forked from root-project/root
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.AUTH
559 lines (424 loc) · 26.2 KB
/
README.AUTH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
Authentication to rootd/proofd servers
======================================
The rootd/proofd daemon servers accept 6 methods of authentication, listed
in Table 1, together with their internal codes and short names.
Method 5 (uidgid) is provided for fast access when security is not an issue.
Method 0 is 'secured' by using a session public key, automatically
generated, which allows to avoid direct exchange of passwords.
Table 1: authentication methods available
+---------------------------------------------------------------------+
| Method | code | short name | in .rootrc | Secure | Sfx |
|---------------------------------------------------------------------|
| (user,password) | 0 | usrpwd | UsrPwd | Yes | up |
| SRP | 1 | srp | SRP | Yes | s |
| Kerberos V | 2 | krb5 | Krb5 | Yes | k |
| Globus GSI | 3 | globus | Globus | Yes | g |
| SSH | 4 | ssh | SSH | Yes | h |
| (uid,gid) | 5 | uidgid | UidGid | No | ug |
+---------------------------------------------------------------------+
By default method 0 (UsrPwd) is used; host equivalence via /etc/hosts.deny
and/or $HOME/.rhosts is tested (by default; it can be disabled).
A specific method can be given priority by adding the suffix shown in the
table (column Sfx) to the specified protocol: for example
TFile *f = TFile::Open("roots://host.doma.in/~fserv/TheFile.root","read")
requires the use of the SRP method, and
gROOT->Proof("proofk://lxplus079.cern.ch")
asks for Kerberos authentication in starting a proof session on node
lxplus079.cern.ch.
Defaults can be changed on {host, user} base via the file $HOME/.rootauthrc;
the header of the file $ROOTSYS/etc/system.rootauthrc, automatically generated
upon configuration with system defaults based on the compilation options,
contains the explanation of the syntax for the available directives and
examples of use.
Defaults specified by directives in the .rootrc family files (in order of
priority: $HOME/.rootrc, /etc/root/system.rootrc and $ROOTSYS/etc/system.rootrc)
are still considered for backward compatibility but with the lowest priority.
It is also possible to specify authentication directives interactively
as explained below.
A test macro TestAuth.C is provided under the tutorials directory. Its use
is explained at the end of this file.
Controlling access
==================
Directives defining the authentication protocols accepted from a given host
are defined in the active <rootdaemonrc> file; this file is by default
$ROOTSYS/etc/system.rootdaemonrc; if existing, $HOME/.rootdaemonrc has
priority; it is also possible to use a generic filename and location.
The two last solutions have the advantage that the file do not get
reset if the ROOT distribution needs to be re-configured.
By default the ROOT daemons accept authentications only via the methods
defined by the directive more closely matching the requesting hosts.
The file $ROOTSYS/etc/system.rootdaemonrc is automatically generated
upon configuration with the list of available secure methods enabled
by default from all the hosts.
The administrator of the daemons has the responsibility to add the relevant
entries to fit the site access policy.
Negotiation
===========
Simple negotiation is supported as follows. The client sends the preferred
method (the first one in the list, see below) to the server; if this is among
the methods accepted by the server (not necessarily the one preferred by the
server) authentication is attempted. In the case the attempt is unsuccessful,
the server sends back the list of the remaining methods accepted (if any); the
client compares the server list with its own list of remaining methods and
makes a new attempt if the overlap of the two lists is not empty; and so on.
Slave/Data servers authentication during a PROOF session
========================================================
During a PROOF session there is the potential problem of Master/Slave or
Slave/Data_Server authentication. For slaves, the list of methods to be tried
is specified in the proof.conf file as a list of methods short names. However,
before build the corresponding entry in THostAuth (see below) TProofServ checks
that the method can be applied, i.e. that there exist valid credentials.
The way the latter are transmitted depends on the method and on the
Client/Master authentication method.
* UsrPwd: to authenticate 'usrpwd' to slaves, the master needs the relevant
entry in the .netrc or .rootnetrc files; however, if the
client/master authentication was also 'usrpwd', the password is
already present on the master process and is used for later clear
authentications.
* SRP: to authenticate 'SRP' to slaves, the master needs the relevant entry
in the .netrc or .rootnetrc files; the syntax is the same as for
'usrpwd' authentication with the keyword 'secure' at the place of
'machine'. However, if the client/master authentication was also
'SRP', the master can receive the password from the client; the
password is sent encrypted with the internal RSA key generated for
the session. To use this option, set 'Proofd.SendSRPPwd 1' in your
.rootrc (default is 0).
* Krb5/Globus to authenticate Krb5/Globus to slaves, the master needs globus
credentials; this is possible (and automatic) only if the
client/master authentication was also Krb5/Globus.
* SSH to authenticate 'SSH' to slaves, the master needs the relevant
private key files in $HOME/.ssh (on the master).
* UidGid to authenticate 'uidgid' to slaves, the user must have the same
(uid,gid) on master and slaves.
Negotiation is active also between master and slaves, so asking for 'uidgid'
first may accelerate the authentication process if the server accepts it.
The method actually used is listed by gProof->Print("a").
If the slaves need to access data servers which are not part of the proof
cluster, the login info vis-a-vis of these may be specified with the proofserv
card in the .rootauthrc files (see below and etc/system.rootauthrc for
details); the collected information is then transmitted to all the active
slaves upon creation.
Entries in .rootrc
==================
The authentication related entries in the .rootrc family of files define
directives applying to all remote host and all remote accounts. The available
directives are the following:
* General switchings
Rootd.Authentication: <code>
Proofd.Authentication <code>
These variables specify the default method to be attempted for remote
authentication for rootd and proofd respectively; <code> is the internal code
given in Table 1; these directives supersede the default ('ssh' for normal
users and 'usrpwd' for anonymous users).
* The <method>.Login directives specify the default login for the method:
UsrPwd.Login, SRP.Login, SSH.Login, UidGid.Login: <username> (e.g.: qwerty)
Krb5.Login: <principal> (e.g.: qwerty@THIS.DOM.AIN)
Globus.Login: cd:<dir_with_my_certs> cf:<my_cert_file> \
kf:<my_key_file> ad:<dir_with_CA_certs>
* The <method>.LoginPrompt directives specify whether root should prompt you
for the login (with default the login specified via <method>.Login; possible
values are 0 or no for no prompt, 1 or yes to have the prompt; valid
examples:
UsrPwd.LoginPrompt: 0
Krb5.LoginPrompt: 1
Globus.LoginPrompt: no
SSH.LoginPrompt: yes
Default is no prompt.
For anonymous 'usrpwd' login, 'UsrPwd.LoginPrompt 0' implies automatic
generation of the password in the form <user>@<local_host_fqdn>, where <user>
is obtained from the variable USER or from ' getpwuid(getuid())->pw_name '.
* The <method>.ReUse directives specify whether root reuse valid authentication
once established; possible values are '0' or 'no' for OFF, '1' or 'yes' for ON.
When this option is active, the client generates a session RSA key pair and
transmits the public key to the server; the server generates a session 'token'
which can be used by the client for later access to the server.
This facility is implemented for all methods except UidGid (for which there would
be no advantage); it is switched ON by default for UsrPwd, SRP, Globus and SSH,
since it allows to speed up repeated access to the same server.
For Krb5 it is implemented but switched OFF by default, since it does not improve
on authentication time.
UsrPwd.ReUse yes
SRP.ReUse 1
Krb5.ReUse 0
Globus.ReUse yes
SSH.ReUse 1
NB: unless 'UsrPwd.Crypt 0' (see below), for UsrPwd the password is always sent
encrypted with the session RSA key, even if UsrPwd.ReUse is OFF.
* The <method>.Valid directives specify the duration validity of the security
context for methods UsrPwd, SRP and SSH; values are passed in the form
<hours>:<min>, the default being 24:00 .
UsrPwd.Valid 16:45
SRP.Valid 13:00
SSH.Valid 0:05
* Other directives
* UsrPwd
* To secure password exchange set (this is the default)
UsrPwd.Crypt 1
A session key pair is generated and used to encrypt the password hash to
be communicated to the server.
* globus
* to change the duration in hours of globus credentials (default is 12) use
Globus.ProxyDuration: <hours>
* to change the number of bits in the key (default 1024)
Globus.ProxyKeyBits: <bits>
where <bits> is 512 or 1024 or 2048 or 4096
* ssh
* to change the path with the 'ssh' executable
SSH.ExecDir <new_path>
(the executable will then be <new_path>/ssh)
.rootauthrc
===========
The .rootauthrc file allow to specify host and user specific instructions; all
the possibilities are explained in etc/system.rootauthrc. The information read
is used to instantiate THostAuth objects; these can be modified during the root
session as explained in the next session.
Modifying/Adding authentication info during the session
=======================================================
Remote authentication in root is controlled by the TAuthenticate class;
TNetFile, TFTP and TSlave create a TAuthenticate object before proceeding to
authentication.
Authentication is (host,user) specific. The dedicated class THostAuth contains
the information for a specific (host,user):
+ remote host FQDN
+ user name
+ number of available methods (n)
+ method internal codes (dimension n)
+ login info for each method (dimension n)
+ list of established authentication
The available methods are listed in order of preference: the first one is the
one preferred, the others are tried in turn upon failure of the previous one,
and if accepted by the remote daemon (see Negotiation below).
THostAuth objects are instantiated by TAuthenticate at first call using
the information found in $HOME/.rootauthrc or $ROOTSYS/etc/system.rootauthrc.
The list of THostAuth is refreshed if any of the relevant file has changed
since last TAuthenticate call, so the best way to change authentication
directives during an interactive session is to edit the $HOME/.rootauthrc.
Nonetheless, a set of methods are available in the TAuthenticate and THostAuth
classes to display/modify/create THostAuth interactively.
* void TAuthenticate::Show(<opt>)
Prints information about authentication environment:
<opt> = "s" list of active security context (default)
"h" the content of the instantiated THostAuth objects in
standard list
"p" the content of the instantiated THostAuth objects in
the proof list
Example:
root [6] TAuthenticate::Show()
Info in <TSecContext::Print>: +------------------------------------------------------+
Info in <TSecContext::Print>: + Host:pceple19.cern.ch Method:0 (UsrPwd) User:'ganis'
Info in <TSecContext::Print>: + OffSet:0 Details: 'pt:0 ru:1 cp:1 us:ganis'
Info in <TSecContext::Print>: + Expiration time: Sat Jan 10 13:18:41 2004
Info in <TSecContext::Print>: +------------------------------------------------------+
root [7] TAuthenticate::Show("h")
Info in <::Print>: +--------------------------- BEGIN --------------------------------+
Info in <::Print>: + +
Info in <::Print>: + List fgAuthInfo has 5 members +
Info in <::Print>: + +
Info in <::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:default - User:* - # of available methods:6
Info in <THostAuth::Print>: + Method: 0 (UsrPwd) Ok:0 Ko:0 Dets:pt:no ru:yes cp:yes us:
Info in <THostAuth::Print>: + Method: 4 (SSH) Ok:0 Ko:0 Dets:pt:no ru:yes us:
Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:no us:
Info in <THostAuth::Print>: + Method: 2 (Krb5) Ok:0 Ko:0 Dets:pt:no ru:no us:
Info in <THostAuth::Print>: + Method: 3 (Globus) Ok:0 Ko:0 Dets:pt:no ru:yes
Info in <THostAuth::Print>: + Method: 5 (UidGid) Ok:0 Ko:0 Dets:pt:no us:
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
Info in <THostAuth::PrintEstablished>: + Host:default - Number of active sec contexts: 0
Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:pcep*.cern.ch - User:* - # of available methods:2
Info in <THostAuth::Print>: + Method: 0 (UsrPwd) Ok:1 Ko:0 Dets:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:1 Ko:0 Dets:pt:yes ru:no us:ganis
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
Info in <THostAuth::PrintEstablished>: + Host:pcep*.cern.ch - Number of active sec contexts: 1
Info in <TSecContext::PrintEstblshed>: + 1) h:pceple19.cern.ch met:0 (UsrPwd) us:'ganis'
Info in <TSecContext::PrintEstblshed>: + offset:0 det: 'pt:0 ru:1 cp:1 us:ganis'
Info in <TSecContext::PrintEstblshed>: + expiring: Sat Jan 10 13:18:41 2004
Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:lxplus*.cern.ch - User:* - # of available methods:2
Info in <THostAuth::Print>: + Method: 4 (SSH) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
Info in <THostAuth::PrintEstablished>: + Host:lxplus*.cern.ch - Number of active sec contexts: 0
Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
Info in <::Print>: +---------------------------- END ---------------------------------+
The method THostAuth::PrintEstablished is also called, displaying the
relevant info about the established security context(s) saved in TSecContext.
root [8] TAuthenticate::Show("p")
Info in <::Print>: +--------------------------- BEGIN --------------------------------+
Info in <::Print>: + +
Info in <::Print>: + List fgProofAuthInfo has 1 members +
Info in <::Print>: + +
Info in <::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:lxplus*.cern.ch - User:ganis - # of available methods:2
Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 4 (SSH) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <::Print>: +---------------------------- END ---------------------------------+
This is the list build following the 'proofserv' directives in .rootauthrc
* THostAuth *TAuthenticate::GetHostAuth(<host_fqdn>,<user>,<opt>,<kExact>);
Returns a pointer to the THostAuth object pertaining to (host,user) if it
exist, 0 otherwise. If <opt>="R" (default) the search is performed in the
standard list, if <opt>="P" in the proof list. The last argument <kExact>
is a pointer to an integer: if defined (.ne. 0) the pointed location is
filled with 1 if the match is exact, with 0 if an matching entry with wild
cards was found.
Example:
root [2] THostAuth *ha = TAuthenticate::GetHostAuth("pcepsft43.cern.ch","ganis")
root [3] printf("ha: 0x%x\n",(int)ha);
ha: 0x88df970
root [4] THostAuth *ha = TAuthenticate::GetHostAuth("der.mit.ow","scruno")
root [5] printf("ha: 0x%x\n",(int)ha);
ha: 0x0
root [6]
* void TAuthenticate::RemoveHostAuth(THostAuth *ha)
Removes and destroys the THostAuth object pointed by ha from the static list
in TAuthenticate
* void THostAuth::Print()
Prints the information contained in this THostAuth object
Example:
root [10] ha->Print()
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:pcep*.cern.ch - User:* - # of available methods:2
Info in <THostAuth::Print>: + Method: 0 (UsrPwd) Ok:1 Ko:0 Dets:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:1 Ko:0 Dets:pt:yes ru:no us:ganis
Info in <THostAuth::Print>: +------------------------------------------------------------------+
The statistics for successful or unsuccessful use of the indicated methods
are shown after "Ok:" and "Ko:", respectively.
* void THostAuth::AddMethod(<code>,<login_inf>)
Add a new method (internal code <code>, login information <login_info>) at
the end of the list of available methods
Example (with respect to above):
root [9] ha->AddMethod(0,"no us:ganis")
root [10] ha->Print()
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4
Info in <THostAuth::Print>: + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates
Info in <THostAuth::Print>: + Method: 4 Details:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 1 Details:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 5 Details:pt:yes us:ganis
Info in <THostAuth::Print>: + Method: 0 Details:pt:no us:ganis
Info in <THostAuth::Print>: +------------------------------------------------------------------+
root [11]
* void THostAuth::RemoveMethod(<code>)
Removes method with internal code <code> from the list of available methods
Example (with respect to above):
root [9] ha->RemoveMethod(5)
root [10] ha->Print()
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4
Info in <THostAuth::Print>: + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates
Info in <THostAuth::Print>: + Method: 4 Details:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 1 Details:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 0 Details:pt:no us:ganis
Info in <THostAuth::Print>: +------------------------------------------------------------------+
root [11]
* void THostAuth::SetDetails(<code>,<login_inf>)
Changes login info for method with internal code <code> to <login_info>; if
it does not exist, add a this as new method.
Example (with respect to above):
root [11] ha->SetDetails(4,"pt:no ru:1 us:gganis")
root [12] ha->Print()
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4
Info in <THostAuth::Print>: + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates
Info in <THostAuth::Print>: + Method: 4 Details:pt:no ru:1 us:gganis
Info in <THostAuth::Print>: + Method: 1 Details:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 0 Details:pt:no us:ganis
Info in <THostAuth::Print>: +------------------------------------------------------------------+
root [13]
* void THostAuth::SetFirst(<code>)
Set method with internal code <code> as the preferred one, if it exists.
Example (with respect to above):
root [13] ha->SetFirst(1)
root [14] ha->Print()
Info in <THostAuth::Print>: +------------------------------------------------------------------+
Info in <THostAuth::Print>: + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4
Info in <THostAuth::Print>: + Method: 1 Details:pt:no ru:1 us:ganis
Info in <THostAuth::Print>: + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates
Info in <THostAuth::Print>: + Method: 4 Details:pt:no ru:1 us:gganis
Info in <THostAuth::Print>: + Method: 0 Details:pt:no us:ganis
Info in <THostAuth::Print>: +------------------------------------------------------------------+
root [15]
* void THostAuth::AddFirst(<code>,<login_inf>)
Set method with internal code <code> as the preferred one, and changes the
login information to <login_inf>. If it does not exist, add a new method in
first position.
* void THostAuth::ReOrder(nmet,meths)
Reorder the list of the available methods in such a way that the first nmet
methods are the ones listed in meths[nmet].
* Bool_t THostAuth::IsActive() const { return fActive; }
Indicates if this THostAuth instantiation is active
* void THostAuth::DeActivate() { fActive = kFALSE; }
Sets this THostAuth instantiation inactive
* void THostAuth::Activate() { fActive = kTRUE; }
Sets this THostAuth instantiation active
* void THostAuth::Reset();
Resets content of this THostAuth instantiation
TSecContext
============
The class TSecContext contains the relevant details about an established security
context, typically needed for re-usage of the context.
TestAuth.C
==========
This macro is provided to test the authentication methods available.
The macro is located under $ROOTSYS/tutorials.
Before executing it, start a rootd daemon in the background or, to get
some debug printouts, on a separate window with
rootd -d 3 -f
Remember to add "-p <port>" if the default port (1094) cannot be used
for some reason.
Then run
root -q -l $ROOTSYS/tutorials/TestAuth.C
and answer to the requests for passwords or similar to initialize
credentials. Upon success, you should get at the end something like this
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ +
+ Result of the tests: +
+ +
+ Method: 0 (UsrPwd): successful! (reuse: successful!) +
+ Method: 1 (SRP): successful! (reuse: successful!) +
+ Method: 2 (Krb5): successful! (reuse: successful!) +
+ Method: 3 (Globus): successful! (reuse: successful!) +
+ Method: 4 (SSH): successful! (reuse: successful!) +
+ Method: 5 (UidGid): successful! +
+ +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The macro assumes rootd accepting connections on port 1094; if this
is not the case you can pass the port number as the first argument to
the macro.
The macro assumes that you are trying to login as yourself to rootd,
i.e. with the username your are logged in. You may change this passing
a different username "newuser" as second argument. In this case you
have to start rootd from the "newuser" account or as supersuser,
to avoid access problems. Also, for SSH, make sure that "newuser"
can execute $ROOTSYS/bin/ssh2rpd.
The macro assumes that the Kerberos principal is in the form
<current_user>@<DEFAULT_REALM>
where <DEFAULT_REALM> is searched for in the Kerberos conf file
/etc/krb5.conf (or $KRB5_CONFIG). If the principal for the current
user is different, you have to pass it as third argument to TestAuth.C.
Finally, for Globus, if the certificate files and directories are not
standard, you should pass the ones to be used as fourth argument, the
syntax being the same as for $HOME/.rootauthrc .
This is a summary of the arguments to TestAuth.C:
TestAuth.C(<port>,"<user>","<krb5_princ","<globus_det>")
<port> = rootd port (default 1094)
<user> = login user name for the test
(default from getpwuid)
<krb5_princ> = Principal to be used for Krb5 authentication
in the form user@THE.REA.LM
( default: <running_user@Default_Realm with
Default_realm taken from /etc/krb5.conf
or the $KRB5_CONFIG file )
<globus_det> = details for the globus authentication
( default: ad:certificates cd:$HOME/.globus
cf:usercert.pem kf:userkey.pem )
--------------------------------------------------------------------------------------
Last update: September 23, 2004