This file is indexed.

/etc/root/system.rootauthrc is in root-system-common 5.34.14-1build1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
#
#  etc/system.rootauthrc
#
#  NB: this file contains system defaults read only in the case the 
#      $HOME/.rootauthrc is non-existing or non-readable. Its content 
#      can be included in the the private $HOME/.rootauthrc using the 
#      include directive (see below). The location of the private file
#      can be changed by setting the environment variable ROOTAUTHRC
#      to the appropriate absolute file pathname.
#
#  This file contains information about authentication methods available for
#  authentication vis-a-vis of a given host. It allows to define host specific
#  methods and defaults for the info (username, certificates, ...) to be used.
#  The information specified here superseeds the one found in .rootrc.
#  
#  Format:
#    - lines starting with '#' are comment lines.
#
#    - lines of the form 'include <file>' allow to include other files
#      of this kind which are expanded exactly at the point where the 
#      'include' appears; environment variables are supported, eg
#      include $ROOTSYS/etc/system.rootauthrc
#
#    - lines of the form:
#
#         <host> [user <username>] <key> <info>
#
#      where <host> is the host(s) identifier (see below), <key> is an 
#      option key and <info> is the relevant info whose format depends 
#      on <key>; 'user' indicates the username to whom the information
#      applies; if absent, the info applies to all users.
#
#      <host>:
#         - hosts can specified either with their name (e.g. pcepsft43), 
#           their FQDN (e.g. pcepsft43.cern.ch) or their IP address 
#           (e.g. 137.138.99.73).
#         - if <host>=default or <host>='*' the following <key> <info> 
#           applies to all hosts, unless host-specific entries are found.
#         - the '*' character can be used in the any field of the name to 
#           indicate a set of machines or domains, e.g. pcepsft*.cern.ch 
#           applies to all 'pcepsft' machines in the domain 'cern.ch'
#           (to indicate all 'lxplus' machines you should use 'lxplus*.cern.ch'
#           because internally the generic lxplus machine has a real name of
#           the form lxplusnnn.cern.ch; you can also use 'lxplus' if you
#           don't care about domain name checking)
#         - a whole domain can be indicated by its name, eg 'cern.ch', 
#           'cnaf.infn.it' or '.ch'
#         - truncated IP address can also be used to indicate a set of
#           machines; they are interpreted as the very first or very last 
#           part of the address; for example, to select 137.138.99.73, 
#           any of these is valid: '137.138.99', '137.138', '137`, '99.73'; 
#           or with wild cards: '137.13*' or '*.99.73`; however, '138.99' 
#           is invalid because ambigous.
#         - host names can be followed by :rootd or :proofd to define directives
#           applying only to the given service
#
#      <key> <info>:
#         - valid keys are 'list' and 'method';
#         - if <key>=list, <info> contains the list of codes or short names for 
#           methods that can/should be tried for authentication wrt to <host>, 
#           in order of preference.
#           Available methods are:
#
#              Method                        short name      code
#
#              UsrPwd                         usrpwd          0
#              SRP                            srp             1
#              Kerberos                       krb5            2
#              Globus                         globus          3
#              SSH                            ssh             4
#              UidGid                         uidgid          5   (insecure)
#
#           Example of a valid 'list' line:
#
#              default          list  4 
#              lxplus*.cern.ch  list  ssh 3 krb5
#
#           The first line defines as default method SSH, this is equivalent
#           of setting:
#
#              Rootd.Authentication    4
#              Proofd.Authentication   4
#
#           in the .rootc file.
#
#           The second line adds Globus and Kerberos as available methods
#           for authentication to the lxplus machines (in addition to SSH):
#           SSH the preferred first, Kerberos the last option. 
#
#           Having a line 'list' for a host is non mandatory: methods can
#           also be defined directly via 'method' lines (see below); in
#           such a case the first 'method' line will define the preferred
#           method and so on.
#
#         - if <key>=method, <info> contains 
#              + a method code  --> mandatory, must be in the valid range
#              + a prompt flag  --> optional, identified by the key 'pt:',
#                                   e.g. pt:yes
#                                   values: 'yes' or 1, 'no' or '0'
#              + a reuse flag   --> optional, identified by the key 'ru:',
#                                   e.g. ru:no
#                                   values: 'yes' or 1, 'no' or '0'
#              + some relevant information for authentication (optional,
#                see below)
#
#           The 'prompt' flag defines whether the user should be prompted
#           for the relevant authentication details each time an 
#           authentication with the corresponding method is attempted.
#           Default is 'yes', superseeded by the related entry in '.rootrc' .
#           The 'reuse' flag determines if a successful authentication will
#           be later re-used without prompting (e.g. when the user tries
#           to access the same host with same method during the same
#           session: this allows to speed up operation in case of multiple
#           access). Default is 'yes' for methods 0 (UsrPwd), 3 (Globus)
#           and 4 (SSH), superseeded by the related entries in '.rootrc';
#           feature not yet implemented for methods 1 (SRP) and 2 (Kerberos). 
#           No additional info is needed by method 5 (UidGid): this method
#           sends to the remote host the (uid,gid) of the current process;
#           'reuse' will be af no advantage and 'prompt' is not allowed for
#           security reasons. The format for the default info depends on
#           the method:
#
#              Method                       Format info
#
#              UsrPwd                       us:<username> cp:<crypt_option>
#              SRP                          us:<username> 
#              Kerberos                     pp:<principal> us:<username>(<principal>) 
#              Globus                       cd:<user_certkey_dir> 
#                                           cf:<usercert_file>
#                                           kf:<userkey_file>
#                                           ad:<authorities_dir>
#              SSH                          us:<username>
#              UidGid
#
#
#           The key 'us' allows to specify a target username different from
#           the local username (which is the default target username); the 
#           value specified via 'us' is superseeded by any user information
#           passed through the constructor, e.g. <user> in TFTP("<user>@<host>").
#
#           The additional keys for UsrPwd specify:
#              'cp' whether to encrypt the password with a public key (default)
#                   or not (slighty faster), values are 'yes' or '1' for YES,
#                   'no' or '0' for NO (case sensitive);
#
#
#           For Kerberos, the default principal is the one associated to
#           the local user in the Kerberos realm. A different principal
#           can be specified via the key 'pp', access to which must be granted
#           remotely via .k5login . For backward compatibility, the principal 
#           can also be specified via the 'us' key (it must be in its full 
#           form <username>@<KERBEROS.REALM>, otherwise the string pointed by
#           'us' is interpreted as target username).
#
#           The keys for Globus allow to specify only partial changes of 
#           the defaults:
#              'cd' defines the directory containing the user certificate
#                   and private key files;
#              'cf' defines the user certificate file
#              'kf' defines the user private key file
#              'ad' defines the directory containing credentials for
#                   recognized Certificate Authorities
#                   (the CA signing the remote host certificate must have
#                   an entry here)
#           All these files and directories can be specified as absolute
#           paths (starting with '/') or as relative to the getenv("HOME")
#           directory (starting with '~/') or relative to the local '.globus'
#           directory. Defaults are:
#              cd:~/.globus
#              cf:usercert.pem
#              kf:userkey.pem
#              ad:/etc/grid-security/certificates
#
#           NB: for all the mentioned keys, there should be NO space between
#           the key and the value, e.g. 'us: qwerty' will result in 
#           <username>=""
#
#           Example of valid 'method' lines:
#
#              default list 4 0 1
#              default    method  ssh pt:yes us:qwerty
#              default    method  3 pt:0 
#              default user asdfgh  method  usrpwd pt:1 ru:no 
#              lxplus*.cern.ch  method  3 pt:no  ad:certificates
#              pcepsft43.cern.ch  user poiuyt method globus pt:no \
#                                 cd:~/CA/HubCA/poiuyt ad:certificates
#              include    local/pceple19.rootauthrc
#              include $ROOTSYS/etc/system.rootauthrc
#              localhost:proofd list  uidgid 
#              pcepsft43.cern.ch  user asdfgh method 2 pt:no pp:asdkrb@LOC.KRB.REALM
#            
#           The first line states that, unless differently specified, 
#           the first method to be tried for autentication is SSH,
#           followed in case of failure by UsrPwd and SRP. 
#           The second line specifies that when a SSH authentication is
#           attempted, the user will be prompted for the remote username,
#           with 'qwerty' as default. The third line states that for 
#           Globus the user will not be prompted and the credentials
#           and related files will be looked for in the default places.
#           The fourth line specifies that, for UsrPwd authentication, user
#           'asdfgh' will get a prompt with default username 'asdfgh' and
#           that a successful authentication will not be reused
#           The fifth line tells that for Globus to lxplus, the user 
#           will still not be prompted, but the credentials for the 
#           CA signing the remote certificate will be looked
#           for in ~/.globus/certificates.
#           The sixth line tells that for Globus authentication on 
#           pcepsft43 of user poiuyt, the usercert.pem and userkey.pem
#           files are looked for in directory ~/CA/HubCA/poiuyt, 
#           and the credentials for the CA signing the remote certificate
#           in ~/.globus/certificates.
#           The seventh directive includes the content of the file 
#           pceple19.rootauthrc located in the subdirectory local of the
#           directory where the intercative root session was started. 
#           The eight directive includes the content of the system 
#           defaults.
#           The ninth line states that when accessing slaves on the local
#           host, the uidgid method should be used.
#           The tenth line states that the krb5 method should be used for
#           accessing account 'asdfgh' at pcepsft43.cern.ch, with kerberos
#           credentials for principal adskrb@LOC.KRB.REALM .
#
#    - Finally, also supported are lines of the form:
#
#         proofserv <host1>[:<user1>][:<method1>[:...[:<methodn>]]] \
#                   <host2>[:<user2>][:<method1>[:...[:<methodn>]]] \
#                   ... <hostn>[:<usern>][:<method1>[:...[:<methodn>]]]
#
#      which are active only for PROOF sessions and specify the list of hosts 
#      for which the authentication info should be transmitted to the slaves
#      of the PROOF cluster; these directives are useful, for example, in
#      the case of data servers external to the PROOF cluster that you may
#      want to access via a given 'user' and a given authentication 'method'; 
#      'user' and 'method' are not mandatory; for each <host> (an user, method)
#      specified with 'proofserv' all the information that can be collected 
#      from the rest of the .rootauthrc file is sent to slaves via the master
#            
#
default list usrpwd ssh  krb5 globus uidgid