/usr/include/root/TAuthenticate.h is in libroot-net-auth-dev 5.34.14-1build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 | // @(#)root/auth:$Id$
// Author: Fons Rademakers 26/11/2000
/*************************************************************************
* Copyright (C) 1995-2000, Rene Brun and Fons Rademakers. *
* All rights reserved. *
* *
* For the licensing terms see $ROOTSYS/LICENSE. *
* For the list of contributors see $ROOTSYS/README/CREDITS. *
*************************************************************************/
#ifndef ROOT_TAuthenticate
#define ROOT_TAuthenticate
//////////////////////////////////////////////////////////////////////////
// //
// TAuthenticate //
// //
// An authentication module for ROOT based network services, like rootd //
// and proofd. //
// //
//////////////////////////////////////////////////////////////////////////
#ifndef ROOT_TObject
#include "TObject.h"
#endif
#ifndef ROOT_TString
#include "TString.h"
#endif
#ifndef ROOT_TList
#include "TList.h"
#endif
#ifndef ROOT_TDatime
#include "TDatime.h"
#endif
#ifndef ROOT_rsafun
#include "rsafun.h"
#endif
#ifndef ROOT_AuthConst
#include "AuthConst.h"
#endif
#ifdef R__SSL
// SSL specific headers for blowfish encryption
#include <openssl/blowfish.h>
#endif
class TAuthenticate;
class THostAuth;
class TPluginHandler;
class TSocket;
class TRootSecContext;
class TVirtualMutex;
typedef Int_t (*CheckSecCtx_t)(const char *subj, TRootSecContext *ctx);
typedef Int_t (*GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det);
typedef Int_t (*Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version);
typedef Int_t (*SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd,
const char *remote, TString &det, Int_t version);
R__EXTERN TVirtualMutex *gAuthenticateMutex;
class TAuthenticate : public TObject {
friend class TRootAuth;
friend class TRootSecContext;
friend class TSocket;
public:
enum ESecurity { kClear, kSRP, kKrb5, kGlobus, kSSH, kRfio }; // type of authentication
private:
TString fDetails; // logon details (method dependent ...)
THostAuth *fHostAuth; // pointer to relevant authentication info
TString fPasswd; // user's password
TString fProtocol; // remote service (rootd, proofd)
Bool_t fPwHash; // kTRUE if fPasswd is a passwd hash
TString fRemote; // remote host to which we want to connect
Int_t fRSAKey; // Type of RSA key used
TRootSecContext *fSecContext; // pointer to relevant sec context
ESecurity fSecurity; // actual logon security level
TSocket *fSocket; // connection to remote daemon
Bool_t fSRPPwd; // kTRUE if fPasswd is a SRP passwd
Int_t fVersion; // 0,1,2, ... accordingly to remote daemon version
TString fUser; // user to be authenticated
Int_t fTimeOut; // timeout flag
Int_t GenRSAKeys();
Bool_t GetPwHash() const { return fPwHash; }
Int_t GetRSAKey() const { return fRSAKey; }
ESecurity GetSecurity() const { return fSecurity; }
Bool_t GetSRPPwd() const { return fSRPPwd; }
const char *GetSshUser(TString user) const;
Int_t GetVersion() const { return fVersion; }
Int_t ClearAuth(TString &user, TString &passwd, Bool_t &pwhash);
Bool_t GetUserPasswd(TString &user, TString &passwd,
Bool_t &pwhash, Bool_t srppwd);
char *GetRandString(Int_t Opt,Int_t Len);
Int_t ProofAuthSetup();
Int_t RfioAuth(TString &user);
void SetEnvironment();
Int_t SshAuth(TString &user);
Int_t SshError(const char *errfile);
static TList *fgAuthInfo;
static TString fgAuthMeth[kMAXSEC];
static Bool_t fgAuthReUse; // kTRUE is ReUse required
static TString fgDefaultUser; // Default user information
static TDatime fgExpDate; // Expiring date for new security contexts
static GlobusAuth_t fgGlobusAuthHook;
static Krb5Auth_t fgKrb5AuthHook;
static TString fgKrb5Principal; // Principal for Krb5 ticket
static TDatime fgLastAuthrc; // Time of last reading of fgRootAuthrc
static TString fgPasswd;
static TPluginHandler *fgPasswdDialog; // Passwd dialog GUI plugin
static Bool_t fgPromptUser; // kTRUE if user prompt required
static TList *fgProofAuthInfo; // Specific lists of THostAuth fro proof
static Bool_t fgPwHash; // kTRUE if fgPasswd is a passwd hash
static Bool_t fgReadHomeAuthrc; // kTRUE to look for $HOME/.rootauthrc
static TString fgRootAuthrc; // Path to last rootauthrc-like file read
static Int_t fgRSAKey; // Default type of RSA key to be tried
static Int_t fgRSAInit;
static rsa_KEY fgRSAPriKey;
static rsa_KEY fgRSAPubKey;
static rsa_KEY_export fgRSAPubExport[2];
#ifdef R__SSL
static BF_KEY fgBFKey; // Blowfish symmetric key
#endif
static SecureAuth_t fgSecAuthHook;
static Bool_t fgSRPPwd; // kTRUE if fgPasswd is a SRP passwd
static TString fgUser;
static Bool_t fgUsrPwdCrypt; // kTRUE if encryption for UsrPwd is required
static Int_t fgLastError; // Last error code processed by AuthError()
static Int_t fgAuthTO; // if > 0, timeout in sec
static Int_t fgProcessID; // ID of the main thread as unique identifier
static Bool_t CheckHost(const char *Host, const char *host);
static void FileExpand(const char *fin, FILE *ftmp);
static Int_t ProofAuthSetup(TSocket *sock, Bool_t client);
static void RemoveSecContext(TRootSecContext *ctx);
public:
TAuthenticate(TSocket *sock, const char *remote, const char *proto,
const char *user = "");
virtual ~TAuthenticate() { }
Bool_t Authenticate();
Int_t AuthExists(TString User, Int_t method, const char *Options,
Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck);
void CatchTimeOut();
Bool_t CheckNetrc(TString &user, TString &passwd);
Bool_t CheckNetrc(TString &user, TString &passwd,
Bool_t &pwhash, Bool_t srppwd);
THostAuth *GetHostAuth() const { return fHostAuth; }
const char *GetProtocol() const { return fProtocol; }
const char *GetRemoteHost() const { return fRemote; }
Int_t GetRSAKeyType() const { return fRSAKey; }
TRootSecContext *GetSecContext() const { return fSecContext; }
TSocket *GetSocket() const { return fSocket; }
const char *GetUser() const { return fUser; }
Int_t HasTimedOut() const { return fTimeOut; }
void SetRSAKeyType(Int_t key) { fRSAKey = key; }
void SetSecContext(TRootSecContext *ctx) { fSecContext = ctx; }
static void AuthError(const char *where, Int_t error);
static Bool_t CheckProofAuth(Int_t cSec, TString &det);
static Int_t DecodeRSAPublic(const char *rsapubexport, rsa_NUMBER &n,
rsa_NUMBER &d, char **rsassl = 0);
static TList *GetAuthInfo();
static const char *GetAuthMethod(Int_t idx);
static Int_t GetAuthMethodIdx(const char *meth);
static Bool_t GetAuthReUse();
static Int_t GetClientProtocol();
static char *GetDefaultDetails(Int_t method, Int_t opt, const char *user);
static const char *GetDefaultUser();
static TDatime GetGlobalExpDate();
static Bool_t GetGlobalPwHash();
static Bool_t GetGlobalSRPPwd();
static const char *GetGlobalUser();
static GlobusAuth_t GetGlobusAuthHook();
static THostAuth *GetHostAuth(const char *host, const char *user="",
Option_t *opt = "R", Int_t *Exact = 0);
static const char *GetKrb5Principal();
static Bool_t GetPromptUser();
static TList *GetProofAuthInfo();
static Int_t GetRSAInit();
static const char *GetRSAPubExport(Int_t key = 0);
static THostAuth *HasHostAuth(const char *host, const char *user,
Option_t *opt = "R");
static void InitRandom();
static void MergeHostAuthList(TList *Std, TList *New, Option_t *Opt = "");
static char *PromptPasswd(const char *prompt = "Password: ");
static char *PromptUser(const char *remote);
static Int_t ReadRootAuthrc();
static void RemoveHostAuth(THostAuth *ha, Option_t *opt = "");
static Int_t SecureRecv(TSocket *Socket, Int_t dec,
Int_t KeyType, char **Out);
static Int_t SecureSend(TSocket *Socket, Int_t enc,
Int_t KeyType, const char *In);
static Int_t SendRSAPublicKey(TSocket *Socket, Int_t key = 0);
static void SetAuthReUse(Bool_t authreuse);
static void SetDefaultUser(const char *defaultuser);
static void SetGlobalExpDate(TDatime expdate);
static void SetGlobalPasswd(const char *passwd);
static void SetGlobalPwHash(Bool_t pwhash);
static void SetGlobalSRPPwd(Bool_t srppwd);
static void SetGlobalUser(const char *user);
static void SetGlobusAuthHook(GlobusAuth_t func);
static void SetKrb5AuthHook(Krb5Auth_t func);
static void SetPromptUser(Bool_t promptuser);
static void SetDefaultRSAKeyType(Int_t key);
static void SetReadHomeAuthrc(Bool_t readhomeauthrc); // for PROOF
static void SetRSAInit(Int_t init = 1);
static Int_t SetRSAPublic(const char *rsapubexport, Int_t klen);
static void SetSecureAuthHook(SecureAuth_t func);
static void SetTimeOut(Int_t to);
static void Show(Option_t *opt="S");
ClassDef(TAuthenticate,0) // Class providing remote authentication service
};
#endif
|