"SfR Fresh" - the SfR Freeware/Shareware Archive 
As a special service "SfR Fresh" has tried to format the requested source page into HTML format using source code syntax highlighting with prefixed line numbers.
Alternatively you can here view or download the uninterpreted source code file.
That can be also achieved for any archive member file by clicking within an archive contents listing on the first character of the file(path) respectively on the according byte size field.
Authentication to rootd/proofd servers
======================================

The rootd/proofd daemon servers accept 6 methods of authentication, listed
in Table 1, together with their internal codes and short names.
Method 5 (uidgid) is provided for fast access when security is not an issue.
Method 0 is 'secured' by using an automatically generated session public key,
which avoids the direct exchange of passwords.

Table 1: authentication methods available
+-----------------+------+------------+------------+--------+-----+
| Method          | code | short name | in .rootrc | Secure | Sfx |
|-----------------+------+------------+------------+--------+-----|
| (user,password) |  0   | usrpwd     | UsrPwd     |  Yes   | up  |
| SRP             |  1   | srp        | SRP        |  Yes   | s   |
| Kerberos V      |  2   | krb5       | Krb5       |  Yes   | k   |
| Globus GSI      |  3   | globus     | Globus     |  Yes   | g   |
| SSH             |  4   | ssh        | SSH        |  Yes   | h   |
| (uid,gid)       |  5   | uidgid     | UidGid     |  No    | ug  |
+-----------------+------+------------+------------+--------+-----+

By default method 0 (UsrPwd) is used; host equivalence via /etc/hosts.deny
and/or $HOME/.rhosts is tested by default (it can be disabled).

A specific method can be given priority by adding the suffix shown in the
table (column Sfx) to the specified protocol: for example

   TFile *f = TFile::Open("roots://host.doma.in/~fserv/TheFile.root","read")

requires the use of the SRP method, and

   gROOT->Proof("proofk://lxplus079.cern.ch")

asks for Kerberos authentication when starting a proof session on node
lxplus079.cern.ch.

Defaults can be changed on a {host, user} basis via the file $HOME/.rootauthrc;
the header of the file $ROOTSYS/etc/system.rootauthrc, automatically generated
upon configuration with system defaults based on the compilation options,
contains the explanation of the syntax for the available directives and
examples of use.
Defaults specified by directives in the .rootrc family of files (in order of
priority: $HOME/.rootrc, /etc/root/system.rootrc and $ROOTSYS/etc/system.rootrc)
are still considered for backward compatibility, but with the lowest priority.
It is also possible to specify authentication directives interactively,
as explained below.

A test macro TestAuth.C is provided under the tutorials directory. Its use
is explained at the end of this file.

Controlling access
==================

Directives defining the authentication protocols accepted from a given host
are defined in the active <rootdaemonrc> file; this file is by default
$ROOTSYS/etc/system.rootdaemonrc; if it exists, $HOME/.rootdaemonrc has
priority; it is also possible to use a generic filename and location.
The last two solutions have the advantage that the file does not get
reset if the ROOT distribution needs to be re-configured.

By default the ROOT daemons accept authentication only via the methods
defined by the directive most closely matching the requesting host.
The file $ROOTSYS/etc/system.rootdaemonrc is automatically generated
upon configuration with the list of available secure methods enabled
by default from all hosts.
The administrator of the daemons has the responsibility to add the relevant
entries to fit the site access policy.


Negotiation
===========

Simple negotiation is supported as follows. The client sends its preferred
method (the first one in its list, see below) to the server; if this is among
the methods accepted by the server (not necessarily the one preferred by the
server) authentication is attempted. If the attempt is unsuccessful,
the server sends back the list of the remaining methods it accepts (if any); the
client compares the server list with its own list of remaining methods and
makes a new attempt if the overlap of the two lists is not empty; and so on.

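The negotiation just described, as an added stand-alone C++ example (not ROOT code): a client with a preference-ordered method list negotiates against a simulated daemon. The Server struct and its 'working' list are assumptions made for the simulation; only the method codes come from Table 1.

```cpp
// Added example, not ROOT code: a stand-alone model of the client/server
// method negotiation. The Server struct and its 'working' list are
// constructed for the simulation; only the method codes come from Table 1.
#include <algorithm>
#include <vector>

enum Method { kUsrPwd = 0, kSRP = 1, kKrb5 = 2, kGlobus = 3, kSSH = 4, kUidGid = 5 };

enum Outcome { kRejected, kFailed, kOk };   // per-proposal result
struct Attempt { int method; Outcome outcome; };

static bool Has(const std::vector<int>& v, int m) {
   return std::find(v.begin(), v.end(), m) != v.end();
}

// The daemon side: 'accepted' models the rootdaemonrc directive matching the
// client host; 'working' (constructed) lists the methods for which the client's
// credentials would actually be valid, so that failed attempts can be simulated.
struct Server {
   std::vector<int> accepted;
   std::vector<int> working;
   // Methods still accepted, excluding the ones the client already tried.
   std::vector<int> Remaining(const std::vector<int>& tried) const {
      std::vector<int> out;
      for (int m : accepted)
         if (!Has(tried, m)) out.push_back(m);
      return out;
   }
};

// Client side: 'prefs' is the preference-ordered method list of the THostAuth
// entry for this host. Returns the method finally used, or -1 if the
// negotiation ran out of common methods; 'log' receives every proposal made.
int Negotiate(std::vector<int> prefs, const Server& srv, std::vector<Attempt>& log) {
   std::vector<int> tried;
   if (prefs.empty()) return -1;
   int proposal = prefs.front();          // the preferred method is always sent first
   prefs.erase(prefs.begin());
   for (;;) {
      tried.push_back(proposal);
      if (!Has(srv.accepted, proposal)) {
         log.push_back({proposal, kRejected});   // not accepted: no attempt made
      } else if (Has(srv.working, proposal)) {
         log.push_back({proposal, kOk});
         return proposal;
      } else {
         log.push_back({proposal, kFailed});
      }
      // The server answers with what it still accepts; the client picks the
      // first entry of its own remaining list that is in that answer.
      std::vector<int> offer = srv.Remaining(tried);
      if (offer.empty()) return -1;
      auto next = std::find_if(prefs.begin(), prefs.end(),
                               [&](int m) { return Has(offer, m); });
      if (next == prefs.end()) return -1;  // overlap empty: give up
      proposal = *next;
      prefs.erase(next);
   }
}

// Scenario built from the text: the client prefers Krb5, the daemon's directive
// only accepts SRP, UsrPwd and SSH, and only the UsrPwd credentials are valid.
int DemoNegotiation(std::vector<Attempt>& log) {
   Server srv{{kSRP, kUsrPwd, kSSH}, {kUsrPwd}};
   return Negotiate({kKrb5, kSSH, kSRP, kUsrPwd}, srv, log);
}

int main() {
   std::vector<Attempt> log;
   int used = DemoNegotiation(log);
   return used == kUsrPwd ? 0 : 1;   // Krb5 rejected, SSH failed, SRP failed, UsrPwd ok
}
```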

Slave/Data servers authentication during a PROOF session
========================================================

During a PROOF session there is the potential problem of Master/Slave or
Slave/Data_Server authentication. For slaves, the list of methods to be tried
is specified in the proof.conf file as a list of method short names. However,
before building the corresponding entry in THostAuth (see below) TProofServ checks
that the method can be applied, i.e. that valid credentials exist.
The way the latter are transmitted depends on the method and on the
Client/Master authentication method.

* UsrPwd: to authenticate 'usrpwd' to slaves, the master needs the relevant
  entry in the .netrc or .rootnetrc files; however, if the
  client/master authentication was also 'usrpwd', the password is
  already present in the master process and is used for later clear
  authentications.

* SRP: to authenticate 'SRP' to slaves, the master needs the relevant entry
  in the .netrc or .rootnetrc files; the syntax is the same as for
  'usrpwd' authentication with the keyword 'secure' in place of
  'machine'. However, if the client/master authentication was also
  'SRP', the master can receive the password from the client; the
  password is sent encrypted with the internal RSA key generated for
  the session. To use this option, set 'Proofd.SendSRPPwd 1' in your
  .rootrc (default is 0).

* Krb5/Globus: to authenticate Krb5/Globus to slaves, the master needs globus
  credentials; this is possible (and automatic) only if the
  client/master authentication was also Krb5/Globus.

* SSH: to authenticate 'SSH' to slaves, the master needs the relevant
  private key files in $HOME/.ssh (on the master).

* UidGid: to authenticate 'uidgid' to slaves, the user must have the same
  (uid,gid) on master and slaves.

Negotiation is also active between master and slaves, so asking for 'uidgid'
first may accelerate the authentication process if the server accepts it.

The method actually used is listed by gProof->Print("a").

If the slaves need to access data servers which are not part of the proof
cluster, the login info for these may be specified with the proofserv
card in the .rootauthrc files (see below and etc/system.rootauthrc for
details); the collected information is then transmitted to all the active
slaves upon creation.


Entries in .rootrc
==================

The authentication related entries in the .rootrc family of files define
directives applying to all remote hosts and all remote accounts. The available
directives are the following:

* General switches

     Rootd.Authentication: <code>
     Proofd.Authentication <code>

  These variables specify the default method to be attempted for remote
  authentication for rootd and proofd respectively; <code> is the internal code
  given in Table 1; these directives supersede the default ('ssh' for normal
  users and 'usrpwd' for anonymous users).

* The <method>.Login directives specify the default login for the method:

     UsrPwd.Login, SRP.Login, SSH.Login, UidGid.Login: <username> (e.g.: qwerty)
     Krb5.Login: <principal> (e.g.: qwerty@THIS.DOM.AIN)
     Globus.Login: cd:<dir_with_my_certs> cf:<my_cert_file> \
                   kf:<my_key_file> ad:<dir_with_CA_certs>

* The <method>.LoginPrompt directives specify whether root should prompt you
  for the login (with default the login specified via <method>.Login); possible
  values are 0 or no for no prompt, 1 or yes to have the prompt; valid
  examples:

     UsrPwd.LoginPrompt: 0
     Krb5.LoginPrompt: 1
     Globus.LoginPrompt: no
     SSH.LoginPrompt: yes

  Default is no prompt.

  For anonymous 'usrpwd' login, 'UsrPwd.LoginPrompt 0' implies automatic
  generation of the password in the form <user>@<local_host_fqdn>, where <user>
  is obtained from the variable USER or from ' getpwuid(getuid())->pw_name '.

* The <method>.ReUse directives specify whether root reuses a valid authentication
  once established; possible values are '0' or 'no' for OFF, '1' or 'yes' for ON.
  When this option is active, the client generates a session RSA key pair and
  transmits the public key to the server; the server generates a session 'token'
  which can be used by the client for later access to the server.
  This facility is implemented for all methods except UidGid (for which there would
  be no advantage); it is switched ON by default for UsrPwd, SRP, Globus and SSH,
  since it speeds up repeated access to the same server.
  For Krb5 it is implemented but switched OFF by default, since it does not improve
  on authentication time.

     UsrPwd.ReUse yes
     SRP.ReUse 1
     Krb5.ReUse 0
     Globus.ReUse yes
     SSH.ReUse 1

  NB: unless 'UsrPwd.Crypt 0' is set (see below), for UsrPwd the password is always
  sent encrypted with the session RSA key, even if UsrPwd.ReUse is OFF.

* The <method>.Valid directives specify the validity duration of the security
  context for methods UsrPwd, SRP and SSH; values are passed in the form
  <hours>:<min>, the default being 24:00 .

     UsrPwd.Valid 16:45
     SRP.Valid 13:00
     SSH.Valid 0:05

* Other directives

  * UsrPwd

    * To secure the password exchange set (this is the default)

         UsrPwd.Crypt 1

      A session key pair is generated and used to encrypt the password hash to
      be communicated to the server.

  * globus

    * to change the duration in hours of globus credentials (default is 12) use

         Globus.ProxyDuration: <hours>

    * to change the number of bits in the key (default 1024)

         Globus.ProxyKeyBits: <bits>

      where <bits> is 512 or 1024 or 2048 or 4096

  * ssh

    * to change the path with the 'ssh' executable

         SSH.ExecDir <new_path>

      (the executable will then be <new_path>/ssh)


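As an added example (not ROOT code), a small checker for the .rootrc authentication directives listed above: it applies the defaults stated in the text, parses the '0/no/1/yes' flags and the <hours>:<min> validity, restricts Globus.ProxyKeyBits to the allowed sizes and flags 'UsrPwd.Crypt 0' as a weakening setting. The sample file in SampleConfig() is constructed for the demonstration.

```cpp
// Added example, not ROOT code: checker for the .rootrc authentication
// directives. Defaults and accepted values are those stated in the text.
#include <cstdio>
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct AuthConfig {
   int rootdMethod = 4, proofdMethod = 4;          // 'ssh' (code 4) for normal users
   std::map<std::string, bool> reuse{{"UsrPwd", true}, {"SRP", true}, {"Krb5", false},
                                     {"Globus", true}, {"SSH", true}};
   std::map<std::string, int> validMin{{"UsrPwd", 1440}, {"SRP", 1440}, {"SSH", 1440}}; // 24:00
   bool usrPwdCrypt = true;                        // UsrPwd.Crypt 1 is the default
   int proxyHours = 12, proxyKeyBits = 1024;
   std::vector<std::string> warnings;              // malformed or weakening directives
};

// '0'/'no' -> false, '1'/'yes' -> true; anything else is rejected.
static bool ParseFlag(const std::string& v, bool& out) {
   if (v == "1" || v == "yes") { out = true;  return true; }
   if (v == "0" || v == "no")  { out = false; return true; }
   return false;
}
// <hours>:<min> -> minutes, or -1 when malformed.
static int ParseValid(const std::string& v) {
   int h = 0, m = 0; char sep = 0;
   if (std::sscanf(v.c_str(), "%d%c%d", &h, &sep, &m) != 3 || sep != ':' || h < 0 || m < 0 || m > 59)
      return -1;
   return h * 60 + m;
}

AuthConfig ParseRootrc(const std::string& text) {
   AuthConfig cfg;
   std::istringstream in(text);
   std::string line;
   while (std::getline(in, line)) {
      std::istringstream ls(line);
      std::string key, val;
      if (!(ls >> key) || key[0] == '#') continue;
      if (key.back() == ':') key.pop_back();       // both 'Name: value' and 'Name value' occur
      ls >> val;
      std::string::size_type dot = key.find('.');
      if (dot == std::string::npos) continue;
      std::string method = key.substr(0, dot), dir = key.substr(dot + 1);
      bool flag = false;
      if (dir == "Authentication" && (method == "Rootd" || method == "Proofd")) {
         int code = std::atoi(val.c_str());        // internal code from Table 1
         if (val.empty() || code < 0 || code > 5) { cfg.warnings.push_back("unknown method code: " + line); continue; }
         (method == "Rootd" ? cfg.rootdMethod : cfg.proofdMethod) = code;
      } else if (dir == "ReUse" && cfg.reuse.count(method)) {
         if (ParseFlag(val, flag)) cfg.reuse[method] = flag;
         else cfg.warnings.push_back("bad flag: " + line);
      } else if (dir == "Valid" && cfg.validMin.count(method)) {
         int mins = ParseValid(val);
         if (mins < 0) cfg.warnings.push_back("bad <hours>:<min>: " + line);
         else cfg.validMin[method] = mins;
      } else if (key == "UsrPwd.Crypt" && ParseFlag(val, flag)) {
         cfg.usrPwdCrypt = flag;
         if (!flag) cfg.warnings.push_back("UsrPwd.Crypt 0: password hash no longer sent RSA-encrypted");
      } else if (key == "Globus.ProxyDuration") {
         cfg.proxyHours = std::atoi(val.c_str());
      } else if (key == "Globus.ProxyKeyBits") {
         int bits = std::atoi(val.c_str());
         if (bits == 512 || bits == 1024 || bits == 2048 || bits == 4096) cfg.proxyKeyBits = bits;
         else cfg.warnings.push_back("ProxyKeyBits must be 512/1024/2048/4096: " + line);
      }
   }
   return cfg;
}

// Constructed sample: valid directives of each kind plus two that must be flagged.
AuthConfig SampleConfig() {
   return ParseRootrc("Rootd.Authentication: 1\nProofd.Authentication 0\n"
                      "Krb5.ReUse 1\nSSH.Valid 0:05\nSRP.Valid 13:00\n"
                      "UsrPwd.Crypt 0\nGlobus.ProxyKeyBits: 1536\n");
}
```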
.rootauthrc
===========

The .rootauthrc file allows host and user specific instructions to be specified;
all the possibilities are explained in etc/system.rootauthrc. The information
read is used to instantiate THostAuth objects; these can be modified during the
root session as explained in the next section.


Modifying/Adding authentication info during the session
=======================================================

Remote authentication in root is controlled by the TAuthenticate class;
TNetFile, TFTP and TSlave create a TAuthenticate object before proceeding to
authentication.

Authentication is (host,user) specific. The dedicated class THostAuth contains
the information for a specific (host,user):

   + remote host FQDN
   + user name
   + number of available methods (n)
   + method internal codes (dimension n)
   + login info for each method (dimension n)
   + list of established authentications

The available methods are listed in order of preference: the first one is the
preferred one; the others are tried in turn upon failure of the previous one,
if accepted by the remote daemon (see Negotiation above).

THostAuth objects are instantiated by TAuthenticate at the first call using
the information found in $HOME/.rootauthrc or $ROOTSYS/etc/system.rootauthrc.
The list of THostAuth is refreshed if any of the relevant files has changed
since the last TAuthenticate call, so the best way to change authentication
directives during an interactive session is to edit $HOME/.rootauthrc.
Nonetheless, a set of methods is available in the TAuthenticate and THostAuth
classes to display/modify/create THostAuth objects interactively.

* void TAuthenticate::Show(<opt>)

  Prints information about the authentication environment:

     <opt> = "s"  list of active security contexts (default)
             "h"  the content of the instantiated THostAuth objects in the
                  standard list
             "p"  the content of the instantiated THostAuth objects in
                  the proof list

  Example:

   root [6] TAuthenticate::Show()
   Info in <TSecContext::Print>: +------------------------------------------------------+
   Info in <TSecContext::Print>: + Host:pceple19.cern.ch Method:0 (UsrPwd) User:'ganis'
   Info in <TSecContext::Print>: + OffSet:0 Details: 'pt:0 ru:1 cp:1 us:ganis'
   Info in <TSecContext::Print>: + Expiration time: Sat Jan 10 13:18:41 2004
   Info in <TSecContext::Print>: +------------------------------------------------------+


   root [7] TAuthenticate::Show("h")
   Info in <::Print>: +--------------------------- BEGIN --------------------------------+
   Info in <::Print>: + +
   Info in <::Print>: + List fgAuthInfo has 5 members +
   Info in <::Print>: + +
   Info in <::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:default - User:* - # of available methods:6
   Info in <THostAuth::Print>: + Method: 0 (UsrPwd) Ok:0 Ko:0 Dets:pt:no ru:yes cp:yes us:
   Info in <THostAuth::Print>: + Method: 4 (SSH) Ok:0 Ko:0 Dets:pt:no ru:yes us:
   Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:no us:
   Info in <THostAuth::Print>: + Method: 2 (Krb5) Ok:0 Ko:0 Dets:pt:no ru:no us:
   Info in <THostAuth::Print>: + Method: 3 (Globus) Ok:0 Ko:0 Dets:pt:no ru:yes
   Info in <THostAuth::Print>: + Method: 5 (UidGid) Ok:0 Ko:0 Dets:pt:no us:
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
   Info in <THostAuth::PrintEstablished>: + Host:default - Number of active sec contexts: 0
   Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:pcep*.cern.ch - User:* - # of available methods:2
   Info in <THostAuth::Print>: + Method: 0 (UsrPwd) Ok:1 Ko:0 Dets:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:1 Ko:0 Dets:pt:yes ru:no us:ganis
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
   Info in <THostAuth::PrintEstablished>: + Host:pcep*.cern.ch - Number of active sec contexts: 1
   Info in <TSecContext::PrintEstblshed>: + 1) h:pceple19.cern.ch met:0 (UsrPwd) us:'ganis'
   Info in <TSecContext::PrintEstblshed>: + offset:0 det: 'pt:0 ru:1 cp:1 us:ganis'
   Info in <TSecContext::PrintEstblshed>: + expiring: Sat Jan 10 13:18:41 2004
   Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:lxplus*.cern.ch - User:* - # of available methods:2
   Info in <THostAuth::Print>: + Method: 4 (SSH) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
   Info in <THostAuth::PrintEstablished>: + Host:lxplus*.cern.ch - Number of active sec contexts: 0
   Info in <THostAuth::PrintEstablished>: +------------------------------------------------------------------------------+
   Info in <::Print>: +---------------------------- END ---------------------------------+

  The method THostAuth::PrintEstablished is also called, displaying the
  relevant info about the established security context(s) saved in TSecContext.

   root [8] TAuthenticate::Show("p")
   Info in <::Print>: +--------------------------- BEGIN --------------------------------+
   Info in <::Print>: + +
   Info in <::Print>: + List fgProofAuthInfo has 1 members +
   Info in <::Print>: + +
   Info in <::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:lxplus*.cern.ch - User:ganis - # of available methods:2
   Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 4 (SSH) Ok:0 Ko:0 Dets:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <::Print>: +---------------------------- END ---------------------------------+

  This is the list built following the 'proofserv' directives in .rootauthrc.

* THostAuth *TAuthenticate::GetHostAuth(<host_fqdn>,<user>,<opt>,<kExact>);

  Returns a pointer to the THostAuth object pertaining to (host,user) if it
  exists, 0 otherwise. If <opt>="R" (default) the search is performed in the
  standard list, if <opt>="P" in the proof list. The last argument <kExact>
  is a pointer to an integer: if defined (non-zero) the pointed location is
  filled with 1 if the match is exact, with 0 if a matching entry with wild
  cards was found.

  Example:

   root [2] THostAuth *ha = TAuthenticate::GetHostAuth("pcepsft43.cern.ch","ganis")
   root [3] printf("ha: 0x%x\n",(int)ha);
   ha: 0x88df970
   root [4] THostAuth *ha = TAuthenticate::GetHostAuth("der.mit.ow","scruno")
   root [5] printf("ha: 0x%x\n",(int)ha);
   ha: 0x0
   root [6]

* void TAuthenticate::RemoveHostAuth(THostAuth *ha)

  Removes and destroys the THostAuth object pointed to by ha from the static
  list in TAuthenticate.

* void THostAuth::Print()

  Prints the information contained in this THostAuth object.

  Example:

   root [10] ha->Print()
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:pcep*.cern.ch - User:* - # of available methods:2
   Info in <THostAuth::Print>: + Method: 0 (UsrPwd) Ok:1 Ko:0 Dets:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 1 (SRP) Ok:1 Ko:0 Dets:pt:yes ru:no us:ganis
   Info in <THostAuth::Print>: +------------------------------------------------------------------+

  The statistics for successful or unsuccessful use of the indicated methods
  are shown after "Ok:" and "Ko:", respectively.


* void THostAuth::AddMethod(<code>,<login_info>)

  Adds a new method (internal code <code>, login information <login_info>) at
  the end of the list of available methods.

  Example (with respect to above):

   root [9] ha->AddMethod(0,"no us:ganis")
   root [10] ha->Print()
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4
   Info in <THostAuth::Print>: + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates
   Info in <THostAuth::Print>: + Method: 4 Details:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 1 Details:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 5 Details:pt:yes us:ganis
   Info in <THostAuth::Print>: + Method: 0 Details:pt:no us:ganis
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   root [11]

* void THostAuth::RemoveMethod(<code>)

  Removes the method with internal code <code> from the list of available methods.

  Example (with respect to above):

   root [9] ha->RemoveMethod(5)
   root [10] ha->Print()
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4
   Info in <THostAuth::Print>: + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates
   Info in <THostAuth::Print>: + Method: 4 Details:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 1 Details:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 0 Details:pt:no us:ganis
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   root [11]

* void THostAuth::SetDetails(<code>,<login_info>)

  Changes the login info for the method with internal code <code> to
  <login_info>; if the method does not exist, it is added as a new method.

  Example (with respect to above):

   root [11] ha->SetDetails(4,"pt:no ru:1 us:gganis")
   root [12] ha->Print()
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4
   Info in <THostAuth::Print>: + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates
   Info in <THostAuth::Print>: + Method: 4 Details:pt:no ru:1 us:gganis
   Info in <THostAuth::Print>: + Method: 1 Details:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 0 Details:pt:no us:ganis
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   root [13]

* void THostAuth::SetFirst(<code>)

  Sets the method with internal code <code> as the preferred one, if it exists.

  Example (with respect to above):

   root [13] ha->SetFirst(1)
   root [14] ha->Print()
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   Info in <THostAuth::Print>: + Host:pcepsft43.cern.ch - User:ganis - # of available methods:4
   Info in <THostAuth::Print>: + Method: 1 Details:pt:no ru:1 us:ganis
   Info in <THostAuth::Print>: + Method: 3 Details:pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates
   Info in <THostAuth::Print>: + Method: 4 Details:pt:no ru:1 us:gganis
   Info in <THostAuth::Print>: + Method: 0 Details:pt:no us:ganis
   Info in <THostAuth::Print>: +------------------------------------------------------------------+
   root [15]

* void THostAuth::AddFirst(<code>,<login_info>)

  Sets the method with internal code <code> as the preferred one, and changes
  the login information to <login_info>. If the method does not exist, a new
  method is added in first position.

* void THostAuth::ReOrder(nmet,meths)

  Reorders the list of the available methods in such a way that the first nmet
  methods are the ones listed in meths[nmet].

* Bool_t THostAuth::IsActive() const { return fActive; }

  Indicates whether this THostAuth instance is active.

* void THostAuth::DeActivate() { fActive = kFALSE; }

  Sets this THostAuth instance inactive.

* void THostAuth::Activate() { fActive = kTRUE; }

  Sets this THostAuth instance active.

* void THostAuth::Reset();

  Resets the content of this THostAuth instance.

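The list operations above (AddMethod, RemoveMethod, SetDetails, SetFirst, AddFirst, ReOrder), as an added stand-alone C++ model that is not the ROOT THostAuth class: HostAuth keeps a preference-ordered list of (code, details) pairs, and Replay() reproduces the interactive session shown in the examples on a constructed entry for (pcepsft43.cern.ch, ganis). The ordering semantics follow the examples; Order() and Details() are helpers assumed here for checking the result.

```cpp
// Added example, not the ROOT THostAuth class: a model of its method list
// reproducing the list operations described above.
#include <string>
#include <utility>
#include <vector>

class HostAuth {
public:
   typedef std::pair<int, std::string> Entry;     // (internal code, login details)

   HostAuth(std::string host, std::string user) : fHost(host), fUser(user) {}
   const std::string& Host() const { return fHost; }
   int NumMethods() const { return (int)fMethods.size(); }
   std::string Details(int code) const {          // "" if the method is not present
      int i = Find(code);
      return i < 0 ? std::string() : fMethods[i].second;
   }
   std::vector<int> Order() const {               // preference-ordered codes, e.g. {1,3,4,0}
      std::vector<int> v;
      for (const Entry& e : fMethods) v.push_back(e.first);
      return v;
   }
   void AddMethod(int code, const std::string& det) {          // append at the end
      if (Find(code) < 0) fMethods.push_back(Entry(code, det));
   }
   void RemoveMethod(int code) {
      int i = Find(code);
      if (i >= 0) fMethods.erase(fMethods.begin() + i);
   }
   void SetDetails(int code, const std::string& det) {         // change in place, or append
      int i = Find(code);
      if (i >= 0) fMethods[i].second = det; else AddMethod(code, det);
   }
   void SetFirst(int code) {                                   // move to front if present
      int i = Find(code);
      if (i > 0) { Entry e = fMethods[i]; fMethods.erase(fMethods.begin() + i); fMethods.insert(fMethods.begin(), e); }
   }
   void AddFirst(int code, const std::string& det) {           // front position, new details
      RemoveMethod(code);
      fMethods.insert(fMethods.begin(), Entry(code, det));
   }
   // The first nmet entries become meths[0..nmet-1] in that order; the
   // remaining ones keep their relative order behind them.
   void ReOrder(int nmet, const int* meths) {
      std::vector<Entry> head;
      for (int k = 0; k < nmet; k++) {
         int i = Find(meths[k]);
         if (i >= 0) { head.push_back(fMethods[i]); fMethods.erase(fMethods.begin() + i); }
      }
      fMethods.insert(fMethods.begin(), head.begin(), head.end());
   }

private:
   int Find(int code) const {                     // index of code, or -1
      for (size_t i = 0; i < fMethods.size(); i++)
         if (fMethods[i].first == code) return (int)i;
      return -1;
   }
   std::string fHost, fUser;
   std::vector<Entry> fMethods;
};

// Replays the session shown above on a constructed entry that starts with
// methods 3,4,1,5; the details strings are constructed after the examples.
HostAuth Replay() {
   HostAuth ha("pcepsft43.cern.ch", "ganis");
   ha.AddMethod(3, "pt:no cd:~/.globus cf:usercert.pem kf:userkey.pem ad:certificates");
   ha.AddMethod(4, "pt:no ru:1 us:ganis");
   ha.AddMethod(1, "pt:no ru:1 us:ganis");
   ha.AddMethod(5, "pt:yes us:ganis");
   ha.AddMethod(0, "pt:no us:ganis");            // -> 3,4,1,5,0
   ha.RemoveMethod(5);                            // -> 3,4,1,0
   ha.SetDetails(4, "pt:no ru:1 us:gganis");      // SSH details changed in place
   ha.SetFirst(1);                                // -> 1,3,4,0
   return ha;
}
```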
TSecContext
===========

The class TSecContext contains the relevant details about an established security
context, typically needed for reuse of the context.

TestAuth.C
==========

This macro is provided to test the available authentication methods.
The macro is located under $ROOTSYS/tutorials.
Before executing it, start a rootd daemon in the background or, to get
some debug printouts, in a separate window with

   rootd -d 3 -f

Remember to add "-p <port>" if the default port (1094) cannot be used
for some reason.

Then run

   root -q -l $ROOTSYS/tutorials/TestAuth.C

and answer the requests for passwords or similar to initialize
credentials. Upon success, you should get at the end something like this:


   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   + +
   + Result of the tests: +
   + +
   + Method: 0 (UsrPwd): successful! (reuse: successful!) +
   + Method: 1 (SRP): successful! (reuse: successful!) +
   + Method: 2 (Krb5): successful! (reuse: successful!) +
   + Method: 3 (Globus): successful! (reuse: successful!) +
   + Method: 4 (SSH): successful! (reuse: successful!) +
   + Method: 5 (UidGid): successful! +
   + +
   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The macro assumes rootd accepting connections on port 1094; if this
is not the case you can pass the port number as the first argument to
the macro.

The macro assumes that you are trying to log in as yourself to rootd,
i.e. with the username you are logged in as. You may change this by passing
a different username "newuser" as second argument. In this case you
have to start rootd from the "newuser" account or as superuser,
to avoid access problems. Also, for SSH, make sure that "newuser"
can execute $ROOTSYS/bin/ssh2rpd.

The macro assumes that the Kerberos principal is in the form

   <current_user>@<DEFAULT_REALM>

where <DEFAULT_REALM> is searched for in the Kerberos conf file
/etc/krb5.conf (or $KRB5_CONFIG). If the principal for the current
user is different, you have to pass it as third argument to TestAuth.C.

Finally, for Globus, if the certificate files and directories are not
standard, you should pass the ones to be used as fourth argument, the
syntax being the same as for $HOME/.rootauthrc .

This is a summary of the arguments to TestAuth.C:

   TestAuth.C(<port>,"<user>","<krb5_princ>","<globus_det>")

   <port>        = rootd port (default 1094)
   <user>        = login user name for the test
                   (default from getpwuid)
   <krb5_princ>  = principal to be used for Krb5 authentication
                   in the form user@THE.REA.LM
                   (default: <running_user>@<Default_Realm>, with
                   Default_Realm taken from /etc/krb5.conf
                   or the $KRB5_CONFIG file)
   <globus_det>  = details for the globus authentication
                   (default: ad:certificates cd:$HOME/.globus
                   cf:usercert.pem kf:userkey.pem)

--------------------------------------------------------------------------------------
Last update: September 23, 2004