From 61846a45ccfd29e7be13845a3a853c6dc6ca7c52 Mon Sep 17 00:00:00 2001
From: Jakob Blomer
Date: Thu, 21 May 2026 22:38:57 +0200
Subject: [PATCH 1/4] remove unused .rootdaemonrc
---
 CMakeLists.txt | 1 -
 cmake/modules/RootConfiguration.cmake | 2 -
 config/rootdaemonrc.in | 70 -----------
 man/man1/system.rootdaemonrc.1 | 171 --------------------------
 4 files changed, 244 deletions(-)
 delete mode 100644 config/rootdaemonrc.in
 delete mode 100644 man/man1/system.rootdaemonrc.1
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a6a98375b39a7..aa891ff501a28 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -638,7 +638,6 @@ if(NOT CMAKE_SOURCE_DIR STREQUAL CMAKE_INSTALL_PREFIX)
 PATTERN "notebook/JsMVA" EXCLUDE
 PATTERN "system.rootrc" EXCLUDE
 PATTERN "system.rootauthrc" EXCLUDE
- PATTERN "system.rootdaemonrc" EXCLUDE
 PATTERN "root.mimes" EXCLUDE
 PATTERN "*.in" EXCLUDE)
 install(DIRECTORY fonts/ DESTINATION ${CMAKE_INSTALL_FONTDIR} ${DIR_PERMISSIONS})
diff --git a/cmake/modules/RootConfiguration.cmake b/cmake/modules/RootConfiguration.cmake
index 62e96dd9e9851..2c73266712e02 100644
--- a/cmake/modules/RootConfiguration.cmake
+++ b/cmake/modules/RootConfiguration.cmake
@@ -570,7 +570,6 @@ execute_Process(COMMAND hostname OUTPUT_VARIABLE BuildNodeInfo OUTPUT_STRIP_TRAI
 configure_file(${CMAKE_SOURCE_DIR}/config/rootrc.in ${CMAKE_BINARY_DIR}/etc/system.rootrc @ONLY NEWLINE_STYLE UNIX)
 configure_file(${CMAKE_SOURCE_DIR}/config/rootauthrc.in ${CMAKE_BINARY_DIR}/etc/system.rootauthrc @ONLY NEWLINE_STYLE UNIX)
-configure_file(${CMAKE_SOURCE_DIR}/config/rootdaemonrc.in ${CMAKE_BINARY_DIR}/etc/system.rootdaemonrc @ONLY NEWLINE_STYLE UNIX)
 # file used in TROOT.cxx, not need in include/ dir and not need to install
 configure_file(${CMAKE_SOURCE_DIR}/config/RConfigOptions.in ginclude/RConfigOptions.h NEWLINE_STYLE UNIX)
@@ -805,7 +804,6 @@ install(FILES ${CMAKE_BINARY_DIR}/ginclude/RConfigOptions.h
 install(FILES ${CMAKE_BINARY_DIR}/etc/root.mimes
 ${CMAKE_BINARY_DIR}/etc/system.rootrc
 ${CMAKE_BINARY_DIR}/etc/system.rootauthrc
- ${CMAKE_BINARY_DIR}/etc/system.rootdaemonrc
 DESTINATION ${CMAKE_INSTALL_SYSCONFDIR})
 endfunction()
diff --git a/config/rootdaemonrc.in b/config/rootdaemonrc.in
deleted file mode 100644
index 62e45c22b1e38..0000000000000
--- a/config/rootdaemonrc.in
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# $ROOTSYS/etc/system.rootdaemonrc, $HOME/.rootdaemonrc
-# This files describe the names of the hosts for which
-# the allowed authentication methods are not the default ones
-# as specified in system.rootrc (if any).
-# This file is used by servers run from ROOT interactive sessions
-# via the TServerSocket class.
-#
-# If existing, $HOME/.rootdaemonrc has priority over
-# $ROOTSYS/etc/system.rootdaemonrc
-#
-# Format:
-# - lines starting with '#' are comment lines.
-#
-# - hosts can specified either with their name (eg. pcepsft43),
-# their FQDN (eg, pcepsft43.cern.ch) or their IP address
-# (eg 137.138.99.73).
-#
-# - directives applying to all host can be specified either by
-# 'default' or '*'
-#
-# - the '*' character can be used in any field of the name to indicate
-# a set of machines or domains, e.g. pcepsft*.cern.ch applies to all
-# 'pcepsft' machines in the domain 'cern.ch'. (to indicate all
-# 'lxplus' machines you should use 'lxplus*.cern.ch' because
-# internally the generic lxplus machine has a real name of the form
-# lxplusnnn.cern.ch; you can also use 'lxplus' if you don't care
-# about domain name checking).
-#
-# - a whole domain can be indicated by its name, eg 'cern.ch',
-# 'cnaf.infn.it' or '.ch'
-# - truncated IP address can also be used to indicate a set of
-# machines; they are interpreted as the very first or very last
-# part of the address; for example, to select 137.138.99.73,
-# any of these is valid: '137.138.99', '137.138', '137', '99.73';
-# or with wild cards: '137.13*' or '*.99.73'; however, '138.99'
-# is invalid because ambiguous.
-#
-# - the information following the name or IP address indicates, in order
-# of preference, the short names or the internal codes of authentication
-# methods accepted for requests coming from the specified host(s); the
-# ones implemented so far are:
-#
-# Method short name code
-#
-# UsrPwd usrpwd 0
-#
-# (The insecure method is intended to speed up access within a cluster
-# protected by other means from outside attacks; should not be used for
-# inter-cluster or inter-domain authentication).
-# Methods non specified explicitly are not accepted.
-#
-# - Lines ending with '\' are followed by additional information for the
-# host on the next line; the name of the host should not be repeated.
-#
-# Example of allowing machines in the cern.ch domain to authenticate.
-# The accepted methods will be communicated to the client and an automatic
-# retry is attempted if the client can use any of them (negotiation).
-#
-# Valid examples:
-#
-# default none
-# lxplus*.cern.ch 0:qwerty:uytre 2
-
-# Everything allowed from the local host (for testing)
-#
-127.0.0.1 0 2
-#
-# secure methods allowed by default
-default usrpwd
diff --git a/man/man1/system.rootdaemonrc.1 b/man/man1/system.rootdaemonrc.1
deleted file mode 100644
index 9e481ccdd8ff3..0000000000000
--- a/man/man1/system.rootdaemonrc.1
+++ /dev/null
@@ -1,171 +0,0 @@
-.\"
-.\" $Id: system.rootdaemonrc.1,v 1.1 2004/12/15 12:37:43 rdm Exp $
-.\"
-.TH SYSTEM.ROOTDAEMONRC 1 "Version 4" "ROOT"
-.\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection
-.\" other parms are allowed: see man(7), man(1)
-.SH NOTA BENE
-.B Usage of this file is deprecated and will be removed in future versions of ROOT.
-.PP
-Please contact the ROOT team at
-.UR http://root.cern/
-.I http://root.cern
-in the unlikely event this change is disruptive for your workflow.
-.SH NAME
-system.rootdaemonrc, .rootdaemonrc \- access control directives for ROOT daemons
-.SH LOCATIONS
-.nf
-.B ROOTDAEMORC, $HOME/.rootdaemonrc
-.B /etc/root/system.rootdaemonrc, $ROOTSYS/etc/system.rootdaemonrc
-.fi
-.SH "DESCRIPTION"
-This manual page documents the format of directives specifying access control
-directives for ROOT daemons. These directives are read from a text file whose
-full path is taken from the environment variable \fBROOTDAEMONRC\fR.
-If such a variable in undefined, the daemon looks for a file named
-\fB.rootdaemonrc\fR in the $HOME directory of the user starting the daemon;
-if this file does not exists either, the file
-\fBsystem.rootdaemonrc\fR, located under \fB/etc/root\fR or \fB$ROOTSYS/etc\fR, is used.
-If none of these file exists (or is readable), the daemon makes use of a default
-built-in directive derived from the configuration options of the installation.
-
-.SH "FORMAT"
-.TP
-.B *
-lines starting with '#' are comment lines.
-.TP
-.B *
-hosts can specified either with their name (e.g. pcepsft43), their FQDN (e.g. pcepsft43.cern.ch) or their IP address (e.g. 137.138.99.73).
-.TP
-.B *
-directives applying to all host can be specified either by 'default' or '*'
-.TP
-.B *
-the '*' character can be used in any field of the name to indicate a set of machines or domains, e.g. pcepsft*.cern.ch applies to all 'pcepsft' machines in the domain 'cern.ch'. (to indicate all 'lxplus' machines you should use 'lxplus*.cern.ch' because internally the generic lxplus machine has a real name of the form lxplusnnn.cern.ch; you can also use 'lxplus' if you don't care about domain name checking).
-.TP
-.B *
-a whole domain can be indicated by its name, e.g. 'cern.ch', 'cnaf.infn.it' or '.ch'
-.TP
-.B *
-truncated IP address can also be used to indicate a set of machines; they are interpreted as the very first or very last part of the address; for example, to select 137.138.99.73, any of these is valid: '137.138.99', '137.138', '137`, '99.73'; or with wild cards: '137.13*' or '*.99.73`; however, '138.99' is invalid because ambiguous.
-.TP
-.B *
-the information following the name or IP address indicates, in order of preference, the short names or the internal codes of authentication methods accepted for requests coming from the specified host(s); the ones implemented so far are:
-
- Method nickname code
-
- UsrPwd usrpwd 0
-
-Methods not specified explicitly are not accepted.
-
-.TP
-.B *
-Lines ending with '\' are followed by additional information for the host on the next line; the name of the host should not be repeated.
-
-.SH "EXAMPLES"
-Valid examples:
-
-.TP
-.B default none
-All requests are denied unless specified by dedicated directives.
-
-.TP
-.B default 0
-Authentication mechanisms allowed by default are 'usrpwd' (code 0)
-
-.TP
-.B 137.138. 0
-Authentication mechanisms allowed from host in the domain 137.138. (cern.ch) are 'usrpwd' (code 0)
-
-.TP
-.B lxplus*.cern.ch 0:qwerty:uytre
-Requests from the lxplus cluster from users 'qwerty' and 'uytre' can authenticate using 'usrpwd'.
-
-.TP
-.B pcep*.cern.ch 0:-qwerty
-Requests from the pcep*.cern.ch nodes can authenticate using 'usrpwd' when accessing the 'rootd' daemon ; user 'qwerty' cannot use 'usrpwd'.
-
-.PP
-For more information on the \fBROOT\fR system, please refer to
-\fIhttp://root.cern/\fR .
-
-.SH "ORIGINAL AUTHORS"
-The ROOT team (see web page above):
-.RS
-.B Rene Brun
-and
-.B Fons Rademakers
-.RE
-.SH "COPYRIGHT"
-This library is free software; you can redistribute it and/or modify
-it under the terms of the GNU Lesser General Public License as
-published by the Free Software Foundation; either version 2.1 of the
-License, or (at your option) any later version.
-.P
-This library is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-.P
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-.SH AUTHOR
-This manual page was written by G. Ganis .
-.\"
-.\" $Log: system.rootdaemonrc.1,v $
-.\" Revision 1.1 2004/12/15 12:37:43 rdm
-.\" From Gerri:
-.\" 1) New files:
-.\"
-.\" .1 build/package/rpm/root-rootd.spec.in
-.\"
-.\" skeleton for the rootd RPM specs file
-.\"
-.\" .2 build/package/common/root-rootd.dscr
-.\"
-.\" short and long descriptions used in the previous file
-.\"
-.\" .3 config/rootd.in
-.\"
-.\" Skeleton for the startup script to be created under etc; the
-.\" variable which depends on the configuration directives is
-.\" the location of the executable to run (i.e the installation
-.\" prefix). This file is to be moved to /etc/rc.d/init.d/ on RH
-.\" (or equivalent position on other versions of Linux).
-.\"
-.\" .4 man/man1/system.rootdaemonrc.1
-.\"
-.\" man page for system.rootdaemonrc and related files
-.\"
-.\"
-.\" 2) Patched files:
-.\"
-.\" .1 Makefile
-.\"
-.\" add new target 'rootdrpm' with the rules to create the specs file
-.\"
-.\" .2 configure
-.\"
-.\" add creation of etc/rootd from the skeleton in config/rootd.in
-.\"
-.\" .3 config/Makefile.in
-.\"
-.\" add variable ROOTDRPMREL with the RPM release version (default 1);
-.\" this can be changed on command line whn creating the spec file
-.\"
-.\" .4 config/rootdaemonrc.in
-.\"
-.\" update fir 'sockd' and correct a few typos
-.\"
-.\" .5 man/man1/rootd.1
-.\"
-.\" significant updates; typo corrections
-.\"
-.\" Revision 1.1 2001/08/15 13:30:48 rdm
-.\" move man files to new subdir man1. This makes it possible to add
-.\" $ROOTSYS/man to MANPATH and have "man root" work.
-.\"
-.\" Revision 1.1 2000/12/08 17:41:01 rdm
-.\" man pages of all ROOT executables provided by Christian Holm.
-.\"
-.\"
From bab20358e45178b14439f16cc9a41b3b2a2f8aec Mon Sep 17 00:00:00 2001
From: Jakob Blomer
Date: Thu, 21 May 2026 22:51:36 +0200
Subject: [PATCH 2/4] remove unused .rootauthrc
---
 CMakeLists.txt | 1 -
 cmake/modules/RootConfiguration.cmake | 2 -
 config/rootauthrc.in | 135 --------------------------
 3 files changed, 138 deletions(-)
 delete mode 100644 config/rootauthrc.in
diff --git a/CMakeLists.txt b/CMakeLists.txt
index aa891ff501a28..effcc4d954025 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -637,7 +637,6 @@ if(NOT CMAKE_SOURCE_DIR STREQUAL CMAKE_INSTALL_PREFIX)
 ${DIR_PERMISSIONS}
 PATTERN "notebook/JsMVA" EXCLUDE
 PATTERN "system.rootrc" EXCLUDE
- PATTERN "system.rootauthrc" EXCLUDE
 PATTERN "root.mimes" EXCLUDE
 PATTERN "*.in" EXCLUDE)
 install(DIRECTORY fonts/ DESTINATION ${CMAKE_INSTALL_FONTDIR} ${DIR_PERMISSIONS})
diff --git a/cmake/modules/RootConfiguration.cmake b/cmake/modules/RootConfiguration.cmake
index 2c73266712e02..d2c4161c40b5e 100644
--- a/cmake/modules/RootConfiguration.cmake
+++ b/cmake/modules/RootConfiguration.cmake
@@ -569,7 +569,6 @@ install(FILES ${CMAKE_BINARY_DIR}/ginclude/RConfigure.h DESTINATION ${CMAKE_INST
 execute_Process(COMMAND hostname OUTPUT_VARIABLE BuildNodeInfo OUTPUT_STRIP_TRAILING_WHITESPACE )
 configure_file(${CMAKE_SOURCE_DIR}/config/rootrc.in ${CMAKE_BINARY_DIR}/etc/system.rootrc @ONLY NEWLINE_STYLE UNIX)
-configure_file(${CMAKE_SOURCE_DIR}/config/rootauthrc.in ${CMAKE_BINARY_DIR}/etc/system.rootauthrc @ONLY NEWLINE_STYLE UNIX)
 # file used in TROOT.cxx, not need in include/ dir and not need to install
 configure_file(${CMAKE_SOURCE_DIR}/config/RConfigOptions.in ginclude/RConfigOptions.h NEWLINE_STYLE UNIX)
@@ -803,7 +802,6 @@ install(FILES ${CMAKE_BINARY_DIR}/ginclude/RConfigOptions.h
 install(FILES ${CMAKE_BINARY_DIR}/etc/root.mimes
 ${CMAKE_BINARY_DIR}/etc/system.rootrc
- ${CMAKE_BINARY_DIR}/etc/system.rootauthrc
 DESTINATION ${CMAKE_INSTALL_SYSCONFDIR})
 endfunction()
diff --git a/config/rootauthrc.in b/config/rootauthrc.in
deleted file mode 100644
index a7aef25af3374..0000000000000
--- a/config/rootauthrc.in
+++ /dev/null
@@ -1,135 +0,0 @@
-#
-# etc/system.rootauthrc
-#
-# NB: this file contains system defaults read only in the case the
-# $HOME/.rootauthrc is non-existing or non-readable. Its content
-# can be included in the private $HOME/.rootauthrc using the
-# include directive (see below). The location of the private file
-# can be changed by setting the environment variable ROOTAUTHRC
-# to the appropriate absolute file pathname.
-#
-# This file contains information about authentication methods available for
-# authentication vis-a-vis of a given host. It allows to define host specific
-# methods and defaults for the info (username, certificates, ...) to be used.
-# The information specified here superseeds the one found in .rootrc.
-#
-# Format:
-# - lines starting with '#' are comment lines.
-#
-# - lines of the form 'include ' allow to include other files
-# of this kind which are expanded exactly at the point where the
-# 'include' appears; environment variables are supported, eg
-# include $ROOTSYS/etc/system.rootauthrc
-#
-# - lines of the form:
-#
-# [user ]
-#
-# where is the host(s) identifier (see below), is an
-# option key and is the relevant info whose format depends
-# on ; 'user' indicates the username to whom the information
-# applies; if absent, the info applies to all users.
-#
-# :
-# - hosts can specified either with their name (e.g. pcepsft43),
-# their FQDN (e.g. pcepsft43.cern.ch) or their IP address
-# (e.g. 137.138.99.73).
-# - if =default or ='*' the following
-# applies to all hosts, unless host-specific entries are found.
-# - the '*' character can be used in the any field of the name to
-# indicate a set of machines or domains, e.g. pcepsft*.cern.ch
-# applies to all 'pcepsft' machines in the domain 'cern.ch'
-# (to indicate all 'lxplus' machines you should use 'lxplus*.cern.ch'
-# because internally the generic lxplus machine has a real name of
-# the form lxplusnnn.cern.ch; you can also use 'lxplus' if you
-# don't care about domain name checking)
-# - a whole domain can be indicated by its name, eg 'cern.ch',
-# 'cnaf.infn.it' or '.ch'
-# - truncated IP address can also be used to indicate a set of
-# machines; they are interpreted as the very first or very last
-# part of the address; for example, to select 137.138.99.73,
-# any of these is valid: '137.138.99', '137.138', '137`, '99.73';
-# or with wild cards: '137.13*' or '*.99.73`; however, '138.99'
-# is invalid because ambigous.
-#
-# :
-# - valid keys are 'list' and 'method';
-# - if =list, contains the list of codes or short names for
-# methods that can/should be tried for authentication wrt to ,
-# in order of preference.
-# Available methods are:
-#
-# Method short name code
-#
-# UsrPwd usrpwd 0
-#
-# Example of a valid 'list' line:
-#
-# default list 0
-# lxplus*.cern.ch list usrpwd
-#
-# The first line defines as default method UsrPwd.
-#
-# Having a line 'list' for a host is non mandatory: methods can
-# also be defined directly via 'method' lines (see below); in
-# such a case the first 'method' line will define the preferred
-# method and so on.
-#
-# - if =method, contains
-# + a method code --> mandatory, must be in the valid range
-# + a prompt flag --> optional, identified by the key 'pt:',
-# e.g. pt:yes
-# values: 'yes' or 1, 'no' or '0'
-# + a reuse flag --> optional, identified by the key 'ru:',
-# e.g. ru:no
-# values: 'yes' or 1, 'no' or '0'
-# + some relevant information for authentication (optional,
-# see below)
-#
-# The 'prompt' flag defines whether the user should be prompted
-# for the relevant authentication details each time an
-# authentication with the corresponding method is attempted.
-# Default is 'yes', superseeded by the related entry in '.rootrc' .
-# The 'reuse' flag determines if a successful authentication will
-# be later re-used without prompting (e.g. when the user tries
-# to access the same host with same method during the same
-# session: this allows to speed up operation in case of multiple
-# access). Default is 'yes' for methods 0 (UsrPwd), superseeded
-# by the related entries in '.rootrc'.
-# 'reuse' will be af no advantage and 'prompt' is not allowed for
-# security reasons. The format for the default info depends on
-# the method:
-#
-# Method Format info
-#
-# UsrPwd us: cp:
-#
-# The key 'us' allows to specify a target username different from
-# the local username (which is the default target username); the
-# value specified via 'us' is superseeded by any user information
-# passed through the constructor, e.g. in TFTP("@").
-#
-# The additional keys for UsrPwd specify:
-# 'cp' whether to encrypt the password with a public key (default)
-# or not (slighty faster), values are 'yes' or '1' for YES,
-# 'no' or '0' for NO (case sensitive);
-#
-# Example of valid 'method' lines:
-#
-# default list 0
-# default user asdfgh method usrpwd pt:1 ru:no
-# include local/myrootauthrc
-# include $ROOTSYS/etc/system.rootauthrc
-#
-# The first line states that, unless differently specified,
-# the first method to be tried for autentication is UsrPwd.
-# The second line specifies that, for UsrPwd authentication, user
-# 'asdfgh' will get a prompt with default username 'asdfgh' and
-# that a successful authentication will not be reused
-# The third directive includes the content of the file
-# myrootauthrc located in the subdirectory local of the
-# directory where the intercative root session was started.
-# The fourth directive includes the content of the system
-# defaults.
-#
-default list usrpwd
From 6920fa6f0612bf7744fb0db5e3b477b302338d0f Mon Sep 17 00:00:00 2001
From: Jakob Blomer
Date: Thu, 21 May 2026 22:52:08 +0200
Subject: [PATCH 3/4] remove auth options from .rootrc
---
 config/rootrc.in | 53 ------------------------------------------------
 1 file changed, 53 deletions(-)
diff --git a/config/rootrc.in b/config/rootrc.in
index cfe6c060503b9..b4982e1efefaa 100644
--- a/config/rootrc.in
+++ b/config/rootrc.in
@@ -369,59 +369,6 @@ ACLiC.Linkdef: _linkdef
 # Add extra options to rootcling invocation by ACLiC
 #ACLiC.ExtraRootclingFlags: [-optA ... -optZ]
-# Connection is shutdown at timeout expiration. Timeout is in seconds.
-# Negotiation cannot be attempted at low level (i.e. inside
-# TAuthenticate::Authenticate()) because of synchronization
-# problems with the server.
-# At higher level, TAuthenticate::HasTimedOut() gives information
-# about timeout: 0 = no timeout; 1 = timeout, no methods left;
-# 2 = timeout, still methods to be tried .
-# Caller should decide about an additional attempt.
-# Timeout disabled (< 0) by default. Can be changed on-the-fly
-# with the static method TAuthenticate::SetTimeOut(to_value)
-#
-# Auth.Timeout: -1
-
-# Password dialog box.
-# Set to 0 if you do not want a dialog box to be popped-up
-# when a password is requested.
-# Default is 1.
-#
-# Auth.UsePasswdDialogBox: 0
-
-# Default login name (if not defined is taken from $(HOME)).
-#UsrPwd.Login: qwerty
-
-# To be prompted for login information.
-#UsrPwd.LoginPrompt: yes
-
-# To reuse established security context.
-UsrPwd.ReUse: yes
-
-# Duration validity of the security context.
-# Format: : (default 24:00)
-#UsrPwd.Valid: 24:00
-
-# To control password encryption for UsrPwd authentication.
-UsrPwd.Crypt: yes
-
-# Type of key to be used for RSA encryption:
-# 0 = local; 1 = SSL (default if openssl available).
-RSA.KeyType: 1
-
-# In case of 'RSA.KeyType: 1' this specifies the number of bits to
-# be used for the Blowfish key used to encrypt the exchanged information
-# Default 256, minimum 128, maximum 15912.
-#SSL.BFBits: 256
-
-# Server authentication in TServerSocket.
-#
-# General: file with server access rules
-#SrvAuth.DaemonRc: /etc/root/system.daemonrc
-#
-# UsrPwd: check of host equivalence via /etc/hosts.equiv or $HOME/.rhosts.
-#SrvAuth.CheckHostsEquivalence: 1
-
 # Force file opening via TNetXNGFile if a hostname is specified
 # in the Url.
 # By default, for local files TFile::Open() invokes directly TFile
From 27f42a663a268e1dd234d8fb7afa64766a4bb375 Mon Sep 17 00:00:00 2001
From: Jakob Blomer
Date: Thu, 21 May 2026 22:53:30 +0200
Subject: [PATCH 4/4] remove README.AUTH following auth deprecation
---
 README/README.AUTH | 433 ---------------------------------------------
 1 file changed, 433 deletions(-)
 delete mode 100644 README/README.AUTH
diff --git a/README/README.AUTH b/README/README.AUTH
deleted file mode 100644
index 77a9545e4713c..0000000000000
--- a/README/README.AUTH
+++ /dev/null
@@ -1,433 +0,0 @@
-# NOTE: The auth package is depcreated and will be remove in v6.42.
-ROOT will not provide socket authentication anymore but assumes that TSocket connections are between trusted processes.
-Consider using SSH tunneling if you need secure network connections.
-
-Authentication to ROOT servers (TServerSocket)
-==============================================
-
-Servers based on TServerSocket accept 5 methods of authentication, listed
-in Table 1, together with their internal codes and short names.
-Method 5 (uidgid) is provided for fast access when security is not an issue.
-Method 0 is 'secured' by using a session public key, automatically
-generated, which allows to avoid direct exchange of passwords.
-
- Table 1: authentication methods available
- +---------------------------------------------------------------------+
- | Method | code | short name | in .rootrc | Secure | Sfx |
- |---------------------------------------------------------------------|
- | (user,password) | 0 | usrpwd | UsrPwd | Yes | up |
- | SRP | 1 | srp | SRP | Yes | s |
- | Kerberos V | 2 | krb5 | Krb5 | Yes | k |
- | Globus GSI | 3 | globus | Globus | Yes | g |
- | (uid,gid) | 5 | uidgid | UidGid | No | ug |
- +---------------------------------------------------------------------+
-
-By default method 0 (UsrPwd) is used; host equivalence via /etc/hosts.deny
-and/or $HOME/.rhosts is tested (by default; it can be disabled).
-
-A specific method can be given priority by adding the suffix shown in the
-table (column Sfx) to the specified protocol: for example
-
- TFile *f = TFile::Open("roots://host.doma.in/~fserv/TheFile.root","read")
-
-requires the use of the SRP method.
-
-Defaults can be changed on {host, user} base via the file $HOME/.rootauthrc;
-the header of the file $ROOTSYS/etc/system.rootauthrc, automatically generated
-upon configuration with system defaults based on the compilation options,
-contains the explanation of the syntax for the available directives and
-examples of use.
-Defaults specified by directives in the .rootrc family files (in order of
-priority: $HOME/.rootrc, /etc/root/system.rootrc and $ROOTSYS/etc/system.rootrc)
-are still considered for backward compatibility but with the lowest priority.
-It is also possible to specify authentication directives interactively
-as explained below.
-
-A test macro TestAuth.C is provided under the tutorials directory. Its use
-is explained at the end of this file.
-
-Controlling access
-==================
-
-Directives defining the authentication protocols accepted from a given host
-are defined in the active file; this file is by default
-$ROOTSYS/etc/system.rootdaemonrc; if existing, $HOME/.rootdaemonrc has
-priority; it is also possible to use a generic filename and location.
-The two last solutions have the advantage that the file do not get
-reset if the ROOT distribution needs to be re-configured.
-
-By default the ROOT daemons accept authentications only via the methods
-defined by the directive more closely matching the requesting hosts.
-The file $ROOTSYS/etc/system.rootdaemonrc is automatically generated
-upon configuration with the list of available secure methods enabled
-by default from all the hosts.
-The administrator of the daemons has the responsibility to add the relevant
-entries to fit the site access policy.
-
-
-Negotiation
-===========
-
-Simple negotiation is supported as follows. The client sends the preferred
-method (the first one in the list, see below) to the server; if this is among
-the methods accepted by the server (not necessarily the one preferred by the
-server) authentication is attempted. In the case the attempt is unsuccessful,
-the server sends back the list of the remaining methods accepted (if any); the
-client compares the server list with its own list of remaining methods and
-makes a new attempt if the overlap of the two lists is not empty; and so on.
-
-Entries in .rootrc
-==================
-
-The authentication related entries in the .rootrc family of files define
-directives applying to all remote host and all remote accounts. The available
-directives are the following:
-
-* The .Login directives specify the default login for the method:
-
- UsrPwd.Login, SRP.Login, UidGid.Login: (e.g.: qwerty)
- Krb5.Login: (e.g.: qwerty@THIS.DOM.AIN)
- Globus.Login: cd: cf: \
- kf: ad:
-
-* The .LoginPrompt directives specify whether root should prompt you
- for the login (with default the login specified via .Login; possible
- values are 0 or no for no prompt, 1 or yes to have the prompt; valid
- examples:
-
- UsrPwd.LoginPrompt: 0
- Krb5.LoginPrompt: 1
- Globus.LoginPrompt: no
-
- Default is no prompt.
-
- For anonymous 'usrpwd' login, 'UsrPwd.LoginPrompt 0' implies automatic
- generation of the password in the form @, where
- is obtained from the variable USER or from ' getpwuid(getuid())->pw_name '.
-
-* The .ReUse directives specify whether root reuse valid authentication
- once established; possible values are '0' or 'no' for OFF, '1' or 'yes' for ON.
- When this option is active, the client generates a session RSA key pair and
- transmits the public key to the server; the server generates a session 'token'
- which can be used by the client for later access to the server.
- This facility is implemented for all methods except UidGid (for which there would
- be no advantage); it is switched ON by default for UsrPwd, SRP and Globus,
- since it allows to speed up repeated access to the same server.
- For Krb5 it is implemented but switched OFF by default, since it does not improve
- on authentication time.
-
- UsrPwd.ReUse yes
- SRP.ReUse 1
- Krb5.ReUse 0
- Globus.ReUse yes
-
- NB: unless 'UsrPwd.Crypt 0' (see below), for UsrPwd the password is always sent
- encrypted with the session RSA key, even if UsrPwd.ReUse is OFF.
-
-* The .Valid directives specify the duration validity of the security
- context for methods UsrPwd and SRP; values are passed in the form
- :, the default being 24:00 .
-
- UsrPwd.Valid 16:45
- SRP.Valid 13:00
-
-* Other directives
-
- * UsrPwd
-
- * To secure password exchange set (this is the default)
-
- UsrPwd.Crypt 1
-
- A session key pair is generated and used to encrypt the password hash to
- be communicated to the server.
-
- * globus
-
- * to change the duration in hours of globus credentials (default is 12) use
- Globus.ProxyDuration:
-
- * to change the number of bits in the key (default 1024)
- Globus.ProxyKeyBits:
- where is 512 or 1024 or 2048 or 4096
-
-.rootauthrc
-===========
-
-The .rootauthrc file allow to specify host and user specific instructions; all
-the possibilities are explained in etc/system.rootauthrc. The information read
-is used to instantiate THostAuth objects; these can be modified during the root
-session as explained in the next session.
-
-
-Modifying/Adding authentication info during the session
-=======================================================
-
-Remote authentication in root is controlled by the TAuthenticate class;
-TNetFile and TSlave create a TAuthenticate object before proceeding to
-authentication.
-
-Authentication is (host,user) specific. The dedicated class THostAuth contains
-the information for a specific (host,user):
-
- + remote host FQDN
- + user name
- + number of available methods (n)
- + method internal codes (dimension n)
- + login info for each method (dimension n)
- + list of established authentication
-
-The available methods are listed in order of preference: the first one is the
-one preferred, the others are tried in turn upon failure of the previous one,
-and if accepted by the remote daemon (see Negotiation below).
-
-THostAuth objects are instantiated by TAuthenticate at first call using
-the information found in $HOME/.rootauthrc or $ROOTSYS/etc/system.rootauthrc.
-The list of THostAuth is refreshed if any of the relevant file has changed
-since last TAuthenticate call, so the best way to change authentication
-directives during an interactive session is to edit the $HOME/.rootauthrc.
-Nonetheless, a set of methods are available in the TAuthenticate and THostAuth
-classes to display/modify/create THostAuth interactively.
-
- * void TAuthenticate::Show()
-
- Prints information about authentication environment:
-
- = "s" list of active security context (default)
- "h" the content of the instantiated THostAuth objects in
- standard list
-
- Example:
-
-root [6] TAuthenticate::Show()
-Info in : +------------------------------------------------------+
-Info in : + Host:pceple19.cern.ch Method:0 (UsrPwd) User:'ganis'
-Info in : + OffSet:0 Details: 'pt:0 ru:1 cp:1 us:ganis'
-Info in : + Expiration time: Sat Jan 10 13:18:41 2004
-Info in : +------------------------------------------------------+
-
-
-root [7] TAuthenticate::Show("h")
-Info in <::Print>: +--------------------------- BEGIN --------------------------------+
-Info in <::Print>: + +
-Info in <::Print>: + List fgAuthInfo has 5 members +
-Info in <::Print>: + +
-Info in <::Print>: +------------------------------------------------------------------+
-Info in : +------------------------------------------------------------------+
-Info in : + Host:default - User:* - # of available methods:6
-Info in : + Method: 0 (UsrPwd) Ok:0 Ko:0 Dets:pt:no ru:yes cp:yes us:
-Info in : + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:no us:
-Info in : + Method: 2 (Krb5) Ok:0 Ko:0 Dets:pt:no ru:no us:
-Info in : + Method: 3 (Globus) Ok:0 Ko:0 Dets:pt:no ru:yes
-Info in : + Method: 5 (UidGid) Ok:0 Ko:0 Dets:pt:no us:
-Info in : +------------------------------------------------------------------+
-Info in : +------------------------------------------------------------------------------+
-Info in : + Host:default - Number of active sec contexts: 0
-Info in : +------------------------------------------------------------------------------+
-Info in : +------------------------------------------------------------------+
-Info in : + Host:pcep*.cern.ch - User:* - # of available methods:2
-Info in : + Method: 0 (UsrPwd) Ok:1 Ko:0 Dets:pt:no ru:1 us:ganis
-Info in : + Method: 1 (SRP) Ok:1 Ko:0 Dets:pt:yes ru:no us:ganis
-Info in : +------------------------------------------------------------------+
-Info in : +------------------------------------------------------------------------------+
-Info in : + Host:pcep*.cern.ch - Number of active sec contexts: 1
-Info in : + 1) h:pceple19.cern.ch met:0 (UsrPwd) us:'ganis'
-Info in : + offset:0 det: 'pt:0 ru:1 cp:1 us:ganis'
-Info in : + expiring: Sat Jan 10 13:18:41 2004
-Info in : +------------------------------------------------------------------------------+
-Info in : +------------------------------------------------------------------+
-Info in : + Host:lxplus*.cern.ch - User:* - # of available methods:2
-Info in : + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
-Info in : +------------------------------------------------------------------+
-Info in : +------------------------------------------------------------------------------+
-Info in : + Host:lxplus*.cern.ch - Number of active sec contexts: 0
-Info in : +------------------------------------------------------------------------------+
-Info in <::Print>: +---------------------------- END ---------------------------------+
-
- The method THostAuth::PrintEstablished is also called, displaying the
- relevant info about the established security context(s) saved in TSecContext.
-
-root [8] TAuthenticate::Show("p")
-Info in <::Print>: +--------------------------- BEGIN --------------------------------+
-Info in <::Print>: + +
-Info in <::Print>: + List fgProofAuthInfo has 1 members +
-Info in <::Print>: + +
-Info in <::Print>: +------------------------------------------------------------------+
-Info in : +------------------------------------------------------------------+
-Info in : + Host:lxplus*.cern.ch - User:ganis - # of available methods:2
-Info in : + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
-Info in : +------------------------------------------------------------------+
-Info in <::Print>: +---------------------------- END ---------------------------------+
-
- This is the list build following the directives in .rootauthrc
-
- * THostAuth *TAuthenticate::GetHostAuth(,,,);
-
- Returns a pointer to the THostAuth object pertaining to (host,user) if it
- exist, 0 otherwise. If ="R" (default) the search is performed in the
- standard list. The last argument
- is a pointer to an integer: if defined (.ne. 0) the pointed location is
- filled with 1 if the match is exact, with 0 if an matching entry with wild
- cards was found.
- - Example: - - root [2] THostAuth *ha = TAuthenticate::GetHostAuth("pcepsft43.cern.ch","ganis") - root [3] printf("ha: 0x%x\n",(int)ha); - ha: 0x88df970 - root [4] THostAuth *ha = TAuthenticate::GetHostAuth("der.mit.ow","scruno") - root [5] printf("ha: 0x%x\n",(int)ha); - ha: 0x0 - root [6] - - * void TAuthenticate::RemoveHostAuth(THostAuth *ha) - - Removes and destroys the THostAuth object pointed by ha from the static list - in TAuthenticate - - * void THostAuth::Print() - - Prints the information contained in this THostAuth object - - Example: - -root [10] ha->Print() -Info in : +------------------------------------------------------------------+ -Info in : + Host:pcep*.cern.ch - User:* - # of available methods:2 -Info in : + Method: 0 (UsrPwd) Ok:1 Ko:0 Dets:pt:no ru:1 us:ganis -Info in : + Method: 1 (SRP) Ok:1 Ko:0 Dets:pt:yes ru:no us:ganis -Info in : +------------------------------------------------------------------+ - - The statistics for successful or unsuccessful use of the indicated methods - are shown after "Ok:" and "Ko:", respectively. 
- - - * void THostAuth::AddMethod(,) - - Add a new method (internal code , login information ) at - the end of the list of available methods - - Example (with respect to above): - - root [9] ha->AddMethod(0,"no us:ganis") - root [10] ha->Print() - Info in : +------------------------------------------------------------------+ - Info in : + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4 - Info in : + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates - Info in : + Method: 4 Details:pt:no ru:1 us:ganis - Info in : + Method: 1 Details:pt:no ru:1 us:ganis - Info in : + Method: 5 Details:pt:yes us:ganis - Info in : + Method: 0 Details:pt:no us:ganis - Info in : +------------------------------------------------------------------+ - root [11] - - * void THostAuth::RemoveMethod() - - Removes method with internal code from the list of available methods - - Example (with respect to above): - - root [9] ha->RemoveMethod(5) - root [10] ha->Print() - Info in : +------------------------------------------------------------------+ - Info in : + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4 - Info in : + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates - Info in : + Method: 4 Details:pt:no ru:1 us:ganis - Info in : + Method: 1 Details:pt:no ru:1 us:ganis - Info in : + Method: 0 Details:pt:no us:ganis - Info in : +------------------------------------------------------------------+ - root [11] - - * void THostAuth::SetDetails(,) - - Changes login info for method with internal code to ; if - it does not exist, add a this as new method. 
- - Example (with respect to above): - - root [11] ha->SetDetails(4,"pt:no ru:1 us:gganis") - root [12] ha->Print() - Info in : +------------------------------------------------------------------+ - Info in : + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4 - Info in : + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates - Info in : + Method: 4 Details:pt:no ru:1 us:gganis - Info in : + Method: 1 Details:pt:no ru:1 us:ganis - Info in : + Method: 0 Details:pt:no us:ganis - Info in : +------------------------------------------------------------------+ - root [13] - - * void THostAuth::SetFirst() - - Set method with internal code as the preferred one, if it exists. - - Example (with respect to above): - - root [13] ha->SetFirst(1) - root [14] ha->Print() - Info in : +------------------------------------------------------------------+ - Info in : + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4 - Info in : + Method: 1 Details:pt:no ru:1 us:ganis - Info in : + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates - Info in : + Method: 4 Details:pt:no ru:1 us:gganis - Info in : + Method: 0 Details:pt:no us:ganis - Info in : +------------------------------------------------------------------+ - root [15] - - * void THostAuth::AddFirst(,) - - Set method with internal code as the preferred one, and changes the - login information to . If it does not exist, add a new method in - first position. - - * void THostAuth::ReOrder(nmet,meths) - - Reorder the list of the available methods in such a way that the first nmet - methods are the ones listed in meths[nmet]. 
- - * Bool_t THostAuth::IsActive() const { return fActive; } - - Indicates if this THostAuth instantiation is active - - * void THostAuth::DeActivate() { fActive = kFALSE; } - - Sets this THostAuth instantiation inactive - - * void THostAuth::Activate() { fActive = kTRUE; } - - Sets this THostAuth instantiation active - - * void THostAuth::Reset(); - - Resets content of this THostAuth instantiation - -TSecContext -============ - -The class TSecContext contains the relevant details about an established security -context, typically needed for re-usage of the context. - -authserv.C, authclient.C -======================== - -These macros must be run together to test authentication between two remote -ROOT sessions. -Run first the authserv.C within a ROOT session on the server -machine, eg. "srv.machi.ne": - - root[] .x authserv.C(3000) - -authserv accepts as argument the port where it starts listening -(default 3000). -You can then run authclient.c in a ROOT session on the client machine: - - root[] .x authclient.C("srv.machi.ne:3000") - -and you should get prompted for the credentials, if the case. -To start a parallel socket of size, for example, 5, enter the -size as second argument, ie - - root[] .x authclient.C("srv.machi.ne:3000",5) - - --------------------------------------------------------------------------------------- -Last update: November 19, 2018