* user, Option_t* opt = "R") |
| Int_t | HasTimedOut() const |
| virtual void | TObject::Info(const char* method, const char* msgfmt) const |
| virtual Bool_t | TObject::InheritsFrom(const char* classname) const |
| virtual Bool_t | TObject::InheritsFrom(const TClass* cl) const |
| static void | InitRandom() |
| virtual void | TObject::Inspect() constMENU |
| void | TObject::InvertBit(UInt_t f) |
| virtual TClass* | IsA() const |
| virtual Bool_t | TObject::IsEqual(const TObject* obj) const |
| virtual Bool_t | TObject::IsFolder() const |
| Bool_t | TObject::IsOnHeap() const |
| virtual Bool_t | TObject::IsSortable() const |
| Bool_t | TObject::IsZombie() const |
| virtual void | TObject::ls(Option_t* option = "") const |
| void | TObject::MayNotUse(const char* method) const |
| static void | MergeHostAuthList(TList* Std, TList* New, Option_t* Opt = "") |
| virtual Bool_t | TObject::Notify() |
| void | TObject::Obsolete(const char* method, const char* asOfVers, const char* removedFromVers) const |
| static void | TObject::operator delete(void* ptr) |
| static void | TObject::operator delete(void* ptr, void* vp) |
| static void | TObject::operator delete[](void* ptr) |
| static void | TObject::operator delete[](void* ptr, void* vp) |
| void* | TObject::operator new(size_t sz) |
| void* | TObject::operator new(size_t sz, void* vp) |
| void* | TObject::operator new[](size_t sz) |
| void* | TObject::operator new[](size_t sz, void* vp) |
| TAuthenticate& | operator=(const TAuthenticate&) |
| virtual void | TObject::Paint(Option_t* option = "") |
| virtual void | TObject::Pop() |
| virtual void | TObject::Print(Option_t* option = "") const |
| static char* | PromptPasswd(const char* prompt = "Password: ") |
| static char* | PromptUser(const char* remote) |
| virtual Int_t | TObject::Read(const char* name) |
| static Int_t | ReadRootAuthrc() |
| virtual void | TObject::RecursiveRemove(TObject* obj) |
| static void | RemoveHostAuth(THostAuth* ha, Option_t* opt = "") |
| void | TObject::ResetBit(UInt_t f) |
| virtual void | TObject::SaveAs(const char* filename = "", Option_t* option = "") constMENU |
| virtual void | TObject::SavePrimitive(ostream& out, Option_t* option = "") |
| static Int_t | SecureRecv(TSocket* Socket, Int_t dec, Int_t KeyType, char** Out) |
| static Int_t | SecureSend(TSocket* Socket, Int_t enc, Int_t KeyType, const char* In) |
| static Int_t | SendRSAPublicKey(TSocket* Socket, Int_t key = 0) |
| static void | SetAuthReUse(Bool_t authreuse) |
| void | TObject::SetBit(UInt_t f) |
| void | TObject::SetBit(UInt_t f, Bool_t set) |
| static void | SetDefaultRSAKeyType(Int_t key) |
| static void | SetDefaultUser(const char* defaultuser) |
| virtual void | TObject::SetDrawOption(Option_t* option = "")MENU |
| static void | TObject::SetDtorOnly(void* obj) |
| static void | SetGlobalExpDate(TDatime expdate) |
| static void | SetGlobalPasswd(const char* passwd) |
| static void | SetGlobalPwHash(Bool_t pwhash) |
| static void | SetGlobalSRPPwd(Bool_t srppwd) |
| static void | SetGlobalUser(const char* user) |
| static void | SetGlobusAuthHook(GlobusAuth_t func) |
| static void | SetKrb5AuthHook(Krb5Auth_t func) |
| static void | TObject::SetObjectStat(Bool_t stat) |
| static void | SetPromptUser(Bool_t promptuser) |
| static void | SetReadHomeAuthrc(Bool_t readhomeauthrc) |
| static void | SetRSAInit(Int_t init = 1) |
| void | SetRSAKeyType(Int_t key) |
| static Int_t | SetRSAPublic(const char* rsapubexport, Int_t klen) |
| void | SetSecContext(TRootSecContext* ctx) |
| static void | SetSecureAuthHook(SecureAuth_t func) |
| static void | SetTimeOut(Int_t to) |
| virtual void | TObject::SetUniqueID(UInt_t uid) |
| static void | Show(Option_t* opt = "S") |
| virtual void | ShowMembers(TMemberInspector&) |
| virtual void | Streamer(TBuffer&) |
| void | StreamerNVirtual(TBuffer& ClassDef_StreamerNVirtual_b) |
| virtual void | TObject::SysError(const char* method, const char* msgfmt) const |
| Bool_t | TObject::TestBit(UInt_t f) const |
| Int_t | TObject::TestBits(UInt_t f) const |
| virtual void | TObject::UseCurrentStyle() |
| virtual void | TObject::Warning(const char* method, const char* msgfmt) const |
| virtual Int_t | TObject::Write(const char* name = 0, Int_t option = 0, Int_t bufsize = 0) |
| virtual Int_t | TObject::Write(const char* name = 0, Int_t option = 0, Int_t bufsize = 0) const |
protected:
| virtual void | TObject::DoError(int level, const char* location, const char* fmt, va_list va) const |
| void | TObject::MakeZombie() |
private:
| static Bool_t | CheckHost(const char* Host, const char* host) |
| Int_t | ClearAuth(TString& user, TString& passwd, Bool_t& pwhash) |
| static void | FileExpand(const char* fin, FILE* ftmp) |
| Int_t | GenRSAKeys() |
| Bool_t | GetPwHash() const |
| char* | GetRandString(Int_t Opt, Int_t Len) |
| Int_t | GetRSAKey() const |
| TAuthenticate::ESecurity | GetSecurity() const |
| Bool_t | GetSRPPwd() const |
| const char* | GetSshUser(TString user) const |
| Bool_t | GetUserPasswd(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd) |
| Int_t | GetVersion() const |
| Int_t | ProofAuthSetup() |
| static Int_t | ProofAuthSetup(TSocket* sock, Bool_t client) |
| static void | RemoveSecContext(TRootSecContext* ctx) |
| Int_t | RfioAuth(TString& user) |
| void | SetEnvironment() |
| Int_t | SshAuth(TString& user) |
| Int_t | SshError(const char* errfile) |
Data Members
public:
| enum ESecurity { | kClear | |
| kSRP | ||
| kKrb5 | ||
| kGlobus | ||
| kSSH | ||
| kRfio | ||
| }; | ||
| enum TObject::EStatusBits { | kCanDelete | |
| kMustCleanup | ||
| kObjInCanvas | ||
| kIsReferenced | ||
| kHasUUID | ||
| kCannotPick | ||
| kNoContextMenu | ||
| kInvalidObject | ||
| }; | ||
| enum TObject::[unnamed] { | kIsOnHeap | |
| kNotDeleted | ||
| kZombie | ||
| kBitMask | ||
| kSingleKey | ||
| kOverwrite | ||
| kWriteDelete | ||
| }; |
private:
| TString | fDetails | logon details (method dependent ...) |
| THostAuth* | fHostAuth | pointer to relevant authentication info |
| TString | fPasswd | user's password |
| TString | fProtocol | remote service (rootd, proofd) |
| Bool_t | fPwHash | kTRUE if fPasswd is a passwd hash |
| Int_t | fRSAKey | Type of RSA key used |
| TString | fRemote | remote host to which we want to connect |
| Bool_t | fSRPPwd | kTRUE if fPasswd is a SRP passwd |
| TRootSecContext* | fSecContext | pointer to relevant sec context |
| TAuthenticate::ESecurity | fSecurity | actual logon security level |
| TSocket* | fSocket | connection to remote daemon |
| Int_t | fTimeOut | timeout flag |
| TString | fUser | user to be authenticated |
| Int_t | fVersion | 0,1,2, ... accordingly to remote daemon version |
| static TList* | fgAuthInfo | |
| static TString | fgAuthMeth[6] | |
| static Bool_t | fgAuthReUse | kTRUE is ReUse required |
| static Int_t | fgAuthTO | if > 0, timeout in sec |
| static TString | fgDefaultUser | Default user information |
| static TDatime | fgExpDate | Expiring date for new security contexts |
| static GlobusAuth_t | fgGlobusAuthHook | |
| static Krb5Auth_t | fgKrb5AuthHook | |
| static TString | fgKrb5Principal | Principal for Krb5 ticket |
| static TDatime | fgLastAuthrc | Time of last reading of fgRootAuthrc |
| static Int_t | fgLastError | Last error code processed by AuthError() |
| static TString | fgPasswd | |
| static TPluginHandler* | fgPasswdDialog | Passwd dialog GUI plugin |
| static Int_t | fgProcessID | ID of the main thread as unique identifier |
| static Bool_t | fgPromptUser | kTRUE if user prompt required |
| static TList* | fgProofAuthInfo | Specific lists of THostAuth fro proof |
| static Bool_t | fgPwHash | kTRUE if fgPasswd is a passwd hash |
| static Int_t | fgRSAInit | |
| static Int_t | fgRSAKey | Default type of RSA key to be tried |
| static rsa_KEY | fgRSAPriKey | |
| static rsa_KEY_export | fgRSAPubExport[2] | |
| static rsa_KEY | fgRSAPubKey | |
| static Bool_t | fgReadHomeAuthrc | kTRUE to look for $HOME/.rootauthrc |
| static TString | fgRootAuthrc | Path to last rootauthrc-like file read |
| static Bool_t | fgSRPPwd | kTRUE if fgPasswd is a SRP passwd |
| static SecureAuth_t | fgSecAuthHook | |
| static TString | fgUser | |
| static Bool_t | fgUsrPwdCrypt | kTRUE if encryption for UsrPwd is required |
Class Charts
Function documentation
TAuthenticate(TSocket* sock, const char* remote, const char* proto, const char* user = "")
Create authentication object.
Bool_t Authenticate()
Authenticate to remote rootd or proofd server. Return kTRUE if authentication succeeded.
void SetEnvironment()
Bool_t GetUserPasswd(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd)
Try to get user name and passwd from several sources.
Bool_t CheckNetrc(TString& user, TString& passwd)
Try to get user name and passwd from the ~/.rootnetrc or ~/.netrc files. For more info see the version with 4 arguments. This version is maintained for backward compatability reasons.
Bool_t CheckNetrc(TString& user, TString& passwd, Bool_t& pwhash, Bool_t srppwd)
Try to get user name and passwd from the ~/.rootnetrc or ~/.netrc files. First ~/.rootnetrc is tried, after that ~/.netrc. These files will only be used when their access masks are 0600. Returns kTRUE if user and passwd were found for the machine specified in the URL. If kFALSE, user and passwd are "". If srppwd == kTRUE then a SRP ('secure') pwd is searched for in the files. The boolean pwhash is set to kTRUE if the returned passwd is to be understood as password hash, i.e. if the 'password-hash' keyword is found in the 'machine' lines; not implemented for 'secure' and the .netrc file. The format of these files are: # this is a comment line machine <machine fqdn> login <user> password <passwd> machine <machine fqdn> login <user> password-hash <passwd> and in addition ~/.rootnetrc also supports: secure <machine fqdn> login <user> password <passwd> <machine fqdn> may be a domain name or contain the wild card '*'. for the secure protocols. All lines must start in the first column.
const char * GetKrb5Principal()
Static method returning the principal to be used to init Krb5 tickets.
Int_t GetAuthMethodIdx(const char* meth)
Static method returning the method index (which can be used to find the method in GetAuthMethod()). Returns -1 in case meth is not found.
char * PromptUser(const char* remote)
Static method to prompt for the user name to be used for authentication to rootd or proofd. User is asked to type user name. Returns user name (which must be deleted by caller) or 0. If non-interactive run (eg ProofServ) returns default user.
char * PromptPasswd(const char* prompt = "Password: ")
Static method to prompt for the user's passwd to be used for authentication to rootd or proofd. Uses non-echoing command line to get passwd. Returns passwd (which must de deleted by caller) or 0. If non-interactive run (eg ProofServ) returns -1
TList * GetProofAuthInfo()
Static method returning the list with authentication directives to be sent to proof.
void SetGlobalUser(const char* user)
Set global user name to be used for authentication to rootd or proofd.
void SetGlobalPasswd(const char* passwd)
Set global passwd to be used for authentication to rootd or proofd.
void SetGlobalPwHash(Bool_t pwhash)
Set global passwd hash flag to be used for authentication to rootd or proofd.
void SetGlobalSRPPwd(Bool_t srppwd)
Set global SRP passwd flag to be used for authentication to rootd or proofd.
void SetReadHomeAuthrc(Bool_t readhomeauthrc)
void SetSecureAuthHook(SecureAuth_t func)
Set secure authorization function. Automatically called when libSRPAuth is loaded.
void SetKrb5AuthHook(Krb5Auth_t func)
Set kerberos5 authorization function. Automatically called when libKrb5Auth is loaded.
void SetGlobusAuthHook(GlobusAuth_t func)
Set Globus authorization function. Automatically called when libGlobusAuth is loaded.
Int_t SshError(const char* errfile)
SSH error parsing: returns
0 : no error or fatal
1 : should retry (eg 'connection closed by remote host')
const char * GetSshUser(TString user) const
Method returning the user to be used for the ssh login. Looks first at SSH.Login and finally at env USER. If SSH.LoginPrompt is set to 'yes' it prompts for the 'login name'
Bool_t CheckHost(const char* Host, const char* host)
Check if 'host' matches 'href': this means either equal or "containing" it, even with wild cards * in the first field (in the case 'href' is a name, ie not IP address) Returns kTRUE if the two matches.
Int_t RfioAuth(TString& user)
UidGid client authentication code.
Returns 0 in case authentication failed
1 in case of success
<0 in case of system error
Int_t ClearAuth(TString& user, TString& passwd, Bool_t& pwhash)
UsrPwd client authentication code.
Returns 0 in case authentication failed
1 in case of success
THostAuth * GetHostAuth(const char* host, const char* user = "", Option_t* opt = "R", Int_t* Exact = 0)
Sets fUser=user and search fgAuthInfo for the entry pertaining to (host,user), setting fHostAuth accordingly. If opt = "P" use fgProofAuthInfo list instead If no entry is found fHostAuth is not changed
THostAuth * HasHostAuth(const char* host, const char* user, Option_t* opt = "R")
Checks if a THostAuth with exact match for {host,user} exists in the fgAuthInfo list If opt = "P" use ProofAuthInfo list instead Returns pointer to it or 0
void FileExpand(const char* fin, FILE* ftmp)
Expands include directives found in fexp files The expanded, temporary file, is pointed to by 'ftmp' and should be already open. To be called recursively.
char * GetDefaultDetails(Int_t method, Int_t opt, const char* user)
Determine default authentication details for method 'sec' and user 'usr'. Checks .rootrc family files. Returned string must be deleted by the user.
void Show(Option_t* opt = "S")
Print info about the authentication sector. If 'opt' contains 's' or 'S' prints information about established TSecContext, else prints information about THostAuth (if 'opt' is 'p' or 'P', prints Proof related information)
Int_t AuthExists(TString User, Int_t method, const char* Options, Int_t* Message, Int_t* Rflag, CheckSecCtx_t funcheck)
Check if we have a valid established sec context in memory
Retrieves relevant info and negotiates with server.
options = "Opt,strlen(username),username.Data()"
message = kROOTD_USER, ...
void InitRandom()
Initialize random machine using seed from /dev/urandom (or current time if /dev/urandom not available).
Int_t GenRSAKeys()
Generate a valid pair of private/public RSA keys to protect for authentication token exchange
char * GetRandString(Int_t Opt, Int_t Len)
Allocates and fills a 0 terminated buffer of length len+1 with len random characters. Returns pointer to the buffer (to be deleted by the caller) opt = 0 any non dangerous char 1 letters and numbers (upper and lower case) 2 hex characters (upper and lower case)
Int_t SecureSend(TSocket* Socket, Int_t enc, Int_t KeyType, const char* In)
Encode null terminated str using the session private key indicated by enc and sends it over the network Returns number of bytes sent, or -1 in case of error. enc = 1 for private encoding, enc = 2 for public encoding
Int_t SecureRecv(TSocket* Socket, Int_t dec, Int_t KeyType, char** Out)
Receive str from sock and decode it using key indicated by key type Return number of received bytes or -1 in case of error. dec = 1 for private decoding, dec = 2 for public decoding
Int_t DecodeRSAPublic(const char* rsapubexport, rsa_NUMBER& n, rsa_NUMBER& d, char** rsassl = 0)
Store RSA public keys from export string rsaPubExport.
Int_t SetRSAPublic(const char* rsapubexport, Int_t klen)
Store RSA public keys from export string rsaPubExport. Returns type of stored key, or -1 is not recognized
Int_t SendRSAPublicKey(TSocket* Socket, Int_t key = 0)
Receives server RSA Public key Sends local RSA public key encoded
Bool_t CheckProofAuth(Int_t cSec, TString& det)
Check if the authentication method can be attempted for the client.
void MergeHostAuthList(TList* Std, TList* New, Option_t* Opt = "")
Tool for updating fgAuthInfo or fgProofAuthInfo 'nin' contains list of last input information through (re)reading of a rootauthrc-alike file. 'nin' info has priority. 'std' is cleaned from inactive members. 'nin' members used to update existing members in 'std' are removed from 'nin', do that they do not leak opt = "P" for proofauthinfo.
void RemoveSecContext(TRootSecContext* ctx)
Tool for removing SecContext ctx from THostAuth listed in fgAuthInfo or fgProofAuthInfo
Int_t ProofAuthSetup()
Authentication related stuff setup in TProofServ. This is the place where the buffer send by the client / master is decoded. It contains also password information, if the case requires. Return 0 on success, -1 on failure.
Int_t ProofAuthSetup(TSocket* sock, Bool_t client)
Setup of authetication related stuff in PROOF run after a successful authentication. Return 0 on success, -1 on failure.