diff --git a/etc/rpdauth.allow b/etc/rpdauth.allow
index 6d71dd05c65e5d6b3f5b031bccfd409319594cd8..0ec4822236fb9e8c55fde57ff410119003a1b427 100644
--- a/etc/rpdauth.allow
+++ b/etc/rpdauth.allow
@@ -71,9 +71,12 @@
#
# default none
# default ssh 0 uidgid
-# 127.0.0.1 4 0 3 1 2 5
# 137.138. 4 0
# pceple19.cern.ch 4 1 3 2 5 0
# lxplus*.cern.ch 4 1 globus 0:ganis:gganis 5
# pcepsft43.cern.ch 4 3 1 5 2 0
# afal57.cern.ch 0 5 4
+#
+# Everything allowed from the local host (for testing)
+#
+127.0.0.1 4 0 3 1 2 5
diff --git a/globusauth/src/GlobusAuth.cxx b/globusauth/src/GlobusAuth.cxx
index 18ca6573f3ac3669d67a6422ab1b1edb9b10c666..cefdb6ebb6328f591271be5ecf6ba9848cfb5b50 100644
--- a/globusauth/src/GlobusAuth.cxx
+++ b/globusauth/src/GlobusAuth.cxx
@@ -1,4 +1,4 @@
-// @(#)root/globus:$Name:$:$Id:$
+// @(#)root/globus:$Name: $:$Id: GlobusAuth.cxx,v 1.1 2003/08/29 10:38:19 rdm Exp $
// Author: Gerardo Ganis 15/01/2003
/*************************************************************************
@@ -159,7 +159,7 @@ Int_t GlobusAuthenticate(TAuthenticate * Auth, TString & user,
if (gDebug > 2)
Info("GlobusAuthenticate", " Issuer name is %s (%d)", isuj,
strlen(isuj));
- SafeDelete(stmp);
+ if (stmp) delete[] stmp;
// Get credential handle ... either genuine or delegated
if (GlobusGetCredHandle(gLocalCallEnv, &GlbCredHandle)) {
@@ -214,11 +214,11 @@ Int_t GlobusAuthenticate(TAuthenticate * Auth, TString & user,
gDetails, Options, &kind,
&retval)) == 1) {
// A valid authentication exists: we are done ...
- SafeDelete(Options);
+ if (Options) delete[] Options;
return 1;
}
if (rc == -2) {
- SafeDelete(Options);
+ if (Options) delete[] Options;
return rc;
}
// If server does not support Globus authentication we can't continue ...
@@ -237,7 +237,7 @@ Int_t GlobusAuthenticate(TAuthenticate * Auth, TString & user,
bsnd - 1, strlen(buf));
return 0;
}
- SafeDelete(buf);
+ if (buf) delete[] buf;
// Now we send it to the server daemon
if ((bsnd = sock->Send(isuj, kMESS_STRING)) != (int) (strlen(isuj) + 1)) {
Error("GlobusAuthenticate",
@@ -304,7 +304,7 @@ Int_t GlobusAuthenticate(TAuthenticate * Auth, TString & user,
GSS_S_COMPLETE) {
GlobusError("GlobusAuthenticate: gss_assist_init_sec_context",
MajStat, MinStat, GlbTokenStatus);
- SafeDelete(host_subj);
+ if (host_subj) delete[] host_subj;
return 0;
} else {
GlobusStoreSecContext((char *) hostFQDN, GlbContextHandle, ssuj);
@@ -318,7 +318,7 @@ Int_t GlobusAuthenticate(TAuthenticate * Auth, TString & user,
}
// Now we have the subject and we can release some resources ...
- SafeDelete(host_subj);
+ if (host_subj) delete[] host_subj;
// Receive username used for login or key request info and type of key
int nrec = sock->Recv(retval, type); // returns user
@@ -399,11 +399,11 @@ Int_t GlobusAuthenticate(TAuthenticate * Auth, TString & user,
" it looks like server did not authenticate ");
// free allocated memory ...
- SafeDelete(isuj);
- SafeDelete(ssuj);
- SafeDelete(rfrm);
- SafeDelete(lUser);
- SafeDelete(Token);
+ if (isuj) delete[] isuj;
+ if (ssuj) delete[] ssuj;
+ if (rfrm) delete[] rfrm;
+ if (lUser) delete[] lUser;
+ if (Token) delete[] Token;
// return result
return auth;
@@ -447,7 +447,7 @@ int GlobusGetDelCred()
"Globus Credentials successfully imported (0x%x)",
GlbDelCredHandle);
- SafeDelete(credential);
+ if (credential) delete[] credential;
// Detach from shared memory segment
int rc = shmdt((const void *) databuf);
@@ -492,7 +492,7 @@ void GlobusError(char *mess, OM_uint32 majs, OM_uint32 mins, int toks)
Error(":Error: %s (majst=%d,minst=%d,tokst:%d)", GlbErr, majs, mins,
toks);
- SafeDelete(GlbErr);
+ if (GlbErr) delete[] GlbErr;
}
//______________________________________________________________________________
@@ -529,9 +529,9 @@ int GlobusStoreSecContext(char *host, gss_ctx_id_t context_handle,
subjGlbSecCont[NumGlbSecCont - 1] = strdup(client_name);
sptrGlbSecCont[NumGlbSecCont - 1] = context_handle;
- SafeDelete(tmph);
- SafeDelete(tmpc);
- SafeDelete(tmps);
+ if (tmph) delete[] tmph;
+ if (tmpc) delete[] tmpc;
+ if (tmps) delete[] tmps;
} else {
@@ -671,13 +671,13 @@ int GlobusGetNames(int LocalEnv, char **IssuerName, char **SubjectName)
Error("GlobusGetNames", "requested file %s does not exist",
cert_file);
// retval= 2;
- SafeDelete(cert_file);
+ if (cert_file) delete[] cert_file;
return 2;
} else if (access(cert_file, R_OK)) {
Error("GlobusGetNames", "no permission to read requested file %s",
cert_file);
// retval= 4;
- SafeDelete(cert_file);
+ if (cert_file) delete[] cert_file;
return 4;
} else if (gDebug > 3) {
Info("GlobusGetNames", "File with certificate: %s", cert_file);
@@ -686,7 +686,7 @@ int GlobusGetNames(int LocalEnv, char **IssuerName, char **SubjectName)
FILE *fcert = fopen(cert_file, "r");
if (fcert == 0 || !PEM_read_X509(fcert, &xcert, 0, 0)) {
Error("GlobusGetNames", "Unable to load user certificate ");
- SafeDelete(cert_file);
+ if (cert_file) delete[] cert_file;
return 5;
}
fclose(fcert);
@@ -703,7 +703,7 @@ int GlobusGetNames(int LocalEnv, char **IssuerName, char **SubjectName)
Info("GlobusGetNames", "Subject Name: %s", *SubjectName);
}
- SafeDelete(cert_file);
+ if (cert_file) delete[] cert_file;
// Now check if there is a proxy file associated with this user
int nProxy = 1;
@@ -737,8 +737,8 @@ int GlobusGetNames(int LocalEnv, char **IssuerName, char **SubjectName)
if (strstr(ProxyIssuerName, *SubjectName) == ProxyIssuerName) {
gNeedProxy = 0;
setenv("X509_USER_PROXY", proxy_file, 1);
- SafeDelete(ProxyIssuerName);
- SafeDelete(ProxySubjectName);
+ if (ProxyIssuerName) delete[] ProxyIssuerName;
+ if (ProxySubjectName) delete[] ProxySubjectName;
if (gDebug > 3)
Info("GlobusGetNames", "Using Proxy file:%s (gNeedProxy:%d)",
getenv("X509_USER_PROXY"), gNeedProxy);
@@ -747,8 +747,8 @@ int GlobusGetNames(int LocalEnv, char **IssuerName, char **SubjectName)
} else {
sprintf(proxy_file, "/tmp/x509up_u%d.%d", getuid(), nProxy);
nProxy++;
- SafeDelete(ProxyIssuerName);
- SafeDelete(ProxySubjectName);
+ if (ProxyIssuerName) delete[] ProxyIssuerName;
+ if (ProxySubjectName) delete[] ProxySubjectName;
goto again;
}
} else {
@@ -992,9 +992,9 @@ int GlobusUpdateSecContInfo(int entry)
}
// Update reference table
- SafeDelete(hostGlbSecCont);
- SafeDelete(subjGlbSecCont);
- SafeDelete(sptrGlbSecCont);
+ if (hostGlbSecCont) delete[] hostGlbSecCont;
+ if (subjGlbSecCont) delete[] subjGlbSecCont;
+ if (sptrGlbSecCont) delete[] sptrGlbSecCont;
NumGlbSecCont = nGoodCont;
if (NumGlbSecCont > 0) {
@@ -1123,32 +1123,28 @@ void GlobusSetCertificates(int LocalEnv)
|| !strncmp(tmpvar[i], "Cd:", 3)
|| !strncmp(tmpvar[i], "cD:", 3)
|| !strncmp(tmpvar[i], "CD:", 3)) {
- if (ddir != 0)
- SafeDelete(ddir);
+ if (ddir) delete[] ddir;
ddir = StrDup(tmpvar[i] + 3);
}
if (!strncmp(tmpvar[i], "cf:", 3)
|| !strncmp(tmpvar[i], "Cf:", 3)
|| !strncmp(tmpvar[i], "cF:", 3)
|| !strncmp(tmpvar[i], "CF:", 3)) {
- if (dcer != 0)
- SafeDelete(dcer);
+ if (dcer) delete[] dcer;
dcer = StrDup(tmpvar[i] + 3);
}
if (!strncmp(tmpvar[i], "kf:", 3)
|| !strncmp(tmpvar[i], "Kf:", 3)
|| !strncmp(tmpvar[i], "kF:", 3)
|| !strncmp(tmpvar[i], "KF:", 3)) {
- if (dkey != 0)
- SafeDelete(dkey);
+ if (dkey) delete[] dkey;
dkey = StrDup(tmpvar[i] + 3);
}
if (!strncmp(tmpvar[i], "ad:", 3)
|| !strncmp(tmpvar[i], "Ad:", 3)
|| !strncmp(tmpvar[i], "aD:", 3)
|| !strncmp(tmpvar[i], "AD:", 3)) {
- if (dadi != 0)
- SafeDelete(dadi);
+ if (dadi) delete[] dadi;
dadi = StrDup(tmpvar[i] + 3);
}
}
@@ -1163,53 +1159,45 @@ void GlobusSetCertificates(int LocalEnv)
if (!strncmp(ddir, "~/", 2)) {
temp[0] = '\0';
sprintf(temp, "%s%s", userhome, ddir + 1);
- if (ddir != 0)
- SafeDelete(ddir);
+ if (ddir) delete[] ddir;
ddir = StrDup(temp);
} else if (strncmp(ddir, "/", 1)) {
temp[0] = '\0';
sprintf(temp, "%s/%s/%s", userhome, globusdef, ddir);
- if (ddir != 0)
- SafeDelete(ddir);
+ if (ddir) delete[] ddir;
ddir = StrDup(temp);
}
if (!strncmp(dcer, "~/", 2)) {
temp[0] = '\0';
sprintf(temp, "%s%s", userhome, dcer + 1);
- if (dcer != 0)
- SafeDelete(dcer);
+ if (dcer) delete[] dcer;
dcer = StrDup(temp);
} else if (strncmp(dcer, "/", 1)) {
temp[0] = '\0';
sprintf(temp, "%s/%s", ddir, dcer);
- if (dcer != 0)
- SafeDelete(dcer);
+ if (dcer) delete[] dcer;
dcer = StrDup(temp);
}
if (!strncmp(dkey, "~/", 2)) {
temp[0] = '\0';
sprintf(temp, "%s%s", userhome, dkey + 1);
- if (dkey != 0)
- SafeDelete(dkey);
+ if (dkey) delete[] dkey;
dkey = StrDup(temp);
} else if (strncmp(dkey, "/", 1)) {
temp[0] = '\0';
sprintf(temp, "%s/%s", ddir, dkey);
- if (dkey != 0)
- SafeDelete(dkey);
+ if (dkey) delete[] dkey;
dkey = StrDup(temp);
}
if (!strncmp(dadi, "~/", 2)) {
temp[0] = '\0';
sprintf(temp, "%s%s", userhome, dadi + 1);
- if (dadi != 0)
- SafeDelete(dadi);
+ if (dadi) delete[] dadi;
dadi = StrDup(temp);
} else if (strncmp(dadi, "/", 1)) {
temp[0] = '\0';
sprintf(temp, "%s/%s/%s", userhome, globusdef, dadi);
- if (dadi != 0)
- SafeDelete(dadi);
+ if (dadi) delete[] dadi;
dadi = StrDup(temp);
}
if (gDebug > 3)
@@ -1222,14 +1210,10 @@ void GlobusSetCertificates(int LocalEnv)
setenv("X509_USER_KEY", dkey, 1);
// Release allocated memory
- if (ddir != 0)
- SafeDelete(ddir);
- if (dcer != 0)
- SafeDelete(dcer);
- if (dkey != 0)
- SafeDelete(dkey);
- if (dadi != 0)
- SafeDelete(dadi);
+ if (ddir) delete[] ddir;
+ if (dcer) delete[] dcer;
+ if (dkey) delete[] dkey;
+ if (dadi) delete[] dadi;
}
@@ -1269,9 +1253,9 @@ void GlobusCleanup()
}
// Release memory allocated for security contexts ...
- SafeDelete(hostGlbSecCont);
- SafeDelete(subjGlbSecCont);
- SafeDelete(sptrGlbSecCont);
+ if (hostGlbSecCont) delete[] hostGlbSecCont;
+ if (subjGlbSecCont) delete[] subjGlbSecCont;
+ if (sptrGlbSecCont) delete[] sptrGlbSecCont;
NumGlbSecCont = 0;
// Finally check if the shm for imported stuff has not yet been destroyed ...
diff --git a/krb5auth/src/Krb5Auth.cxx b/krb5auth/src/Krb5Auth.cxx
index fface105bd5bcb322e98e3d4a30cdc100b35c654..c14a270e9df93ffb0f99b45ac829a80b265509d5 100644
--- a/krb5auth/src/Krb5Auth.cxx
+++ b/krb5auth/src/Krb5Auth.cxx
@@ -1,4 +1,4 @@
-// @(#)root/krb5auth:$Name: $:$Id: Krb5Auth.cxx,v 1.3 2003/08/29 10:41:27 rdm Exp $
+// @(#)root/krb5auth:$Name: $:$Id: Krb5Auth.cxx,v 1.4 2003/09/07 22:54:13 rdm Exp $
// Author: Johannes Muelmenstaedt 17/03/2002
/*************************************************************************
@@ -161,7 +161,7 @@ Int_t Krb5Authenticate(TAuthenticate *auth, TString &user, TString &det, Int_t v
return -1;
}
}
- SafeDelete(ClientPrincipal);
+ if (ClientPrincipal) delete[] ClientPrincipal;
// Get a normal string for user
char User[64];
@@ -203,11 +203,11 @@ Int_t Krb5Authenticate(TAuthenticate *auth, TString &user, TString &det, Int_t v
int rc = 0;
if ((rc = TAuthenticate::AuthExists(auth,(Int_t)TAuthenticate::kKrb5,Details,Options,&kind,&retval)) == 1) {
// A valid authentication exists: we are done ...
- SafeDelete(Options);
+ if (Options) delete[] Options;
return 1;
}
if (rc == -2) {
- SafeDelete(Options);
+ if (Options) delete[] Options;
return rc;
}
@@ -374,8 +374,8 @@ Int_t Krb5Authenticate(TAuthenticate *auth, TString &user, TString &det, Int_t v
// Create and save AuthDetails object
TAuthenticate::SaveAuthDetails(auth,(Int_t)TAuthenticate::kKrb5,OffSet,ReUse,Details,lUser,gRSAKey,Token);
det = Details;
- SafeDelete(Token);
- SafeDelete(lUser);
+ if (Token) delete[] Token;
+ if (lUser) delete[] lUser;
} else {
sock->Recv(answer, 100, type); // returns user
user = answer;
diff --git a/net/inc/TAuthenticate.h b/net/inc/TAuthenticate.h
index ae198e093bf791e95fceea21d69ba58bdb17e8c9..419d1f3f20ef55a31d696b67c46fb158ad467faf 100644
--- a/net/inc/TAuthenticate.h
+++ b/net/inc/TAuthenticate.h
@@ -1,4 +1,4 @@
-// @(#)root/net:$Name: $:$Id: TAuthenticate.h,v 1.8 2003/09/03 07:46:49 rdm Exp $
+// @(#)root/net:$Name: $:$Id: TAuthenticate.h,v 1.9 2003/09/07 18:25:46 rdm Exp $
// Author: Fons Rademakers 26/11/2000
/*************************************************************************
@@ -45,6 +45,7 @@ const Int_t kMAXSEC = 6;
const Int_t kMAXSECBUF = 2048;
const Int_t kAUTH_REUSE_MSK = 0x1;
const Int_t kAUTH_CRYPT_MSK = 0x2;
+const Int_t kAUTH_SSALT_MSK = 0x4;
class TSocket;
class TAuthenticate;
@@ -63,6 +64,7 @@ public:
private:
TString fUser; // user to be authenticated
TString fPasswd; // user's password
+ Bool_t fPwHash; // kTRUE if fPasswd is a passwd hash
TString fProtocol; // remote service (rootd, proofd)
TString fRemote; // remote host to which we want to connect
TSocket *fSocket; // connection to remote daemon
@@ -74,6 +76,7 @@ private:
static TString fgUser;
static TString fgPasswd;
+ static Bool_t fgPwHash; // kTRUE if fgPasswd is a passwd hash
static TString fgAuthMeth[kMAXSEC];
static SecureAuth_t fgSecAuthHook;
static Krb5Auth_t fgKrb5AuthHook;
@@ -87,13 +90,12 @@ private:
static rsa_KEY_export fgRSAPubExport;
void SetEnvironment();
- Bool_t GetUserPasswd(TString &user, TString &passwd);
- Int_t ClearAuth(TString &user, TString &passwd);
+ Bool_t GetUserPasswd(TString &user, TString &passwd, Bool_t &pwhash);
+ Int_t ClearAuth(TString &user, TString &passwd, Bool_t &pwhash);
Int_t RfioAuth(TString &user);
Int_t SshAuth(TString &user);
char *GetRandString(Int_t Opt,Int_t Len);
- Int_t ProveId();
static Int_t CheckRootAuthrc(const char *Host, char ***user,
Int_t **nmeth, Int_t **authmeth, char ***det);
@@ -110,12 +112,14 @@ public:
virtual ~TAuthenticate() { }
Bool_t Authenticate();
- Bool_t CheckNetrc(TString &user, TString &passwd);
+ Bool_t CheckNetrc(TString &user, TString &passwd, Bool_t &pwhash);
const char *GetUser() const { return fUser; }
const char *GetPasswd() const { return fPasswd; }
+ Bool_t GetPwHash() const { return fPwHash; }
const char *GetProtocol() const { return fProtocol; }
const char *GetSshUser() const;
void SetUser(const char *user) { fUser = user; }
+ void SetPwHash(Bool_t pwhash) { fPwHash = pwhash; }
void SetHostAuth(const char *host, const char *user);
void SetSecurity(Int_t fSec) { fSecurity = (ESecurity)fSec; }
ESecurity GetSecurity() const { return fSecurity; }
@@ -138,8 +142,10 @@ public:
static const char *GetGlobalUser();
static const char *GetGlobalPasswd();
+ static Bool_t GetGlobalPwHash();
static void SetGlobalUser(const char *user);
static void SetGlobalPasswd(const char *passwd);
+ static void SetGlobalPwHash(Bool_t pwhash);
static char *PromptUser(const char *remote);
static char *PromptPasswd(const char *prompt = "Password: ");
@@ -150,6 +156,7 @@ public:
static void SetGlobusAuthHook(GlobusAuth_t func);
static GlobusAuth_t GetGlobusAuthHook();
static const char *GetRSAPubExport();
+ static void SetRSAPublic(const char *rsapubexport);
static Int_t GetRSAInit();
static void SetRSAInit();
diff --git a/net/src/TAuthenticate.cxx b/net/src/TAuthenticate.cxx
index 04aae9ee6b3abcccc01cd449b22c34d93efa2006..9a03f19b42266802930676a7f1ed8caf22919a29 100644
--- a/net/src/TAuthenticate.cxx
+++ b/net/src/TAuthenticate.cxx
@@ -1,4 +1,4 @@
-// @(#)root/net:$Name: $:$Id: TAuthenticate.cxx,v 1.16 2003/09/09 09:43:27 rdm Exp $
+// @(#)root/net:$Name: $:$Id: TAuthenticate.cxx,v 1.17 2003/09/09 12:37:25 rdm Exp $
// Author: Fons Rademakers 26/11/2000
/*************************************************************************
@@ -29,7 +29,6 @@
#include "TError.h"
#include "Getline.h"
#include "TROOT.h"
-#include "TApplication.h"
#include "TEnv.h"
#include "TList.h"
#include "NetErrors.h"
@@ -56,6 +55,7 @@ rsa_KEY_export TAuthenticate::fgRSAPubExport = { 0, 0 };
TString TAuthenticate::fgUser;
TString TAuthenticate::fgPasswd;
+Bool_t TAuthenticate::fgPwHash;
SecureAuth_t TAuthenticate::fgSecAuthHook;
Krb5Auth_t TAuthenticate::fgKrb5AuthHook;
GlobusAuth_t TAuthenticate::fgGlobusAuthHook;
@@ -79,10 +79,9 @@ TAuthenticate::TAuthenticate(TSocket *sock, const char *remote,
fVersion = 2; // The latest, by default
fRSAKey = 0;
-
if (gDebug > 2)
- Info("TAuthenticate", "Enter: local host:%s: user is: %s (proto:%s)",
- gSystem->Getenv("HOST"), user, proto);
+ Info("TAuthenticate", "Enter: local host: %s, user is: %s (proto: %s)",
+ gSystem->HostName(), user, proto);
// Set protocol string.
// Check if version should be different ...
@@ -108,10 +107,8 @@ TAuthenticate::TAuthenticate(TSocket *sock, const char *remote,
Info("TAuthenticate",
"service: %s (remote protocol: %d): fVersion: %d", sproto,
rproto, fVersion);
-
- fProtocol = sproto;
}
- SafeDelete(sproto);
+ fProtocol = sproto;
}
// Check or get user name
@@ -123,6 +120,8 @@ TAuthenticate::TAuthenticate(TSocket *sock, const char *remote,
fUser = u->fUser;
delete u;
}
+ fPasswd = "";
+ fPwHash = kFALSE;
// Check and save the host FQDN ...
TString fqdn;
@@ -154,10 +153,10 @@ TAuthenticate::TAuthenticate(TSocket *sock, const char *remote,
// If we did not find a good THostAuth instantiation, create one
if (fHostAuth == 0) {
// Determine applicable auth methods from client choices
- Int_t *nmeth; //not cleaned up? (rdm)
+ Int_t *nmeth;
Int_t *security[kMAXSEC];
char **details[kMAXSEC];
- char **usr = new char *[1]; //not cleaned up? (rdm)
+ char **usr = new char *[1];
usr[0] = StrDup(fUser);
GetAuthMeth(fqdn, fProtocol, &usr, &nmeth, security, details);
@@ -187,10 +186,12 @@ TAuthenticate::TAuthenticate(TSocket *sock, const char *remote,
if (gDebug > 3)
fHostAuth->Print();
for (i = 0; i < nmeth[0]; i++) { // what if nu > 0? (rdm)
- SafeDelete(security[i]);
- SafeDelete(details[i][0]);
- SafeDelete(det[i]);
+ if (security[i]) delete[] security[i];
+ if (details[i][0]) delete[] details[i][0];
+ if (det[i]) delete[] det[i];
}
+ if (nmeth) delete nmeth;
+ if (usr[0]) delete[] usr[0];
}
// This is what we have in memory
@@ -213,6 +214,7 @@ Bool_t TAuthenticate::Authenticate()
char NoSupport[80] = { 0 };
TString user, passwd;
+ Bool_t pwhash;
Int_t ntry = 0;
if (gDebug > 2)
@@ -228,6 +230,7 @@ Bool_t TAuthenticate::Authenticate()
user = "";
passwd = "";
+ pwhash = kFALSE;
// Security level from the list (if not in cleanup mode ...)
fSecurity = (ESecurity) fHostAuth->GetMethods(meth);
@@ -256,10 +259,10 @@ Bool_t TAuthenticate::Authenticate()
|| !strcmp(gSystem->Getenv("PROMPTUSER"), "no")) {
user = gSystem->Getenv("DEFAULTUSER");
}
- if (GetUserPasswd(user, passwd))
+ if (GetUserPasswd(user, passwd, pwhash))
return kFALSE;
if (fUser != "root")
- st = ClearAuth(user, passwd);
+ st = ClearAuth(user, passwd, pwhash);
} else if (fSecurity == kSRP) {
@@ -267,7 +270,7 @@ Bool_t TAuthenticate::Authenticate()
if (!strcmp(gSystem->Getenv("PROMPTUSER"), "0")) {
user = gSystem->Getenv("DEFAULTUSER");
}
- if (GetUserPasswd(user, passwd))
+ if (GetUserPasswd(user, passwd, pwhash))
return kFALSE;
if (!fgSecAuthHook) {
char *p;
@@ -591,27 +594,32 @@ void TAuthenticate::SetEnvironment()
}
// Build UserDefaults
if (fSecurity == kGlobus) {
+ UsDef[0] = '\0';
if (Cd != 0) {
- sprintf(UsDef, "%s %s", UsDef, Cd);
- SafeDelete(Cd);
+ strcat(UsDef," ");
+ strcat(UsDef,Cd);
+ delete[] Cd;
}
if (Cf != 0) {
- sprintf(UsDef, "%s %s", UsDef, Cf);
- SafeDelete(Cf);
+ strcat(UsDef," ");
+ strcat(UsDef,Cf);
+ delete[] Cf;
}
if (Kf != 0) {
- sprintf(UsDef, "%s %s", UsDef, Kf);
- SafeDelete(Kf);
+ strcat(UsDef," ");
+ strcat(UsDef,Kf);
+ delete[] Kf;
}
if (Ad != 0) {
- sprintf(UsDef, "%s %s", UsDef, Ad);
- SafeDelete(Ad);
+ strcat(UsDef," ");
+ strcat(UsDef,Ad);
+ delete[] Ad;
}
} else {
if (fUser == "") {
if (Us != 0) {
sprintf(UsDef, "%s", Us);
- SafeDelete(Us);
+ delete[] Us;
}
} else {
if (fSecurity == kKrb5) {
@@ -638,34 +646,40 @@ void TAuthenticate::SetEnvironment()
}
//______________________________________________________________________________
-Bool_t TAuthenticate::GetUserPasswd(TString & user, TString & passwd)
+Bool_t TAuthenticate::GetUserPasswd(TString & user, TString & passwd, Bool_t & pwhash)
{
// Try to get user name and passwd from several sources
+ if (gDebug > 3)
+ Info("GetUserPasswd", "Enter: User: '%s' Hash:%d",
+ user.Data(),(Int_t)pwhash);
// Get user and passwd set via static functions SetUser and SetPasswd.
-// if ( user =="" && fgUser != "" )
-// user = fgUser;
-// if ( passwd=="" && fgPasswd != "" )
-// passwd = fgPasswd;
-
-
if (user == "") {
if (fgUser != "")
user = fgUser;
- if (passwd == "" && fgPasswd != "")
+ if (passwd == "" && fgPasswd != "") {
passwd = fgPasswd;
+ pwhash = fgPwHash;
+ }
} else {
if (fgUser != "" && user == fgUser) {
- if (passwd == "" && fgPasswd != "")
- passwd = fgPasswd;
+ if (passwd == "" && fgPasswd != "") {
+ passwd = fgPasswd;
+ pwhash = fgPwHash;
+ }
}
}
-
// Check ~/.rootnetrc and ~/.netrc files if user was not set via
// the static SetUser() method.
- if (user == "" || passwd == "")
- CheckNetrc(user, passwd);
+ if (user == "" || passwd == "") {
+ if (gDebug > 3)
+ Info("GetUserPasswd", "Checking .netrc family ...");
+ CheckNetrc(user, passwd, pwhash);
+ }
+ if (gDebug > 3)
+ Info("GetUserPasswd", "From .netrc family: User: '%s' Hash:%d",
+ user.Data(),(Int_t)pwhash);
// If user also not set via ~/.rootnetrc or ~/.netrc ask user.
if (user == "") {
@@ -678,26 +692,32 @@ Bool_t TAuthenticate::GetUserPasswd(TString & user, TString & passwd)
// Fill present user info ...
fUser = user;
fPasswd = passwd;
+ fPwHash = pwhash;
// For potential later use in Proof
fgUser = fUser;
fgPasswd = fPasswd;
+ fgPwHash = fPwHash;
return 0;
}
//______________________________________________________________________________
-Bool_t TAuthenticate::CheckNetrc(TString & user, TString & passwd)
+Bool_t TAuthenticate::CheckNetrc(TString & user, TString & passwd, Bool_t & pwhash)
{
// Try to get user name and passwd from the ~/.rootnetrc or
// ~/.netrc files. First ~/.rootnetrc is tried, after that ~/.netrc.
// These files will only be used when their access masks are 0600.
// Returns kTRUE if user and passwd were found for the machine
// specified in the URL. If kFALSE, user and passwd are "".
+ // The boolean pwhash is set to kTRUE if passwd is to be understood as
+ // password hash, ie if the 'password-hash' keyword is used in the
+ // 'machine' lines; not implemented for 'secure'.
// The format of these files are:
//
// # this is a comment line
// machine <machine fqdn> login <user> password <passwd>
+ // machine <machine fqdn> login <user> password-hash <passwd>
//
// and in addition ~/.rootnetrc also supports:
//
@@ -710,6 +730,7 @@ Bool_t TAuthenticate::CheckNetrc(TString & user, TString & passwd)
TString remote = fRemote;
passwd = "";
+ pwhash = kFALSE;
char *net =
gSystem->ConcatFileName(gSystem->HomeDirectory(), ".rootnetrc");
@@ -752,18 +773,27 @@ Bool_t TAuthenticate::CheckNetrc(TString & user, TString & passwd)
continue;
if (strcmp(word[2], "login"))
continue;
- if (strcmp(word[4], "password"))
+ if (fSecurity == kSRP && strcmp(word[4], "password"))
+ continue;
+ if (fSecurity == kClear &&
+ strcmp(word[4], "password") && strcmp(word[4], "password-hash"))
continue;
if (!strcmp(word[1], remote)) {
+ // Possible solution to Fons wish ... (10/9/2003)
+ // if (!strstr(remote,word[1]) {
if (user == "") {
user = word[3];
passwd = word[5];
+ if (!strcmp(word[4], "password-hash"))
+ pwhash = kTRUE;
result = kTRUE;
break;
} else {
if (!strcmp(word[3], user.Data())) {
passwd = word[5];
+ if (!strcmp(word[4], "password-hash"))
+ pwhash = kTRUE;
result = kTRUE;
break;
}
@@ -802,6 +832,14 @@ const char *TAuthenticate::GetGlobalPasswd()
return fgPasswd;
}
+//______________________________________________________________________________
+Bool_t TAuthenticate::GetGlobalPwHash()
+{
+ // Static method returning the global password hash flag.
+
+ return fgPwHash;
+}
+
//______________________________________________________________________________
const char *TAuthenticate::GetAuthMethod(Int_t idx)
{
@@ -838,8 +876,6 @@ char *TAuthenticate::PromptUser(const char *remote)
// Returns user name (which must be deleted by caller) or 0.
// If non-interactive run (eg ProofServ) returns default user.
- TApplication *lApp = gROOT->GetApplication();
-
const char *user;
if (gSystem->Getenv("DEFAULTUSER") != 0
&& strlen(gSystem->Getenv("DEFAULTUSER")) > 0)
@@ -850,9 +886,9 @@ char *TAuthenticate::PromptUser(const char *remote)
if (!user)
user = gSystem->Getenv("USERNAME");
#endif
- if (strstr(lApp->Argv()[1], "proof") != 0) {
+ if (!strcmp(gROOT->GetName(), "proofserv")) {
::Warning("TAuthenticate::PromptUser",
- "proofserv: cannot prompt for user: returning default");
+ "proofserv: cannot prompt for user, returning default");
if (strlen(user))
return StrDup(user);
else
@@ -878,8 +914,7 @@ char *TAuthenticate::PromptPasswd(const char *prompt)
// to get passwd. Returns passwd (which must de deleted by caller) or 0.
// If non-interactive run (eg ProofServ) returns -1
- TApplication *lApp = gROOT->GetApplication();
- if (strstr(lApp->Argv()[1], "proof") != 0) {
+ if (!strcmp(gROOT->GetName(), "proofserv")) {
::Warning("TAuthenticate::PromptPasswd",
"proofserv: cannot prompt for passwd: returning -1");
return StrDup("-1");
@@ -969,6 +1004,16 @@ void TAuthenticate::SetGlobalPasswd(const char *passwd)
fgPasswd = passwd;
}
+//______________________________________________________________________________
+void TAuthenticate::SetGlobalPwHash(Bool_t pwhash)
+{
+ // Set global passwd hash flag to be used for authentication to rootd or proofd.
+
+ fgPwHash = kFALSE;
+ if (pwhash)
+ fgPwHash = pwhash;
+}
+
//______________________________________________________________________________
void TAuthenticate::SetSecureAuthHook(SecureAuth_t func)
{
@@ -1016,13 +1061,13 @@ Int_t TAuthenticate::SshAuth(TString & User)
// Still allow for client definition of the ssh location ...
if (strcmp(gEnv->GetValue("Ssh.ExecDir", "-1"), "-1")) {
- SafeDelete(gSshExe);
+ if (gSshExe) delete[] gSshExe;
gSshExe =
StrDup(Form
("%s/ssh", (char *) gEnv->GetValue("Ssh.ExecDir", "")));
if (gSystem->AccessPathName(gSshExe, kExecutePermission)) {
Info("SshAuth", "%s not executable", gSshExe);
- SafeDelete(gSshExe);
+ if (gSshExe) delete[] gSshExe;
return -1;
}
}
@@ -1065,11 +1110,11 @@ Int_t TAuthenticate::SshAuth(TString & User)
AuthExists(this, (Int_t) TAuthenticate::kSSH, fDetails, Options,
&kind, &retval)) == 1) {
// A valid authentication exists: we are done ...
- SafeDelete(Options);
+ if (Options) delete[] Options;
return 1;
}
if (rc == -2) {
- SafeDelete(Options);
+ if (Options) delete[] Options;
return rc;
}
// Check return flags
@@ -1194,7 +1239,7 @@ Int_t TAuthenticate::SshAuth(TString & User)
// Receive Token
char *Token = 0;
if (ReUse == 1 && OffSet > -1) {
- if (SecureRecv(fSocket, fRSAKey, &Token) == -1) {
+ if (SecureRecv(fSocket, 1, &Token) == -1) {
Warning("SshAuth",
"problems secure-receiving token - may result in corrupted token");
}
@@ -1209,9 +1254,9 @@ Int_t TAuthenticate::SshAuth(TString & User)
fDetails, lUser, fRSAKey, Token);
// Release allocated memory ...
- SafeDelete(answer);
- SafeDelete(lUser);
- SafeDelete(Token);
+ if (answer) delete[] answer;
+ if (lUser) delete[] lUser;
+ if (Token) delete[] Token;
// Get and Analyse the reply
fSocket->Recv(retval, kind);
@@ -1344,7 +1389,7 @@ Int_t TAuthenticate::GetAuthMeth(const char *Host, const char *Proto,
char *usr = StrDup((*User)[j]);
// Check env variables for more details, if any ...
Details[i][j] = GetDefaultDetails(am[i][j], 0, usr);
- SafeDelete(usr);
+ if (usr) delete[] usr;
} else {
Details[i][j] = det[i][j];
}
@@ -1472,11 +1517,11 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
if (strstr(Temp, Host) == 0) {
if ((strlen(Temp) + hlen + 2) > tlen) {
char *NewTemp = StrDup(Temp);
- SafeDelete(Temp);
+ if (Temp) delete[] Temp;
tlen += kMAXPATHLEN;
Temp = new char[tlen];
strcpy(Temp, NewTemp);
- SafeDelete(NewTemp);
+ if (NewTemp) delete[] NewTemp;
}
sprintf(Temp, "%s %s", Temp, Host);
Nuser++;
@@ -1487,11 +1532,11 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
if (strstr(Temp, usrtmp) == 0) {
if ((strlen(Temp) + strlen(usrtmp) + 2) > tlen) {
char *NewTemp = StrDup(Temp);
- SafeDelete(Temp);
+ if (Temp) delete[] Temp;
tlen += kMAXPATHLEN;
Temp = new char[tlen];
strcpy(Temp, NewTemp);
- SafeDelete(NewTemp);
+ if (NewTemp) delete[] NewTemp;
}
sprintf(Temp, "%s %s", Temp, usrtmp);
Nuser++;
@@ -1500,14 +1545,12 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
}
}
}
- if (Temp != 0)
- SafeDelete(Temp);
+ if (Temp) delete[] Temp;
if (gDebug > 3)
::Info("CheckRootAuthrc",
"found %d different entries for host %s", Nuser, Host);
- if ((*user)[0] != 0)
- SafeDelete((*user)[0]);
+ if ((*user)[0]) delete[] (*user)[0];
(*user) = new char *[Nuser];
*nh = new int[Nuser];
int i;
@@ -1601,8 +1644,7 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
} else {
ju = 0;
nu = 1;
- if ((*user)[ju] != 0)
- SafeDelete((*user)[ju]);
+ if ((*user)[ju]) delete[] (*user)[ju];
}
(*user)[ju] = StrDup(usr);
(*nh)[ju] = 0;
@@ -1611,8 +1653,7 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
det[i][ju] = 0;
}
}
- if (usr != 0)
- SafeDelete(usr);
+ if (usr) delete[] usr;
// Now reposition opt and rest ...
sscanf(rest, "%s %s", opt, rest);
strcpy(rest, strstr(line, opt) + strlen(opt) + 1);
@@ -1634,8 +1675,7 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
} else {
ju = 0;
nu = 1;
- if ((*user)[ju] != 0)
- SafeDelete((*user)[ju]);
+ if ((*user)[ju]) delete[] (*user)[ju];
}
(*user)[ju] = StrDup("-1");
(*nh)[ju] = 0;
@@ -1693,7 +1733,7 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
for (k = 0; k < (*nh)[ju]; k++) {
if (tmp_am[k] == mth[i]) {
det[i][ju] = StrDup(tmp_det[k]);
- SafeDelete(tmp_det[k]);
+ if (tmp_det[k]) delete[] tmp_det[k];
tmp_det[k] = 0;
}
}
@@ -1704,17 +1744,15 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
j++;
am[i][ju] = mth[k];
det[i][ju] = StrDup(tmp_det[k]);
- SafeDelete(tmp_det[k]);
+ delete[] tmp_det[k];
tmp_det[k] = 0;
}
k++;
}
}
}
- if (tmp_am != 0)
- SafeDelete(tmp_am);
- if (tmp_det != 0)
- SafeDelete(tmp_det);
+ if (tmp_am) delete[] tmp_am;
+ if (tmp_det) delete[] tmp_det;
(*nh)[ju] = nmeth;
} else {
@@ -1776,7 +1814,7 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
if (gDebug > 0)
::Warning("CheckRootAuthrc",
"output am badly filled: %s", ostr);
- SafeDelete(ostr);
+ if (ostr) delete[] ostr;
}
}
if (gDebug > 3)
@@ -1795,7 +1833,7 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
if (CheckUser == 1 && nu == 1) {
if (!strcmp((*user)[0], "-1")) {
- SafeDelete((*user)[0]);
+ if ((*user)[0]) delete[] (*user)[0];
(*user)[0] = StrDup(UserRq);
}
}
@@ -1836,8 +1874,8 @@ Int_t TAuthenticate::CheckRootAuthrc(const char *Host, char ***user,
}
fclose(fd);
- SafeDelete(net);
- SafeDelete(UserRq);
+ if (net) delete[] net;
+ if (UserRq) delete[] UserRq;
if (expand == 1)
gSystem->Unlink(filetmp);
@@ -1925,7 +1963,7 @@ Bool_t TAuthenticate::CheckHost(const char *Host, const char *host)
::Info("CheckHost", "info for host found in table ");
exit:
- SafeDelete(IP);
+ if (IP) delete[] IP;
return retval;
}
@@ -2001,9 +2039,9 @@ Bool_t TAuthenticate::CheckHostWild(const char *Host, const char *host)
exit:
// Release allocated memory ...
- SafeDelete(fH);
- SafeDelete(sH);
- SafeDelete(dum);
+ if (fH) delete[] fH;
+ if (sH) delete[] sH;
+ if (dum) delete[] dum;
return rc;
}
@@ -2018,12 +2056,15 @@ Int_t TAuthenticate::RfioAuth(TString & User)
if (gDebug > 2)
Info("RfioAuth", "enter ... User %s", User.Data());
- User = gSystem->Getenv("USER");
- fDetails = TString("pt:0 ru:0 us:") + User;
-
- // Now check that we are not root ...
+ // Get user info ... ...
UserGroup_t *pw = gSystem->GetUserInfo();
if (pw) {
+
+ // These are the details to be saved in case of success ...
+ User = pw->fUser;
+ fDetails = TString("pt:0 ru:0 us:") + User;
+
+ // Check that we are not root ...
if (strcmp(pw->fUser, "root")) {
// Get group ID associated with the current process ...
@@ -2073,17 +2114,17 @@ Int_t TAuthenticate::RfioAuth(TString & User)
}
//______________________________________________________________________________
-Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
+Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd, Bool_t & PwHash)
{
// Clear-like authentication code.
// Returns 0 in case authentication failed
// 1 in case of success
if (gDebug > 2)
- Info("ClearAuth", "enter: User: %s", User.Data());
+ Info("ClearAuth", "enter: User: %s (passwd hashed?: %d)", User.Data(),(Int_t)PwHash);
// Check ReUse
- Int_t ReUse = 1, Prompt = 0, Crypt = 1;
+ Int_t ReUse = 1, Prompt = 0, Crypt = 1, NeedSalt = 1;
char PromptReUse[40];
if (gSystem->Getenv("AUTHREUSE") != 0 &&
!strcmp(gSystem->Getenv("AUTHREUSE"), "0"))
@@ -2094,6 +2135,8 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
if (gSystem->Getenv("CLEARCRYPT") != 0 &&
!strcmp(gSystem->Getenv("CLEARCRYPT"), "0"))
Crypt = 0;
+ if (PwHash)
+ NeedSalt = 0;
#ifdef R__WIN32
Crypt = 0;
#endif
@@ -2113,7 +2156,8 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
// Create Options string
char *Options = new char[strlen(User.Data()) + 40];
- int Opt = (ReUse * kAUTH_REUSE_MSK) + (Crypt * kAUTH_CRYPT_MSK);
+ int Opt = (ReUse * kAUTH_REUSE_MSK) + (Crypt * kAUTH_CRYPT_MSK) +
+ (NeedSalt * kAUTH_SSALT_MSK);
sprintf(Options, "%d %ld %s", Opt, (Long_t)strlen(User), User.Data());
// Check established authentications
@@ -2124,13 +2168,13 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
AuthExists(this, (Int_t) TAuthenticate::kClear, fDetails,
Options, &kind, &stat)) == 1) {
// A valid authentication exists: we are done ...
- SafeDelete(Options);
+ if (Options) delete[] Options;
if (gDebug > 3)
Info("ClearAuth", "valid authentication exists: return 1");
return 1;
}
if (rc == -2) {
- SafeDelete(Options);
+ if (Options) delete[] Options;
return rc;
}
@@ -2166,15 +2210,26 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
fgRSAPubExport.keys);
fSocket->Send(fgRSAPubExport.keys, kROOTD_RSAKEY);
- // Receive password salt
- if (SecureRecv(fSocket, fRSAKey, &Salt) == -1) {
- Warning("ClearAuth",
- "problems secure-receiving salt - may result in corrupted salt");
- Warning("ClearAuth", "switch off reuse for this session");
- Crypt = 0;
+ if (NeedSalt) {
+ // Receive password salt
+ if (SecureRecv(fSocket, 1, &Salt) == -1) {
+ Warning("ClearAuth",
+ "problems secure-receiving salt - may result in corrupted salt");
+ Warning("ClearAuth", "switch off reuse for this session");
+ Crypt = 0;
+ }
+ if (gDebug > 2)
+ Info("ClearAuth", "got salt: '%s'", Salt);
+ } else {
+ if (gDebug > 2)
+ Info("ClearAuth", "Salt not required");
+ fSocket->Recv(stat, kind);
+ if (kind != kMESS_ANY || stat != 0) {
+ Warning("ClearAuth",
+ "Potential problems: got msg type: %d value: %d (expecting: %d 0)",
+ kind,stat,(Int_t)kMESS_ANY);
+ }
}
- if (gDebug > 2)
- Info("ClearAuth", "got salt: '%s'", Salt);
}
// Now get the password either from prompt or from memory, if saved already
if (Anon == 1 && Prompt == 0) {
@@ -2196,7 +2251,7 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
Info("ClearAuth",
"automatically generated anonymous passwd: %s",
Passwd.Data());
- SafeDelete(LocalUser);
+ if (LocalUser) delete[] LocalUser;
} else {
@@ -2206,14 +2261,15 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
Passwd = PromptPasswd();
if (Passwd == "") {
Error("ClearAuth", "password not set");
- SafeDelete(PasHash);
- SafeDelete(Salt);
+ if (PasHash) delete[] PasHash;
+ if (Salt) delete[] Salt;
return 0;
}
}
if (Crypt == 1) {
// Get hash (only if not already hashed ...)
- if (strncmp(Passwd,Salt,strlen(Salt))) {
+ //if (strncmp(Passwd,Salt,strlen(Salt))) {
+ if (!PwHash) {
#ifndef R__WIN32
PasHash = StrDup(crypt(Passwd, Salt));
#endif
@@ -2232,17 +2288,29 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
}
}
- fgPasswd = Passwd;
- fPasswd = Passwd;
// Send it to server
if (Anon == 0 && Crypt == 1) {
+
+ // Store for later use
+ fgPasswd = PasHash;
+ fPasswd = PasHash;
+ fgPwHash = kTRUE;
+ fPwHash = kTRUE;
+
fSocket->Send("\0", kROOTD_PASS); // Needs this for consistency
- if (SecureSend(fSocket, fRSAKey, PasHash) == -1) {
+ if (SecureSend(fSocket, 1, PasHash) == -1) {
Warning("ClearAuth",
"problems secure-sending pass hash - may result in authentication failure");
}
} else {
+
+ // Store for later use
+ fgPasswd = Passwd;
+ fPasswd = Passwd;
+ fgPwHash = kFALSE;
+ fPwHash = kFALSE;
+
// Standard technique: invert passwd
if (Passwd != "") {
for (int i = 0; i < Passwd.Length(); i++) {
@@ -2295,7 +2363,7 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
if (ReUse == 1) {
// Receive Token
if (Crypt == 1) {
- if (SecureRecv(fSocket, fRSAKey, &Token) == -1) {
+ if (SecureRecv(fSocket, 1, &Token) == -1) {
Warning("ClearAuth",
"problems secure-receiving token - may result in corrupted token");
}
@@ -2323,12 +2391,12 @@ Int_t TAuthenticate::ClearAuth(TString & User, TString & Passwd)
// This from remote login
fSocket->Recv(stat, kind);
- SafeDelete(answer);
- SafeDelete(lUser);
+ if (answer) delete[] answer;
+ if (lUser) delete[] lUser;
}
// Release allocated memory ...
- SafeDelete(Salt);
- SafeDelete(PasHash);
+ if (Salt) delete[] Salt;
+ if (PasHash) delete[] PasHash;
if (kind == kROOTD_AUTH && stat >= 1) {
@@ -2479,7 +2547,7 @@ Int_t TAuthenticate::GetOffSet(TAuthenticate * Auth, Int_t Method,
::Info("GetOffSet", "returning: %d", OffSet);
for (i = 0; i < Nw; i++) {
if (Wd[i] != 0)
- SafeDelete(Wd[i]);
+ delete[] Wd[i];
}
if (*Token == 0) {
Auth->SetRSAKey(0);
@@ -2555,7 +2623,7 @@ char *TAuthenticate::GetRemoteLogin(THostAuth * HostAuth, Int_t Method,
for (i = 0; i < Nw; i++) {
if (Wd[i] != 0)
- SafeDelete(Wd[i]);
+ delete[] Wd[i];
}
return rlogin;
}
@@ -2619,7 +2687,7 @@ void TAuthenticate::DecodeDetails(char *details, char *Pt, char *Ru,
}
if (gDebug > 3)
::Info("DecodeDetails", "Pt:%s, Ru:%s, Us:%s", Pt, Ru, *Us);
- SafeDelete(Temp);
+ if (Temp) delete[] Temp;
}
}
@@ -2674,7 +2742,7 @@ void TAuthenticate::DecodeDetailsGlobus(char *details, char *Pt, char *Ru,
::Info("DecodeDetailsGlobus", "Pt:%s, Ru:%s, %s, %s, %s, %s", Pt,
Ru, *Cd, *Cf, *Kf, *Ad);
- SafeDelete(Temp);
+ if (Temp) delete[] Temp;
}
}
@@ -2968,24 +3036,24 @@ void TAuthenticate::ReadAuthRc(const char *host, const char *user)
hostAuth->Print();
for (i = 0; i < nm; i++) {
if (det[i] != 0)
- SafeDelete(det[i]);
+ delete[] det[i];
}
}
for (i = 0; i < kMAXSEC; i++) {
if (security[i] != 0)
- SafeDelete(security[i]);
+ delete[] security[i];
if (details[i] != 0) {
for (j = 0; j < nu; j++) {
if (details[i][j] != 0)
- SafeDelete(details[i][j]);
+ delete[] details[i][j];
}
}
}
for (i = 0; i < nu; i++) {
- SafeDelete(usr[i]);
+ if (usr[i]) delete[] usr[i];
}
- SafeDelete(nmeth);
- SafeDelete(usr);
+ if (nmeth) delete[] nmeth;
+ if (usr) delete[] usr;
}
//______________________________________________________________________________
@@ -3048,7 +3116,7 @@ Int_t TAuthenticate::AuthExists(TAuthenticate *Auth, Int_t Sec,
if (RSAKey > 0) {
// Send Token encrypted
- if (SecureSend(Socket, RSAKey, Token) == -1) {
+ if (SecureSend(Socket, 1, Token) == -1) {
::Warning("AuthExists",
"problems secure-sending Token - may trigger problems in proofing Id ");
}
@@ -3060,12 +3128,10 @@ Int_t TAuthenticate::AuthExists(TAuthenticate *Auth, Int_t Sec,
Socket->Send(Token, kMESS_STRING);
}
- // Answer to server question to prove your id
- // Auth->ProveId();
}
// Release allocated memory
- SafeDelete(Token);
- SafeDelete(sstr);
+ if (Token) delete[] Token;
+ if (sstr) delete[] sstr;
Int_t stat, kind;
Socket->Recv(stat, kind);
@@ -3187,7 +3253,7 @@ Int_t TAuthenticate::GenRSAKeys()
int lout = rsa_fun::fg_rsa_encode(buf, lTes, rsa_n, rsa_e);
if (gDebug > 3)
Info("GenRSAKeys",
- "local: length of crypted string: %d bytes '%s'", lout, buf);
+ "local: length of crypted string: %d bytes", lout);
// Try decryption with public key
rsa_fun::fg_rsa_decode(buf, lout, rsa_n, rsa_d);
@@ -3322,6 +3388,7 @@ Int_t TAuthenticate::SecureSend(TSocket *Socket, Int_t Key, char *Str)
// Encode null terminated Str using the session private key indcated by Key
// and sends it over the network
// Returns number of bytes sent.or -1 in case of error.
+ // Key = 1 for private encoding, Key = 2 for public encoding
char BufTmp[kMAXSECBUF];
char BufLen[20];
@@ -3344,8 +3411,19 @@ Int_t TAuthenticate::SecureSend(TSocket *Socket, Int_t Key, char *Str)
Nsen = Socket->SendRaw(BufTmp, Ttmp);
if (gDebug > 3)
::Info("SecureSend",
- "local: sent %d bytes (expected: %d) (buffer '%s')", Nsen,
- Ttmp, BufTmp);
+ "local: sent %d bytes (expected: %d)", Nsen,Ttmp);
+ } else if (Key == 2) {
+ strncpy(BufTmp, Str, sLen);
+ BufTmp[sLen] = 0;
+ Ttmp =
+ rsa_fun::fg_rsa_encode(BufTmp, sLen, fgRSAPubKey.n,
+ fgRSAPubKey.e);
+ sprintf(BufLen, "%d", Ttmp);
+ Socket->Send(BufLen, kROOTD_ENCRYPT);
+ Nsen = Socket->SendRaw(BufTmp, Ttmp);
+ if (gDebug > 3)
+ ::Info("SecureSend",
+ "local: sent %d bytes (expected: %d)", Nsen,Ttmp);
} else {
::Info("SecureSend", "unknown key option (%d) - return", Key);
}
@@ -3357,6 +3435,7 @@ Int_t TAuthenticate::SecureRecv(TSocket *Socket, Int_t Key, char **Str)
{
// Receive Len bytes from Socket and decode them in Str using key indicated by Key type
// Return number of received bytes or -1 in case of error.
+ // Key = 1 for private decoding, Key = 2 for public decoding
char BufTmp[kMAXSECBUF];
char BufLen[20];
@@ -3381,6 +3460,11 @@ Int_t TAuthenticate::SecureRecv(TSocket *Socket, Int_t Key, char **Str)
rsa_fun::fg_rsa_decode(BufTmp, Len, fgRSAPriKey.n, fgRSAPriKey.e);
if (gDebug > 3)
::Info("SecureRecv", "local: decoded string: '%s' ", BufTmp);
+ } else if (Key == 2) {
+ Nrec = Socket->RecvRaw(BufTmp, Len);
+ rsa_fun::fg_rsa_decode(BufTmp, Len, fgRSAPubKey.n, fgRSAPubKey.e);
+ if (gDebug > 3)
+ ::Info("SecureRecv", "local: decoded string: '%s' ", BufTmp);
} else {
::Info("SecureRecv", "unknown key option (%d) - return", Key);
}
@@ -3392,33 +3476,59 @@ Int_t TAuthenticate::SecureRecv(TSocket *Socket, Int_t Key, char **Str)
}
//______________________________________________________________________________
-Int_t TAuthenticate::ProveId()
+void TAuthenticate::SetRSAPublic(const char *RSAPubExport)
{
- // Answer to server requests to prove ID.
-
-#if 0
- //crypt not available on windows (rdm)
- char *Question = 0;
- // Send Answer encrypted
-// if (SecureRecv(fSocket,fRSAKey,&Question) == -1){
-// Warning("ProveId","problems secure-receiving Question - may result in corrupted Question");
-// }
-// if (gDebug > 3) Info("ProveId","got question '%s'",Question);
-
- Question = GetRandString(2, 6);
-
- // Prepare answer
- char Answer[kMAXPATHLEN];
- sprintf(Answer, "%s$%s", Question, crypt(Question, Question));
- if (gDebug > 3)
- Info("ProveId", "our Answer '%s' ", Answer);
+ // Store RSA public keys from export string RSAPubExport.
+
+ if (gDebug > 2)
+ ::Info("SetRSAPublic","enter: string '%s'", RSAPubExport);
+
+ if (!RSAPubExport)
+ return;
+
+ char Str[kMAXPATHLEN] = { 0 };
+ strcpy(Str, RSAPubExport);
+
+ if (strlen(Str) > 0) {
+ // The format is #<hex_n>#<hex_d>#
+ char *pd1 = strstr(Str, "#");
+ char *pd2 = strstr(pd1 + 1, "#");
+ char *pd3 = strstr(pd2 + 1, "#");
+ if (pd1 && pd2 && pd3) {
+ // Get <hex_n> ...
+ int l1 = (int) (pd2 - pd1 - 1);
+ char *RSA_n_exp = new char[l1 + 1];
+ strncpy(RSA_n_exp, pd1 + 1, l1);
+ RSA_n_exp[l1] = 0;
+ if (gDebug > 2)
+ ::Info("SetRSAPublic","got RSA_n_exp '%s' ", RSA_n_exp);
+ // Now <hex_d>
+ int l2 = (int) (pd3 - pd2 - 1);
+ char *RSA_d_exp = new char[l2 + 1];
+ strncpy(RSA_d_exp, pd2 + 1, l2);
+ RSA_d_exp[l2] = 0;
+ if (gDebug > 2)
+ ::Info("SetRSAPublic","got RSA_d_exp '%s' ", RSA_d_exp);
+
+ rsa_NUMBER RSA_n, RSA_d;
+
+ rsa_fun::fg_rsa_num_sget(&RSA_n, RSA_n_exp);
+ rsa_fun::fg_rsa_num_sget(&RSA_d, RSA_d_exp);
+
+ // Save Public key
+ rsa_fun::fg_rsa_assign(&fgRSAPubKey.n, &RSA_n);
+ rsa_fun::fg_rsa_assign(&fgRSAPubKey.e, &RSA_d);
- // Send Answer encrypted
- if (SecureSend(fSocket, fRSAKey, Answer) == -1) {
- Warning("ProveId",
- "problems secure-sending Answer - may trigger problems in proofing Id ");
+ if (RSA_n_exp)
+ if (RSA_n_exp) delete[] RSA_n_exp;
+ if (RSA_d_exp)
+ if (RSA_d_exp) delete[] RSA_d_exp;
+
+ } else
+ ::Info("SetRSAPublic","keys not saved correctly ");
}
- SafeDelete(Question);
-#endif
- return 0;
+
+ return;
+
}
+
diff --git a/proof/inc/TProof.h b/proof/inc/TProof.h
index c849ac6d3ad24ccfc2983903c89fe3b9e5a78a1b..e3e6b1a45778269271cdf5e61eac170d6b5cfabd 100644
--- a/proof/inc/TProof.h
+++ b/proof/inc/TProof.h
@@ -1,4 +1,4 @@
-// @(#)root/proof:$Name: $:$Id: TProof.h,v 1.36 2003/06/27 11:02:33 rdm Exp $
+// @(#)root/proof:$Name: $:$Id: TProof.h,v 1.37 2003/08/29 10:41:28 rdm Exp $
// Author: Fons Rademakers 13/02/97
/*************************************************************************
@@ -104,6 +104,7 @@ private:
Int_t fLogLevel; //server debug logging level
Int_t fStatus; //remote return status (part of kPROOF_LOGDONE)
Int_t fParallel; //number of active slaves (only set on client, on server use fActiveSlaves)
+ Bool_t fPwHash; //true if fPasswd is a passwd hash
Bool_t fMasterServ; //true if we are a master server
Bool_t fSendGroupView; //if true send new group view
TList *fSlaves; //list of all slave servers as in config file
diff --git a/proof/inc/TProofServ.h b/proof/inc/TProofServ.h
index 534b68f0420066a4af1b2de47bfc7eec38f352d5..5ab7d499fcd4b923a97c21e0202dfc22ba587850 100644
--- a/proof/inc/TProofServ.h
+++ b/proof/inc/TProofServ.h
@@ -1,4 +1,4 @@
-// @(#)root/proof:$Name: $:$Id: TProofServ.h,v 1.14 2003/06/27 11:02:33 rdm Exp $
+// @(#)root/proof:$Name: $:$Id: TProofServ.h,v 1.15 2003/08/29 10:41:28 rdm Exp $
// Author: Fons Rademakers 16/02/97
/*************************************************************************
@@ -68,8 +68,9 @@ private:
Int_t fGroupId; //slave unique id in the active slave group
Int_t fGroupSize; //size of the active slave group
Int_t fLogLevel; //debug logging level
- Bool_t fMasterServ; //true if we are a master server
Int_t fNcmd; //command history number
+ Bool_t fPwHash; //true if fPasswd is a passwd hash
+ Bool_t fMasterServ; //true if we are a master server
Bool_t fInterrupt; //if true macro execution will be stopped
Float_t fRealTime; //real time spent executing commands
Float_t fCpuTime; //CPU time spent executing commands
diff --git a/proof/src/TProof.cxx b/proof/src/TProof.cxx
index ec9d56afe5b0aae49e623b4852b03fa6b8316088..73905a4c959c95028cb6ddb3a884d79d4c310a10 100644
--- a/proof/src/TProof.cxx
+++ b/proof/src/TProof.cxx
@@ -1,4 +1,4 @@
-// @(#)root/proof:$Name: $:$Id: TProof.cxx,v 1.51 2003/09/02 15:10:17 rdm Exp $
+// @(#)root/proof:$Name: $:$Id: TProof.cxx,v 1.52 2003/09/07 18:25:46 rdm Exp $
// Author: Fons Rademakers 13/02/97
/*************************************************************************
@@ -347,6 +347,24 @@ Int_t TProof::Init(const char *masterurl, const char *conffile,
}
}
+ // Make sure that UidGid is always in the list
+ if (AuthAvailable[(int)TAuthenticate::kRfio] == 1) {
+ int newu = 1, i = 0;
+ for (i = 0; i < nSecs; i++) {
+ if (fSecs[i] == (int)TAuthenticate::kRfio) {
+ newu = 0;
+ break;
+ }
+ }
+ if (newu == 1) {
+ fSecs[nSecs] = (int)TAuthenticate::kRfio;
+ fDets[nSecs] = StrDup(AuthDet[(int)TAuthenticate::kRfio]);
+ nSecs++;
+ PDB(kGlobal,3)
+ Info("Init","added UidGid ... sec:%d det:%s",
+ fSecs[nSecs-1],fDets[nSecs-1]);
+ }
+ }
// Get slave FQDN ...
TString SlaveFqdn;
@@ -392,8 +410,10 @@ Int_t TProof::Init(const char *masterurl, const char *conffile,
// 'security' is redefined to make sure of backwards compatibility
Int_t lSecurity = 0;
- if (nSecs == 1 && fSecs[0] == (int)TAuthenticate::kSRP) lSecurity=(int)TAuthenticate::kSRP;
- if (nSecs == 1 && fSecs[0] == (int)TAuthenticate::kKrb5) lSecurity=(int)TAuthenticate::kKrb5;
+ if (nSecs == 1 && fSecs[0] == (int)TAuthenticate::kSRP)
+ lSecurity=(int)TAuthenticate::kSRP;
+ if (nSecs == 1 && fSecs[0] == (int)TAuthenticate::kKrb5)
+ lSecurity=(int)TAuthenticate::kKrb5;
// CleanUp memory
int ks;
@@ -431,7 +451,8 @@ Int_t TProof::Init(const char *masterurl, const char *conffile,
fImage = fCondor->GetImage(gSystem->HostName());
if (fImage.Length() == 0) {
- Error("Init", "no appropriate node line found in %s", fconf);
+ Error("Init", "no appropriate node line found in %s for system %s",
+ fconf, gSystem->HostName());
return 0;
}
@@ -450,11 +471,42 @@ Int_t TProof::Init(const char *masterurl, const char *conffile,
if (AuthAvailable[i] == 1) security = i;
}
}
+
+ int nSecs = 0;
+ int fSecs[kMAXSEC] ={0};
+ char *fDets[kMAXSEC] ={0};
if (security == -1) {
Error("Init", "no available security method found");
return 0;
+ } else {
+ fSecs[0] = security;
+ fDets[0] = StrDup(AuthDet[security]);
+ nSecs = 1;
+ PDB(kGlobal,3)
+ Info("Init","Dynamic Slaves: added method:%d det:%s",
+ fSecs[nSecs-1],fDets[nSecs-1]);
}
+ // Make sure that UidGid is always in the list
+ if (AuthAvailable[(int)TAuthenticate::kRfio] == 1) {
+ int newu = 1, i = 0;
+ for (i = 0; i < nSecs; i++) {
+ if (fSecs[i] == (int)TAuthenticate::kRfio) {
+ newu = 0;
+ break;
+ }
+ }
+ if (newu == 1) {
+ fSecs[nSecs] = (int)TAuthenticate::kRfio;
+ fDets[nSecs] = StrDup(AuthDet[(int)TAuthenticate::kRfio]);
+ nSecs++;
+ PDB(kGlobal,3)
+ Info("Init","added UidGid ... sec:%d det:%s",
+ fSecs[nSecs-1],fDets[nSecs-1]);
+ }
+ }
+
+
TIter next(claims);
TCondorSlave *c;
Int_t ord = 0;
@@ -474,16 +526,47 @@ Int_t TProof::Init(const char *masterurl, const char *conffile,
if (hostAuth == 0) {
// Create HostAuth object ...
- hostAuth = new THostAuth(SlaveFqdn.Data(),fUser.Data(),security,AuthDet[security]);
+ //hostAuth = new THostAuth(SlaveFqdn.Data(),fUser.Data(),security,AuthDet[security]);
+ hostAuth = new THostAuth(SlaveFqdn.Data(),fUser.Data(),nSecs,fSecs,(char **)fDets);
// ... and add it to the list (static in TAuthenticate)
if (gDebug > 3) hostAuth->Print();
authInfo->Add(hostAuth);
} else {
- // Add or redefine this method and set it as preferred ...
- hostAuth->SetFirst(security,AuthDet[security]);
+ int nold = hostAuth->NumMethods();
+ int i, j;
+ for (i = 0; i < nSecs; i++) {
+ int jm = -1;
+ for (j = 0; j < nold; j++) {
+ if (fSecs[i] == hostAuth->GetMethods(j)) {
+ jm = j;
+ break;
+ }
+ }
+ if (jm == -1) {
+ // Add a method ...
+ hostAuth->AddMethod(fSecs[i], fDets[i]);
+ } else {
+ // Set a new details string ...
+ hostAuth->SetDetails(fSecs[i], fDets[i]);
+ }
+ }
+ // Put them in the order defined in proof.conf
+ hostAuth->ReOrder(nSecs,fSecs);
PDB(kGlobal,3) hostAuth->Print();
}
+ // CleanUp memory
+ int ks;
+ for (ks = 0; ks < nSecs; ks++) {
+ if (fDets[ks]) delete[] fDets[ks];
+ }
+
+// } else {
+// // Add or redefine this method and set it as preferred ...
+// hostAuth->SetFirst(security,AuthDet[security]);
+// PDB(kGlobal,3) hostAuth->Print();
+// }
+
TSlave *slave = new TSlave(c->fHostname, c->fPort, ord++,
c->fPerfIdx, c->fImage, security, this);
fSlaves->Add(slave);
@@ -2265,7 +2348,7 @@ Int_t TProof::CheckAuth(Int_t cSec, char **Det)
#ifdef R__GLBS
TApplication *lApp = gROOT->GetApplication();
if (lApp != 0) {
- if (strstr(lApp->Argv()[1],"proof") != 0) {
+ if (!strcmp(gROOT->GetName(), "proofserv")) {
// Delegated Credentials
int ShmId = (lApp->Argc() == 11) ? atoi(lApp->Argv()[7]) : -1 ;
if (ShmId != -1) {
diff --git a/proof/src/TProofServ.cxx b/proof/src/TProofServ.cxx
index 3852b0626d959fba12aef84152e4cfd4a7630781..d445ba207d074eebb2784adb11dca4c51fd38071 100644
--- a/proof/src/TProofServ.cxx
+++ b/proof/src/TProofServ.cxx
@@ -1,4 +1,4 @@
-// @(#)root/proof:$Name: $:$Id: TProofServ.cxx,v 1.45 2003/07/01 14:18:27 rdm Exp $
+// @(#)root/proof:$Name: $:$Id: TProofServ.cxx,v 1.46 2003/08/29 10:41:28 rdm Exp $
// Author: Fons Rademakers 16/02/97
/*************************************************************************
@@ -315,6 +315,7 @@ TProofServ::TProofServ(int *argc, char **argv)
TAuthenticate::SetGlobalUser(fUser);
TAuthenticate::SetGlobalPasswd(fPasswd);
+ TAuthenticate::SetGlobalPwHash(fPwHash);
// Read info transmitted from the client ...
ReadProofAuth();
@@ -1437,6 +1438,8 @@ void TProofServ::Setup()
fSocket->Recv(fProtocol, what);
fSocket->Send(kPROOF_Protocol, kROOTD_PROTOCOL);
+#if 0
+
TMessage *mess;
fSocket->Recv(mess);
@@ -1452,6 +1455,39 @@ void TProofServ::Setup()
delete mess;
+#else
+
+ // First receive, decode and store the public part of RSA key
+ TMessage *pubkey;
+ fSocket->Recv(pubkey);
+
+ TString PubKey;
+ (*pubkey) >> PubKey;
+
+ TAuthenticate::SetRSAPublic(PubKey.Data());
+
+ delete pubkey;
+
+ // Receive passwd
+ char *Passwd = 0;
+ TAuthenticate::SecureRecv(fSocket, 2, &Passwd);
+ fPasswd = Passwd;
+ delete[] Passwd;
+
+ // Receive user and passwd information
+ TMessage *mess;
+
+ fSocket->Recv(mess);
+
+ if (IsMaster())
+ (*mess) >> fUser >> fPwHash >> fConfFile;
+ else
+ (*mess) >> fUser >> fPwHash >> fOrdinal;
+
+ delete mess;
+
+#endif
+
// deny write access for group and world
gSystem->Umask(022);
@@ -1739,7 +1775,7 @@ void TProofServ::ReadProofAuth()
if (jm == -1) {
// Add a method ...
hostAuth->AddMethod(meth[i], det[i]);
- } else {
+ } else {
// Set a new details string ...
hostAuth->SetDetails(meth[i], det[i]);
}
@@ -1754,7 +1790,7 @@ void TProofServ::ReadProofAuth()
det[i] = 0; meth[i] = -1;
}
nmet = 0;
- }
+ }
// Close the file
fclose(fpa);
// Unlink (=delete) the file
diff --git a/proof/src/TSlave.cxx b/proof/src/TSlave.cxx
index 0a7587b6d3f43ba108fb49b85867da460402cd07..b71e4549cdfda2363e053e62654c63e695ce46cf 100644
--- a/proof/src/TSlave.cxx
+++ b/proof/src/TSlave.cxx
@@ -1,4 +1,4 @@
-// @(#)root/proof:$Name: $:$Id: TSlave.cxx,v 1.14 2003/08/30 18:24:52 rdm Exp $
+// @(#)root/proof:$Name: $:$Id: TSlave.cxx,v 1.15 2003/09/07 18:25:46 rdm Exp $
// Author: Fons Rademakers 14/02/97
/*************************************************************************
@@ -68,7 +68,12 @@ TSlave::TSlave(const char *host, Int_t port, Int_t ord, Int_t perf,
fSocket->Send(kROOTD_PROTOCOL);
Int_t ProofdProto, what;
fSocket->Recv(ProofdProto, what);
- if (ProofdProto <= 0 || ProofdProto > 7) ProofdProto = 7;
+ if (ProofdProto <= 0) {
+ Warning("TSlave",
+ "got negative protocol from proofd (%d) ... may indicate problems",ProofdProto);
+ ProofdProto = 7;
+ Warning("TSlave", "continuing with ProofdProto: %d)",ProofdProto);
+ }
TAuthenticate *auth;
if (security == (Int_t) TAuthenticate::kSRP) {
@@ -82,7 +87,7 @@ TSlave::TSlave(const char *host, Int_t port, Int_t ord, Int_t perf,
// Authenticate to proofd...
if (!proof->IsMaster()) {
- // we are remote client... need full authentication procedure, either:
+ // we are client... need full authentication procedure, either:
// - via TAuthenticate::SetGlobalUser()/SetGlobalPasswd())
// - ~/.rootnetrc or ~/.netrc
// - interactive
@@ -92,14 +97,18 @@ TSlave::TSlave(const char *host, Int_t port, Int_t ord, Int_t perf,
Error("TSlave", "%s authentication failed for host %s",
TAuthenticate::GetAuthMethod(sec), host);
} else {
- Error("TSlave", "authentication failed for host %s (method: %d - unknown)", host, sec);
+ Error("TSlave",
+ "authentication failed for host %s (method: %d - unknown)", host, sec);
}
delete auth;
SafeDelete(fSocket);
return;
}
proof->fUser = auth->GetRemoteLogin(auth->GetHostAuth(),auth->GetSecurity(),auth->GetDetails());
- proof->fPasswd = auth->GetPasswd();
+ // proof->fPasswd = auth->GetPasswd();
+ // proof->fPwHash = auth->GetPwHash();
+ proof->fPasswd = TAuthenticate::GetGlobalPasswd();
+ proof->fPwHash = TAuthenticate::GetGlobalPwHash();
proof->fSecurity = auth->GetSecurity();
fUser = proof->fUser;
fSecurity = proof->fSecurity;
@@ -112,7 +121,7 @@ TSlave::TSlave(const char *host, Int_t port, Int_t ord, Int_t perf,
if (ProofdProto > 6) {
// Now we send authentication details to access, eg, data servers
// not in the proof cluster and to be propagated to slaves.
- // This is triggered by the 'proofdserv <dserv1> <dserv2> ...'
+ // This is triggered by the 'proofserv <dserv1> <dserv2> ...'
// card in .rootauthrc
SendHostAuth(this, 0);
}
@@ -141,7 +150,16 @@ TSlave::TSlave(const char *host, Int_t port, Int_t ord, Int_t perf,
SafeDelete(fSocket);
return;
}
- fUser = auth->GetRemoteLogin(auth->GetHostAuth(),auth->GetSecurity(),auth->GetDetails());
+ // fUser = auth->GetRemoteLogin(auth->GetHostAuth(),
+ // auth->GetSecurity(),auth->GetDetails());
+
+ proof->fUser = auth->GetRemoteLogin(auth->GetHostAuth(),
+ auth->GetSecurity(),auth->GetDetails());
+ proof->fPasswd = auth->GetPasswd();
+ proof->fPwHash = auth->GetPwHash();
+ proof->fSecurity = auth->GetSecurity();
+ fUser = proof->fUser;
+ fSecurity = proof->fSecurity;
PDB(kGlobal,3) {
auth->GetHostAuth()->PrintEstablished();
@@ -183,6 +201,7 @@ TSlave::TSlave(const char *host, Int_t port, Int_t ord, Int_t perf,
fSocket->Recv(fProtocol, what);
fProof->fProtocol = fProtocol; // on master this is the protocol
// of the last slave
+#if 0
TMessage mess;
// if unsecure, send user name and passwd to remote host (use trivial
@@ -203,6 +222,39 @@ TSlave::TSlave(const char *host, Int_t port, Int_t ord, Int_t perf,
fSocket->Send(mess);
+#else
+
+ TMessage mess, pubkey;
+
+ // Send public part of RSA key to ProofServ
+ TString PubKey = TAuthenticate::GetRSAPubExport();
+ pubkey << PubKey;
+ fSocket->Send(pubkey);
+
+ // send user name to remote host
+ // for UsrPwd and SRP methods send also passwd, rsa encoded
+ TString passwd = "";
+ Bool_t pwhash = kFALSE;
+ if (fSecurity == TAuthenticate::kClear || fSecurity == TAuthenticate::kSRP) {
+ passwd = fProof->fPasswd;
+ pwhash = fProof->fPwHash;
+ }
+
+ // Password should be encoded before sending
+ if (TAuthenticate::SecureSend(fSocket, 1, (char *)passwd.Data()) == -1) {
+ Warning("TSlave",
+ "problems secure-sending pass hash - may result in failures");
+ }
+
+ if (!fProof->IsMaster())
+ mess << fProof->fUser << pwhash << fProof->fConfFile;
+ else
+ mess << fProof->fUser << pwhash << fOrdinal;
+
+ fSocket->Send(mess);
+
+#endif
+
// set some socket options
fSocket->SetOption(kNoDelay, 1);
}
@@ -299,130 +351,135 @@ Int_t TSlave::SendHostAuth(TSlave *sl, Int_t opt)
PDB(kGlobal,3) Info("SendHostAuth","file: %s",net);
// Check if file can be read ...
- if (gSystem->AccessPathName(net, kReadPermission)) { return 0; }
-
- // Open file
- FILE *fd = fopen(net, "r");
-
- // Scan it ...
- char line[kMAXPATHLEN], host[kMAXPATHLEN], key[kMAXPATHLEN], rest[kMAXPATHLEN];
- char *pnx = 0;
- int cont = 0;
- while (fgets(line, sizeof(line), fd) != 0) {
- // Skip comment lines
- if (line[0] == '#') continue;
- // Get rid of end of line '\n', if there ...
- if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = '\0';
- if (cont == 0) {
- // scan line
- int nw= sscanf(line, "%s %s", key, rest);
- // no useful info provided for this line
- if (nw < 2) continue;
- }
- // This is the list we are looking for ...
- if (!strcmp(key, "proofserv") || cont == 1) {
- PDB(kGlobal,3) Info("SendHostAuth","found proofserv: %s", rest);
-
- if (cont == 0) {
- pnx = strstr(line, rest);
- } else if (cont == 1) {
- pnx = line;
- cont = 0;
- }
+ // if (gSystem->AccessPathName(net, kReadPermission)) { return 0; }
+
+ if (!gSystem->AccessPathName(net, kReadPermission)) {
+
+ // Open file
+ FILE *fd = fopen(net, "r");
+
+ // Scan it ...
+ char line[kMAXPATHLEN], host[kMAXPATHLEN], key[kMAXPATHLEN], rest[kMAXPATHLEN];
+ char *pnx = 0;
+ int cont = 0;
+ while (fgets(line, sizeof(line), fd) != 0) {
+
+ // Skip comment lines
+ if (line[0] == '#') continue;
+ // Get rid of end of line '\n', if there ...
+ if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = '\0';
+ if (cont == 0) {
+ // scan line
+ int nw= sscanf(line, "%s %s", key, rest);
+ // no useful info provided for this line
+ if (nw < 2) continue;
+ }
+ // This is the list we are looking for ...
+ if (!strcmp(key, "proofserv") || cont == 1) {
+ PDB(kGlobal,3) Info("SendHostAuth","found proofserv: %s", rest);
+
+ if (cont == 0) {
+ pnx = strstr(line, rest);
+ } else if (cont == 1) {
+ pnx = line;
+ cont = 0;
+ }
+
+ while (pnx != 0 && cont == 0) {
+ rest[0] = '\0';
+ sscanf(pnx, "%s %s", host, rest);
+ PDB(kGlobal,3) Info("SendHostAuth", "found host: %s %s (cont=%d)", host, rest, cont);
+
+ // Check if a protocol is requested
+ char *pd1 = 0, *pd2 = 0;
+ char meth[10] = { "" }, usr[256] = { "" };
+ int met = -1;
+ pd1 = strchr(host,':');
+ if (pd1 != 0) pd2 = strchr(pd1+1, ':');
+ if (pd2 != 0) {
+ strcpy(meth, pd2+1);
+ if (strlen(meth) > 1) {
+ // Method passed as string: translate it to number
+ met = TAuthenticate::GetAuthMethodIdx(meth);
+ if (met == -1)
+ PDB(kGlobal,2) Info("SendHostAuth", "unrecognized method (%s): ", meth);
+ } else {
+ met = atoi(meth);
+ }
+ int plen= (int)(pd2-host);
+ host[plen]='\0';
+ }
+ if (pd1 != 0) {
+ strcpy(usr, pd1+1);
+ int plen = (int)(pd1-host);
+ host[plen]='\0';
+ }
+ PDB(kGlobal,3) Info("SendHostAuth", "host user method: %s %s %d", host, usr, met);
+
+ // Get methods from file .rootauthrc
+ char **user; Int_t *nmeth, *security[kMAXSEC]; char **details[kMAXSEC];
+ user = new char*[1]; user[0] = StrDup(usr);
+ Int_t Nuser = TAuthenticate::GetAuthMeth(host, "root", &user, &nmeth, security, details);
+ // Now copy the info to send into buffer
+ int ju = 0;
+ for (ju = 0; ju < Nuser; ju++) {
+ int i = 0;
+ bsiz = strlen(host)+strlen(user[ju])+2+(nmeth[ju]+1)*3;
+ int jm = -1;
+ for (i = 0; i < nmeth[ju]; i++) {
+ bsiz += strlen(details[i][ju])+1;
+ if (security[i][ju] == met) jm = i;
+ }
+ bsiz += 20;
+ if (jm == -1) {
+ // Details for the method chosen were not found in the file
+ // Get defaults ...
+ char *newdet = TAuthenticate::GetDefaultDetails(met, 0, user[ju]);
+ bsiz += strlen(newdet)+1;
+ buf = new char[bsiz];
+ sprintf(buf,"h:%s u:%s n:%d", host, user[ju], nmeth[ju]+1);
+ sprintf(buf,"%s '%d %s' ", buf, met, newdet);
+ for (i = 0; i < nmeth[ju]; i++) {
+ sprintf(buf,"%s '%d %s' ", buf, security[i][ju], details[i][ju]);
+ }
+ delete [] newdet;
+ } else {
+ // Details for the method chosen were found in the file
+ // Put them first ...
+ buf = new char[bsiz];
+ sprintf(buf,"h:%s u:%s n:%d", host, user[ju], nmeth[ju]);
+ // First the one specified, if any
+ for (i = 0; i < nmeth[ju]; i++) {
+ if (security[i][ju] == met)
+ sprintf(buf,"%s '%d %s' ", buf, security[i][ju], details[i][ju]);
+ }
+ for (i = 0; i < nmeth[ju]; i++) {
+ if (security[i][ju] != met)
+ sprintf(buf,"%s '%d %s' ", buf, security[i][ju], details[i][ju]);
+ }
+ }
+ sl->GetSocket()->Send(buf, kPROOF_SENDHOSTAUTH);
+ delete [] buf;
+ }
+
+ // Got to next, if any
+ if (strlen(rest) > 0) {
+ // Check if there is a continuation line
+ if ((int)rest[0] == 92) cont = 1;
+ pnx = strstr(pnx, rest);
+ } else {
+ pnx = 0;
+ }
+ }
+ }
+ }
+
+ fclose(fd);
- while (pnx != 0 && cont == 0) {
- rest[0] = '\0';
- sscanf(pnx, "%s %s", host, rest);
- PDB(kGlobal,3) Info("SendHostAuth", "found host: %s %s (cont=%d)", host, rest, cont);
-
- // Check if a protocol is requested
- char *pd1 = 0, *pd2 = 0;
- char meth[10] = { "" }, usr[256] = { "" };
- int met = -1;
- pd1 = strchr(host,':');
- if (pd1 != 0) pd2 = strchr(pd1+1, ':');
- if (pd2 != 0) {
- strcpy(meth, pd2+1);
- if (strlen(meth) > 1) {
- // Method passed as string: translate it to number
- met = TAuthenticate::GetAuthMethodIdx(meth);
- if (met == -1)
- PDB(kGlobal,2) Info("SendHostAuth", "unrecognized method (%s): ", meth);
- } else {
- met = atoi(meth);
- }
- int plen= (int)(pd2-host);
- host[plen]='\0';
- }
- if (pd1 != 0) {
- strcpy(usr, pd1+1);
- int plen = (int)(pd1-host);
- host[plen]='\0';
- }
- PDB(kGlobal,3) Info("SendHostAuth", "host user method: %s %s %d", host, usr, met);
-
- // Get methods from file .rootauthrc
- char **user; Int_t *nmeth, *security[kMAXSEC]; char **details[kMAXSEC];
- user = new char*[1]; user[0] = StrDup(usr);
- Int_t Nuser = TAuthenticate::GetAuthMeth(host, "root", &user, &nmeth, security, details);
- // Now copy the info to send into buffer
- int ju = 0;
- for (ju = 0; ju < Nuser; ju++) {
- int i = 0;
- bsiz = strlen(host)+strlen(user[ju])+2+(nmeth[ju]+1)*3;
- int jm = -1;
- for (i = 0; i < nmeth[ju]; i++) {
- bsiz += strlen(details[i][ju])+1;
- if (security[i][ju] == met) jm = i;
- }
- bsiz += 20;
- if (jm == -1) {
- // Details for the method chosen were not found in the file
- // Get defaults ...
- char *newdet = TAuthenticate::GetDefaultDetails(met, 0, user[ju]);
- bsiz += strlen(newdet)+1;
- buf = new char[bsiz];
- sprintf(buf,"h:%s u:%s n:%d", host, user[ju], nmeth[ju]+1);
- sprintf(buf,"%s '%d %s' ", buf, met, newdet);
- for (i = 0; i < nmeth[ju]; i++) {
- sprintf(buf,"%s '%d %s' ", buf, security[i][ju], details[i][ju]);
- }
- delete [] newdet;
- } else {
- // Details for the method chosen were found in the file
- // Put them first ...
- buf = new char[bsiz];
- sprintf(buf,"h:%s u:%s n:%d", host, user[ju], nmeth[ju]);
- // First the one specified, if any
- for (i = 0; i < nmeth[ju]; i++) {
- if (security[i][ju] == met)
- sprintf(buf,"%s '%d %s' ", buf, security[i][ju], details[i][ju]);
- }
- for (i = 0; i < nmeth[ju]; i++) {
- if (security[i][ju] != met)
- sprintf(buf,"%s '%d %s' ", buf, security[i][ju], details[i][ju]);
- }
- }
- sl->GetSocket()->Send(buf, kPROOF_SENDHOSTAUTH);
- delete [] buf;
- }
-
- // Got to next, if any
- if (strlen(rest) > 0) {
- // Check if there is a continuation line
- if ((int)rest[0] == 92) cont = 1;
- pnx = strstr(pnx, rest);
- } else {
- pnx = 0;
- }
- }
- }
}
-
// End of transmission ...
sl->GetSocket()->Send("END", kPROOF_SENDHOSTAUTH);
- fclose(fd);
} else if (opt == 1) {
// We are a Master notifying the Slaves for nodes to be considered
@@ -457,6 +514,7 @@ Int_t TSlave::SendHostAuth(TSlave *sl, Int_t opt)
// End of transmission ...
sl->GetSocket()->Send("END", kPROOF_SENDHOSTAUTH);
+
}
return retval;
}
diff --git a/proofd/src/proofd.cxx b/proofd/src/proofd.cxx
index aa47a533045fd936afd710e6d638761ea16ede47..7a9e03b162fa5a7561f40713a89d819980d7c34c 100644
--- a/proofd/src/proofd.cxx
+++ b/proofd/src/proofd.cxx
@@ -1,4 +1,4 @@
-// @(#)root/proofd:$Name: $:$Id: proofd.cxx,v 1.38 2003/09/07 16:25:53 rdm Exp $
+// @(#)root/proofd:$Name: $:$Id: proofd.cxx,v 1.39 2003/09/07 18:25:46 rdm Exp $
// Author: Fons Rademakers 02/02/97
/*************************************************************************
@@ -106,8 +106,6 @@
// -T <tmpdir> specifies the directory path to be used to place //
// temporary files; default is /usr/tmp. //
// Useful if not running as root. //
-// -t period defines the period (in hours) for cleaning of //
-// the authentication table <tmpdir>/rpdauthtab //
// -G gridmapfile defines the gridmap file to be used for globus //
// authentication if different from globus default //
// (/etc/grid-security/gridmap); (re)defines the //
@@ -229,7 +227,6 @@ const int kMaxSlaves = 32;
char gFilePA[40] = { 0 };
int gAuthListSent = 0;
-int gCleaningPeriod = 24; // period for Auth table cleanup (default 1 day = 24 hours)
char gConfDir[kMAXPATHLEN] = { 0 };
int gDebug = 0;
int gForegroundFlag = 0;
@@ -490,7 +487,7 @@ void CheckGlobus(char *rcfile)
int sGlobus =-1, uGlobus =-1, lGlobus =-1, pGlobus=-1;
char lRcFile[kMAXPATHLEN] = { 0 }, uRcFile[kMAXPATHLEN] = { 0 },
sRcFile[kMAXPATHLEN] = { 0 }, ProofCf[kMAXPATHLEN] = { 0 };
- char namenv[256], valenv[256], dummy[512];
+ char namenv[256] = {0}, valenv[256] = {0}, dummy[512] = {0};
char sname[128] = "system";
char s[kMAXPATHLEN] = { 0 };
@@ -581,7 +578,6 @@ void CheckGlobus(char *rcfile)
if (gDebug > 2) ErrorInfo("CheckGlobus: checking system proof.conf: %s", s);
if (!access(s, F_OK) && !access(s, R_OK)) {
- pGlobus = 0;
FILE *fs = fopen(s,"r");
while (fgets(line, sizeof(line), fs)) {
if (line[0] == '#') continue; // skip comment lines
@@ -608,7 +604,7 @@ void CheckGlobus(char *rcfile)
if (gDebug > 2) ErrorInfo("CheckGlobus: checking user proof.conf: %s", s);
if (!access(s, F_OK) && !access(s, R_OK)) {
- pGlobus = 0;
+ pGlobus = -1;
FILE *fs = fopen(s, "r");
while (fgets(line, sizeof(line), fs)) {
if (line[0] == '#') continue; // skip comment lines
@@ -928,7 +924,7 @@ void ProofdExec()
RpdSetDebugFlag(gDebug);
// CleanUp authentication table, if needed or required ...
- RpdCheckSession(gCleaningPeriod);
+ RpdCheckSession();
// Get Host name
const char *OpenHost = NetRemoteHost();
@@ -1132,15 +1128,6 @@ int main(int argc, char **argv)
tcpwindowsize = atoi(*++argv);
break;
- case 't':
- if (--argc <= 0) {
- if (!gInetdFlag)
- fprintf(stderr, "-t requires as argument a period (in hours) as argument of cleaning for the auth table\n");
- Error(ErrFatal, -1, "-t requires as argument a period (in hours) as argument of cleaning for the auth table");
- }
- gCleaningPeriod = atoi(*++argv);
- break;
-
case 'T':
if (--argc <= 0) {
if (!gInetdFlag)
diff --git a/rootd/src/rootd.cxx b/rootd/src/rootd.cxx
index a6700704d6f23e1f01a9592343305c7a7ab5f882..7c151337c12a4946181346576debe304e68e4299 100644
--- a/rootd/src/rootd.cxx
+++ b/rootd/src/rootd.cxx
@@ -1,4 +1,4 @@
-// @(#)root/rootd:$Name: $:$Id: rootd.cxx,v 1.57 2003/09/07 16:25:53 rdm Exp $
+// @(#)root/rootd:$Name: $:$Id: rootd.cxx,v 1.58 2003/09/07 18:25:47 rdm Exp $
// Author: Fons Rademakers 11/08/97
/*************************************************************************
@@ -114,8 +114,6 @@
// -T <tmpdir> specifies the directory path to be used to place //
// temporary files; default is /usr/tmp. //
// Useful if not running as root. //
-// -t period defines the period (in hours) for cleaning of //
-// the authentication table <tmpdir>/rpdauthtab //
// -G gridmapfile defines the gridmap file to be used for globus //
// authentication if different from globus default //
// (/etc/grid-security/gridmap); (re)defines the //
@@ -330,7 +328,6 @@ enum { kBinary, kAscii };
int gAuthListSent = 0;
double gBytesRead = 0;
double gBytesWritten = 0;
-int gCleaningPeriod = 24; // period for Auth table cleanup (default 1 day = 24 hours)
char gConfDir[kMAXPATHLEN] = { 0 }; // Needed to localize root stuff if not running as root
int gDebug = 0;
int gDownloaded = 0;
@@ -397,7 +394,6 @@ void ErrFatal(int level,const char *msg)
{
Perror((char *)msg);
if (level > -1) NetSendError((ERootdErrors)level);
- RootdAuthCleanup("0",0);
RootdClose();
exit(1);
}
@@ -1990,7 +1986,7 @@ void RootdLoop()
RpdSetDebugFlag(gDebug);
// CleanUp authentication table, if needed or required ...
- RpdCheckSession(gCleaningPeriod);
+ RpdCheckSession();
// Get Host name
const char *OpenHost = NetRemoteHost();
@@ -2289,15 +2285,6 @@ int main(int argc, char **argv)
sprintf(gTmpDir, "%s", *++argv);
break;
- case 't':
- if (--argc <= 0) {
- if (!gInetdFlag)
- fprintf(stderr, "-t requires as argument a period (in hours) of cleaning for the auth table\n");
- Error(ErrFatal, kErrFatal, "-t requires as argument a period (in hours) of cleaning for the auth table");
- }
- gCleaningPeriod = atoi(*++argv);
- break;
-
case 's':
if (--argc <= 0) {
if (!gInetdFlag)
diff --git a/rpdutils/inc/rpdp.h b/rpdutils/inc/rpdp.h
index e16c5df9cd53f4f1834252b41b2fcb13dbc18b7a..2241c89c5332ce58db0cc84d90ade12616e26fa7 100644
--- a/rpdutils/inc/rpdp.h
+++ b/rpdutils/inc/rpdp.h
@@ -1,4 +1,4 @@
-// @(#)root/rpdutils:$Name: $:$Id: rpdp.h,v 1.2 2003/08/29 17:23:32 rdm Exp $
+// @(#)root/rpdutils:$Name: $:$Id: rpdp.h,v 1.3 2003/09/07 18:25:47 rdm Exp $
// Author: Gerardo Ganis 7/4/2003
/*************************************************************************
@@ -39,7 +39,9 @@ const int kMAXSEC = 6;
const int kMAXSECBUF = 2048;
const int kAUTH_REUSE_MSK = 0x1;
const int kAUTH_CRYPT_MSK = 0x2;
+const int kAUTH_SSALT_MSK = 0x4;
const int kMAXPATHLEN = 1024;
+const int kMAXTABSIZE = 1000000000;
// type of authentication method
enum ESecurity { kClear, kSRP, kKrb5, kGlobus, kSSH, kRfio };
@@ -62,6 +64,7 @@ extern int gParallel;
extern int gRemPid;
extern int gReUseAllow;
extern int gReUseRequired;
+extern int gSaltRequired;
extern int gSockFd;
extern int gSshdPort;
@@ -142,7 +145,7 @@ int RpdCheckAuthAllow(int Sec, char *Host);
int RpdCheckHostWild(const char *Host, const char *host);
char *RpdGetIP(const char *host);
void RpdSendAuthList();
-void RpdCheckSession(int period);
+void RpdCheckSession();
void RpdUser(const char *sstr);
void RpdSshAuth(const char *sstr);
diff --git a/rpdutils/src/globus.cxx b/rpdutils/src/globus.cxx
index c2eab92afe5047cad0857c53c2ec577c1066be76..3f4e6ba7ecff623aa7e31b07cf6a9e779129a860 100644
--- a/rpdutils/src/globus.cxx
+++ b/rpdutils/src/globus.cxx
@@ -1,4 +1,4 @@
-// @(#)root/rpdutils:$Name: $:$Id: globus.cxx,v 1.1 2003/08/29 10:38:19 rdm Exp $
+// @(#)root/rpdutils:$Name: $:$Id: globus.cxx,v 1.2 2003/09/01 11:30:45 rdm Exp $
// Author: Gerardo Ganis 7/4/2003
/*************************************************************************
@@ -169,6 +169,15 @@ int GlbsToolCheckCert(char *ClientIssuerName, char **SubjName)
ErrorInfo
("GlbsToolCheckCert: read cert key map files: %s %s %s %s",
dir_tmp, cert_tmp, key_tmp, map_tmp);
+ // Cleanup memory
+ if (dir_tmp)
+ delete[]dir_tmp;
+ if (cert_tmp)
+ delete[]cert_tmp;
+ if (key_tmp)
+ delete[]key_tmp;
+ if (map_tmp)
+ delete[]map_tmp;
}
fclose(fconf);
@@ -261,6 +270,15 @@ int GlbsToolCheckCert(char *ClientIssuerName, char **SubjName)
return 1;
found:
+ if (dir_tmp)
+ delete[]dir_tmp;
+ if (cert_tmp)
+ delete[]cert_tmp;
+ if (key_tmp)
+ delete[]key_tmp;
+ if (map_tmp)
+ delete[]map_tmp;
+
if (CertFound) {
// Get the subject name
char *subject_name =
diff --git a/rpdutils/src/rpdutils.cxx b/rpdutils/src/rpdutils.cxx
index 764866b3c79e59b316dfb97b31e989250bebfa5b..a2002c5dbe73a1e1330a6f2a5a959ee690f4f703 100644
--- a/rpdutils/src/rpdutils.cxx
+++ b/rpdutils/src/rpdutils.cxx
@@ -1,4 +1,4 @@
-// @(#)root/rpdutils:$Name: $:$Id: rpdutils.cxx,v 1.8 2003/09/09 12:37:25 rdm Exp $
+// @(#)root/rpdutils:$Name: $:$Id: rpdutils.cxx,v 1.9 2003/09/09 13:58:01 rdm Exp $
// Author: Gerardo Ganis 7/4/2003
/*************************************************************************
@@ -197,6 +197,7 @@ int gReUseRequired = -1;
int gRSAKey = 0;
rsa_NUMBER gRSA_n;
rsa_NUMBER gRSA_d;
+int gSaltRequired = -1;
int gSec = -1;
int gTriedMeth[kMAXSEC];
@@ -308,7 +309,7 @@ int RpdUpdateAuthTab(int opt, char *line, char **token)
fclose(ftab);
// ... before deleting the original ...
unlink(gRpdAuthTab);
- SafeDelete(bak);
+ if (bak) delete[] bak;
}
return 0;
} else if (opt == 0) {
@@ -699,8 +700,8 @@ int RpdCheckAuthTab(int Sec, char *User, char *Host, int RemId, int *OffSet)
&& GetErrno() == EINTR)
ResetErrno();
}
- SafeDelete(OldName);
- SafeDelete(NewName);
+ if (OldName) delete[] OldName;
+ if (NewName) delete[] NewName;
}
// Receive Token
@@ -921,11 +922,11 @@ bool RpdReUseAuth(const char *sstr, int kind)
// Fill gUser and free allocated memory
strcpy(gUser, User);
}
- SafeDelete(Pipe);
+ if (Pipe) delete[] Pipe;
}
- SafeDelete(User);
- SafeDelete(Token);
+ if (User) delete[] User;
+ if (Token) delete[] Token;
// Return value
if (gAuth >= 1) {
@@ -1264,7 +1265,7 @@ int RpdCheckAuthAllow(int Sec, char *Host)
fclose(ftab);
// Free allocated memory
- SafeDelete(IP);
+ if (IP) delete[] IP;
// Use defaults if nothing found
if (!found) {
@@ -1371,9 +1372,9 @@ int RpdCheckHostWild(const char *Host, const char *host)
exit:
// Release allocated memory ...
- SafeDelete(fH);
- SafeDelete(sH);
- SafeDelete(dum);
+ if (fH) delete[] fH;
+ if (sH) delete[] sH;
+ if (dum) delete[] dum;
return rc;
}
@@ -1435,7 +1436,7 @@ void RpdSendAuthList()
NetSend(sdum, ldum, kMESS_STRING);
if (gDebug > 2)
ErrorInfo("RpdSendAuthList: sent list: %s", sdum);
- SafeDelete(sdum);
+ if (sdum) delete[] sdum;
}
}
@@ -1470,8 +1471,8 @@ void RpdSshAuth(const char *sstr)
ErrorInfo
("RpdSshAuth: failure notification perhaps unsuccessful ... ");
}
- SafeDelete(User);
- SafeDelete(Pipe);
+ if (User) delete[] User;
+ if (Pipe) delete[] Pipe;
return;
}
// Check user existence and get its environment
@@ -1480,16 +1481,16 @@ void RpdSshAuth(const char *sstr)
ErrorInfo("RpdSshAuth: entry for user % not found in /etc/passwd",
User);
NetSend(-2, kROOTD_SSH);
- SafeDelete(User);
- SafeDelete(Pipe);
+ if (User) delete[] User;
+ if (Pipe) delete[] Pipe;
return;
}
// Method cannot be attempted for anonymous users ... (ie data servers )...
if (!strcmp(pw->pw_shell, "/bin/false")) {
ErrorInfo("RpdSshAuth: no SSH for anonymous user '%s' ", User);
NetSend(-2, kROOTD_SSH);
- SafeDelete(User);
- SafeDelete(Pipe);
+ if (User) delete[] User;
+ if (Pipe) delete[] Pipe;
return;
}
@@ -1502,9 +1503,9 @@ void RpdSshAuth(const char *sstr)
ErrorInfo
("RpdSshAuth: can't allocate UNIX socket for authentication");
NetSend(0, kROOTD_SSH);
- SafeDelete(User);
- SafeDelete(Pipe);
- SafeDelete(UniquePipe);
+ if (User) delete[] User;
+ if (Pipe) delete[] Pipe;
+ if (UniquePipe) delete[] UniquePipe;
return;
}
// Communicate command to be executed via ssh ...
@@ -1535,9 +1536,9 @@ void RpdSshAuth(const char *sstr)
// If failure, notify and return ...
if (gAuth == 0) {
NetSend(kErrAuthNotOK, kROOTD_ERR); // Send message length first
- SafeDelete(User);
- SafeDelete(Pipe);
- SafeDelete(UniquePipe);
+ if (User) delete[] User;
+ if (Pipe) delete[] Pipe;
+ if (UniquePipe) delete[] UniquePipe;
return;
}
// notify the client
@@ -1585,7 +1586,7 @@ void RpdSshAuth(const char *sstr)
ErrorInfo
("RpdSshAuth: problems secure-sending token - may result in corrupted token");
}
- SafeDelete(token);
+ if (token) delete[] token;
// Save RSA public key into file for later use by other rootd/proofd
RpdSavePubKey(gPubKey, OffSet);
@@ -1598,10 +1599,10 @@ void RpdSshAuth(const char *sstr)
}
// Release allocated memory
- SafeDelete(User);
- SafeDelete(Pipe);
- SafeDelete(UniquePipe);
- SafeDelete(CmdInfo);
+ if (User) delete[] User;
+ if (Pipe) delete[] Pipe;
+ if (UniquePipe) delete[] UniquePipe;
+ if (CmdInfo) delete[] CmdInfo;
return;
}
@@ -1624,15 +1625,11 @@ void RpdKrb5Auth(const char *sstr)
ErrorInfo("RpdKrb5Auth: analyzing ... %s", sstr);
if (gClientProtocol > 8) {
- char *User = new char[strlen(sstr)];
int Ulen, ofs, opt;
- char dumm[20];
+ char dumm[256];
// Decode subject string
- sscanf(sstr, "%d %d %d %d %s %s", &gRemPid, &ofs, &opt, &Ulen, User,
- dumm);
- User[Ulen] = '\0';
+ sscanf(sstr, "%d %d %d %d %s", &gRemPid, &ofs, &opt, &Ulen, dumm);
gReUseRequired = (opt & kAUTH_REUSE_MSK);
- SafeDelete(User);
}
// get service principal
krb5_principal server;
@@ -1727,7 +1724,7 @@ void RpdKrb5Auth(const char *sstr)
ErrorInfo
("RpdKerb5Auth: problems secure-sending token - may result in corrupted token");
}
- SafeDelete(token);
+ if (token) delete[] token;
// Save RSA public key into file for later use by other rootd/proofd
RpdSavePubKey(gPubKey, OffSet);
@@ -1817,7 +1814,7 @@ void RpdSRPUser(const char *sstr)
strcpy(gUser, user);
- SafeDelete(user);
+ if (user) delete[] user;
if (!gAltSRP) {
sprintf(srootdpass, "%s/%s", pw->pw_dir, kSRootdPass);
@@ -1978,7 +1975,7 @@ void RpdSRPUser(const char *sstr)
ErrorInfo
("RpdKrb5Auth: problems secure-sending token - may result in corrupted token");
}
- SafeDelete(token);
+ if (token) delete[] token;
// Save RSA public key into file for later use by other rootd/proofd
RpdSavePubKey(gPubKey, OffSet);
@@ -2187,7 +2184,7 @@ void RpdPass(const char *pass)
}
NetSend(token, kMESS_STRING);
}
- SafeDelete(token);
+ if (token) delete[] token;
} else {
// Comunicate login user name to client
@@ -2252,7 +2249,7 @@ void RpdGlobusAuth(const char *sstr)
if (gDebug > 2)
ErrorInfo("RpdGlobusAuth: gRemPid: %d, Subj: %s (%d %d)", gRemPid,
Subj, lSubj, strlen(Subj));
- SafeDelete(Subj); // GlbClientName will be determined from the security context ...
+ if (Subj) delete[] Subj; // GlbClientName will be determined from the security context ...
// Now wait for client to communicate the issuer name of the certificate ...
char *answer = new char[20];
@@ -2264,7 +2261,7 @@ void RpdGlobusAuth(const char *sstr)
return;
}
int client_issuer_name_len = atoi(answer);
- SafeDelete(answer);
+ if (answer) delete[] answer;
char *client_issuer_name = new char[client_issuer_name_len + 1];
NetRecv(client_issuer_name, client_issuer_name_len, kind);
if (kind != kMESS_STRING) {
@@ -2288,7 +2285,7 @@ void RpdGlobusAuth(const char *sstr)
return;
} else {
int sjlen = strlen(subject_name) + 1;
- subject_name[sjlen] = '\0';
+ // subject_name[sjlen] = '\0';
int bsnd = NetSend(sjlen, kROOTD_GLOBUS);
if (gDebug > 2)
@@ -2302,7 +2299,7 @@ void RpdGlobusAuth(const char *sstr)
free(subject_name);
}
// not needed anymore ...
- SafeDelete(client_issuer_name);
+ if (client_issuer_name) delete[] client_issuer_name;
// Inquire Globus credentials:
// This is looking to file X509_USER_CERT for valid a X509 cert (default
@@ -2461,7 +2458,7 @@ void RpdGlobusAuth(const char *sstr)
ErrorInfo
("RpdGlobusAuth: problems secure-sending token - may result in corrupted token");
}
- SafeDelete(token);
+ if (token) delete[] token;
// Save RSA public key into file for later use by other rootd/proofd
RpdSavePubKey(gPubKey, OffSet);
@@ -2574,19 +2571,23 @@ void RpdCleanup(const char *sstr)
}
//______________________________________________________________________________
-void RpdCheckSession(int period)
+void RpdCheckSession()
{
- // Period in seconds.
- int speriod = 3600 * period;
+ // Check auth tab file size
+ struct stat st;
+ if (stat(gRpdAuthTab, &st) == 0) {
- if (gDebug > 2)
- ErrorInfo("RpdCheckSession: enter: period: %d", period);
+ // Cleanup auth tab file if too big
+ if (st.st_size > kMAXTABSIZE)
+ RpdUpdateAuthTab(0, 0, 0);
- // Session file ...
- char SessionFile[kMAXPATHLEN] = { 0 };
- // sprintf(SessionFile, "%s/rootd.%d", gTmpDir, getppid());
- sprintf(SessionFile, "%s/rpd.run", gTmpDir);
+ // New file if still too big
+ if (stat(gRpdAuthTab, &st) == 0) {
+ if (st.st_size > kMAXTABSIZE)
+ RpdUpdateAuthTab(-1, 0, 0);
+ }
+ }
// Reset
int i;
@@ -2596,82 +2597,6 @@ void RpdCheckSession(int period)
gHaveMeth[i] = 1;
}
- if (gDebug > 2)
- ErrorInfo("RpdCheckSession: sessionfile: %s", SessionFile);
-
- // If it already exists, update auth tab or do nothing ...
- struct stat st;
- if (stat(SessionFile, &st) == 0) {
- if (gDebug > 2)
- ErrorInfo("RpdCheckSession: stat ok: mtime: %d", st.st_mtime);
- if ((time(0) - st.st_mtime) > speriod)
- RpdUpdateAuthTab(0, 0, 0);
-
- FILE *fp = fopen(SessionFile, "r");
-
- int ctim, nw;
- char line[1024];
- int meth[5];
- while (fgets(line, sizeof(line), fp)) {
- nw = sscanf(line, "%d %d %d %d %d %d", &ctim, &meth[4], &meth[0],
- &meth[1], &meth[2], &meth[3]);
- if (nw > 1) {
- gNumAllow = meth[4];
- if (gNumAllow != (nw - 2)) {
- ErrorInfo
- ("RpdCheckSession: inconsistency found in session file ( gNumAllow:%d nw:%d) - rescan",
- gNumAllow, nw);
- goto rescan;
- } else {
- for (i = 0; i < gNumAllow; i++) {
- if (meth[i] >= 0 && meth[i] <= kMAXSEC) {
- gAllowMeth[i] = meth[i];
- gHaveMeth[meth[i]] = 1;
- } else {
- ErrorInfo
- ("RpdCheckSession: inconsistency found in session file (meth[%d]: %d) - rescan",
- i, meth[i]);
- goto rescan;
- }
- }
- gNumLeft = gNumAllow;
- }
- }
- }
- fclose(fp);
- return;
- rescan:
- fclose(fp);
-
- } else {
- if (errno != ENOENT)
- ErrorInfo
- ("RpdCheckSession: file exists but problems from stat: errno:%d - recreating the file",
- errno);
- }
-
- // Remove old files first ...
- char cmd[kMAXPATHLEN] = { 0 };
- sprintf(cmd, "ls -1 %s/rootd.* 2>/dev/null", gTmpDir);
- FILE *fp = popen(cmd, "r");
- i = 0;
- if (fp != 0) {
- int ch;
- for (ch = fgetc(fp); ch != EOF; ch = fgetc(fp)) {
- if (ch != 10) {
- cmd[i++] = ch;
- } else {
- cmd[i] = '\0';
- unlink(cmd);
- i = 0;
- }
- }
- if (i > 0) {
- cmd[i] = '\0';
- unlink(cmd);
- }
- pclose(fp);
- }
// List of default authentication methods (to be save in the session file)
RpdDefaultAuthAllow();
@@ -2681,14 +2606,6 @@ void RpdCheckSession(int period)
for (i = 0; i < gNumAllow; i++) {
sprintf(cmeth, "%s %d", cmeth, gAllowMeth[i]);
}
-
- // Create new file ...
- fp = fopen(SessionFile, "w");
- fprintf(fp, "%d %s\n", (int) time(0), cmeth);
- fclose(fp);
-
- // CleauUp Authentication Table
- RpdUpdateAuthTab(-1, 0, 0);
}
//______________________________________________________________________________
@@ -2901,7 +2818,7 @@ void RpdUser(const char *sstr)
const int kMaxBuf = 256;
char recvbuf[kMaxBuf];
char rootdpass[kMAXPATHLEN];
- char specpass[64];
+ char specpass[64] = {0};
EMessageTypes kind;
struct passwd *pw;
#ifdef R__SHADOWPW
@@ -2927,6 +2844,7 @@ void RpdUser(const char *sstr)
user[ulen] = '\0';
gReUseRequired = (opt & kAUTH_REUSE_MSK);
gCryptRequired = (opt & kAUTH_CRYPT_MSK);
+ gSaltRequired = (opt & kAUTH_SSALT_MSK);
gOffSet = ofs;
} else {
strcpy(user, sstr);
@@ -2967,7 +2885,8 @@ void RpdUser(const char *sstr)
// If not anonymous, try to get passwd
// (if our system uses shadow passwds and we are not superuser
// we cannot authenticate users ...)
- char *passw = 0;
+ // char *passw = 0;
+ char *passw = specpass;
if (gAnon == 0) {
// Try if special password is given via .rootdpass
@@ -2981,7 +2900,8 @@ void RpdUser(const char *sstr)
close(fid);
}
- if (passw == 0 || strlen(passw) == 0 || !strcmp(passw, "x")) {
+ // if (passw == 0 || strlen(passw) == 0 || !strcmp(passw, "x")) {
+ if (strlen(passw) == 0 || !strcmp(passw, "x")) {
#ifdef R__SHADOWPW
// System V Rel 4 style shadow passwords
if ((spw = getspnam(user)) == 0) {
@@ -2997,7 +2917,8 @@ void RpdUser(const char *sstr)
#endif
}
// Check if successful
- if (passw == 0 || strlen(passw) == 0 || !strcmp(passw, "x")) {
+ // if (passw == 0 || strlen(passw) == 0 || !strcmp(passw, "x")) {
+ if (strlen(passw) == 0 || !strcmp(passw, "x")) {
NetSend(kErrNotAllowed, kROOTD_ERR);
ErrorInfo("RpdUser: passwd hash not available for user %s", user);
ErrorInfo
@@ -3025,7 +2946,7 @@ void RpdUser(const char *sstr)
}
// Ok: Save username and go to next steps
strcpy(gUser, user);
- SafeDelete(user);
+ if (user) delete[] user;
if (gClientProtocol > 8) {
@@ -3057,7 +2978,7 @@ void RpdUser(const char *sstr)
char Salt[20] = { 0 };
int Slen = 0;
- if (gReUseRequired) {
+ if (gSaltRequired) {
if (!strncmp(passw, "$1$", 3)) {
// Shadow passwd
char *pd = strstr(passw + 4, "$");
@@ -3078,7 +2999,7 @@ void RpdUser(const char *sstr)
("RpdUser: problems secure-sending salt - may result in corrupted salt");
}
} else {
- NetSend("-1", kMESS_STRING);
+ NetSend(0, kMESS_ANY);
}
} else {
// We continue the aythentication process in clear
@@ -3131,7 +3052,7 @@ void RpdUser(const char *sstr)
// Check the passwd and login if ok ...
RpdPass(passwd);
- SafeDelete(passwd);
+ if (passwd) delete[] passwd;
}
@@ -3300,10 +3221,8 @@ int RpdGetRSAKeys(char *PubKey, int Opt)
rsa_num_sget(&gRSA_n, RSA_n_exp);
rsa_num_sget(&gRSA_d, RSA_d_exp);
- if (RSA_n_exp)
- SafeDelete(RSA_n_exp);
- if (RSA_d_exp)
- SafeDelete(RSA_d_exp);
+ if (RSA_n_exp) delete[] RSA_n_exp;
+ if (RSA_d_exp) delete[] RSA_d_exp;
} else
return 0;
@@ -3321,7 +3240,7 @@ void RpdSavePubKey(char *PubKey, int OffSet)
{
// Save RSA public key into file for later use by other rootd/proofd.
- if (gRSAKey == 0)
+ if (gRSAKey == 0 || OffSet < 0)
return;
char PubKeyFile[kMAXPATHLEN];
diff --git a/srputils/src/SRPAuth.cxx b/srputils/src/SRPAuth.cxx
index d289b14991f279a56119f3789352a9ecac59f011..7cce3f572ad0de823eebee71693596e75c97eb15 100644
--- a/srputils/src/SRPAuth.cxx
+++ b/srputils/src/SRPAuth.cxx
@@ -1,4 +1,4 @@
-// @(#)root/srputils:$Name: $:$Id: SRPAuth.cxx,v 1.5 2001/01/07 15:18:39 rdm Exp $
+// @(#)root/srputils:$Name: $:$Id: SRPAuth.cxx,v 1.6 2003/08/29 10:41:28 rdm Exp $
// Author: Fons Rademakers 15/02/2000
/*************************************************************************
@@ -93,11 +93,11 @@ Int_t SRPAuthenticate(TAuthenticate *auth, const char *user, const char *passwd,
int rc = 0;
if ((rc = TAuthenticate::AuthExists(auth,(Int_t)TAuthenticate::kSRP,Details,Options,&kind,&stat)) == 1) {
// A valid authentication exists: we are done ...
- SafeDelete(Options);
+ if (Options) delete[] Options;
return 1;
}
if (rc == -2) {
- SafeDelete(Options);
+ if (Options) delete[] Options;
return rc;
}
@@ -166,6 +166,7 @@ Int_t SRPAuthenticate(TAuthenticate *auth, const char *user, const char *passwd,
}
t_clientpasswd(tc, psswd);
+ if (gDebug>0) ::Info("SRPAuthenticate", "password: '%s'",psswd);
// receive B from server
sock->Recv(hexbuf, MAXHEXPARAMLEN, kind);
@@ -186,6 +187,12 @@ Int_t SRPAuthenticate(TAuthenticate *auth, const char *user, const char *passwd,
if (version > 1) {
+ // Save passwd for later use ...
+ TAuthenticate::SetGlobalUser(user);
+ TAuthenticate::SetGlobalPasswd(psswd);
+ TAuthenticate::SetGlobalPwHash(kFALSE);
+
+
// Receive result of the overall process
sock->Recv(stat, kind);
if (kind == kROOTD_ERR) {
@@ -238,7 +245,7 @@ Int_t SRPAuthenticate(TAuthenticate *auth, const char *user, const char *passwd,
// Create and save AuthDetails object
TAuthenticate::SaveAuthDetails(auth,(Int_t)TAuthenticate::kSRP,OffSet,ReUse,Details,lUser,gRSAKey,Token);
det = Details;
- SafeDelete(Token);
+ if (Token) delete[] Token;
// Receive result from remote Login process
sock->Recv(stat, kind);