# # etc/system.rootauthrc # # NB: this file contains system defaults read only in the case the # $HOME/.rootauthrc is non-existing or non-readable. Its content # can be included in the private $HOME/.rootauthrc using the # include directive (see below). The location of the private file # can be changed by setting the environment variable ROOTAUTHRC # to the appropriate absolute file pathname. # # This file contains information about authentication methods available for # authentication vis-a-vis of a given host. It allows to define host specific # methods and defaults for the info (username, certificates, ...) to be used. # The information specified here superseeds the one found in .rootrc. # # Format: # - lines starting with '#' are comment lines. # # - lines of the form 'include ' allow to include other files # of this kind which are expanded exactly at the point where the # 'include' appears; environment variables are supported, eg # include $ROOTSYS/etc/system.rootauthrc # # - lines of the form: # # [user ] # # where is the host(s) identifier (see below), is an # option key and is the relevant info whose format depends # on ; 'user' indicates the username to whom the information # applies; if absent, the info applies to all users. # # : # - hosts can specified either with their name (e.g. pcepsft43), # their FQDN (e.g. pcepsft43.cern.ch) or their IP address # (e.g. 137.138.99.73). # - if =default or ='*' the following # applies to all hosts, unless host-specific entries are found. # - the '*' character can be used in the any field of the name to # indicate a set of machines or domains, e.g. pcepsft*.cern.ch # applies to all 'pcepsft' machines in the domain 'cern.ch' # (to indicate all 'lxplus' machines you should use 'lxplus*.cern.ch' # because internally the generic lxplus machine has a real name of # the form lxplusnnn.cern.ch; you can also use 'lxplus' if you # don't care about domain name checking) # - a whole domain can be indicated by its name, eg 'cern.ch', # 'cnaf.infn.it' or '.ch' # - truncated IP address can also be used to indicate a set of # machines; they are interpreted as the very first or very last # part of the address; for example, to select 137.138.99.73, # any of these is valid: '137.138.99', '137.138', '137`, '99.73'; # or with wild cards: '137.13*' or '*.99.73`; however, '138.99' # is invalid because ambigous. # # : # - valid keys are 'list' and 'method'; # - if =list, contains the list of codes or short names for # methods that can/should be tried for authentication wrt to , # in order of preference. # Available methods are: # # Method short name code # # UsrPwd usrpwd 0 # # Example of a valid 'list' line: # # default list 0 # lxplus*.cern.ch list usrpwd # # The first line defines as default method UsrPwd. # # Having a line 'list' for a host is non mandatory: methods can # also be defined directly via 'method' lines (see below); in # such a case the first 'method' line will define the preferred # method and so on. # # - if =method, contains # + a method code --> mandatory, must be in the valid range # + a prompt flag --> optional, identified by the key 'pt:', # e.g. pt:yes # values: 'yes' or 1, 'no' or '0' # + a reuse flag --> optional, identified by the key 'ru:', # e.g. ru:no # values: 'yes' or 1, 'no' or '0' # + some relevant information for authentication (optional, # see below) # # The 'prompt' flag defines whether the user should be prompted # for the relevant authentication details each time an # authentication with the corresponding method is attempted. # Default is 'yes', superseeded by the related entry in '.rootrc' . # The 'reuse' flag determines if a successful authentication will # be later re-used without prompting (e.g. when the user tries # to access the same host with same method during the same # session: this allows to speed up operation in case of multiple # access). Default is 'yes' for methods 0 (UsrPwd), superseeded # by the related entries in '.rootrc'. # 'reuse' will be af no advantage and 'prompt' is not allowed for # security reasons. The format for the default info depends on # the method: # # Method Format info # # UsrPwd us: cp: # # The key 'us' allows to specify a target username different from # the local username (which is the default target username); the # value specified via 'us' is superseeded by any user information # passed through the constructor, e.g. in TFTP("@"). # # The additional keys for UsrPwd specify: # 'cp' whether to encrypt the password with a public key (default) # or not (slighty faster), values are 'yes' or '1' for YES, # 'no' or '0' for NO (case sensitive); # # Example of valid 'method' lines: # # default list 0 # default user asdfgh method usrpwd pt:1 ru:no # include local/myrootauthrc # include $ROOTSYS/etc/system.rootauthrc # # The first line states that, unless differently specified, # the first method to be tried for autentication is UsrPwd. # The second line specifies that, for UsrPwd authentication, user # 'asdfgh' will get a prompt with default username 'asdfgh' and # that a successful authentication will not be reused # The third directive includes the content of the file # myrootauthrc located in the subdirectory local of the # directory where the intercative root session was started. # The fourth directive includes the content of the system # defaults. # # - Finally, also supported are lines of the form: # # proofserv [:][:[:...[:]]] \ # [:][:[:...[:]]] \ # ... [:][:[:...[:]]] # # which are active only for PROOF sessions and specify the list of hosts # for which the authentication info should be transmitted to the slaves # of the PROOF cluster; these directives are useful, for example, in # the case of data servers external to the PROOF cluster that you may # want to access via a given 'user' and a given authentication 'method'; # 'user' and 'method' are not mandatory; for each (an user, method) # specified with 'proofserv' all the information that can be collected # from the rest of the .rootauthrc file is sent to slaves via the master # # default list usrpwd