#
#  etc/system.rootauthrc
#
#  NB: this file contains system defaults read only in the case the 
#      $HOME/.rootauthrc is non-existing or non-readable. Its content 
#      can be included in the the private $HOME/.rootauthrc using the 
#      include directive (see below). The location of the private file
#      can be changed by setting the environment variable ROOTAUTHRC
#      to the appropriate absolute file pathname.
#
#  This file contains information about authentication methods available for
#  authentication vis-a-vis of a given host. It allows to define host specific
#  methods and defaults for the info (username, certificates, ...) to be used.
#  The information specified here superseeds the one found in .rootrc.
#  
#  Format:
#    - lines starting with '#' are comment lines.
#
#    - lines of the form 'include <file>' allow to include other files
#      of this kind which are expanded exactly at the point where the 
#      'include' appears; environment variables are supported, eg
#      include $ROOTSYS/etc/system.rootauthrc
#
#    - lines of the form:
#
#         <host> [user <username>] <key> <info>
#
#      where <host> is the host(s) identifier (see below), <key> is an 
#      option key and <info> is the relevant info whose format depends 
#      on <key>; 'user' indicates the username to whom the information
#      applies; if absent, the info applies to all users.
#
#      <host>:
#         - hosts can specified either with their name (e.g. pcepsft43), 
#           their FQDN (e.g. pcepsft43.cern.ch) or their IP address 
#           (e.g. 137.138.99.73).
#         - if <host>=default or <host>='*' the following <key> <info> 
#           applies to all hosts, unless host-specific entries are found.
#         - the '*' character can be used in the any field of the name to 
#           indicate a set of machines or domains, e.g. pcepsft*.cern.ch 
#           applies to all 'pcepsft' machines in the domain 'cern.ch'
#           (to indicate all 'lxplus' machines you should use 'lxplus*.cern.ch'
#           because internally the generic lxplus machine has a real name of
#           the form lxplusnnn.cern.ch; you can also use 'lxplus' if you
#           don't care about domain name checking)
#         - a whole domain can be indicated by its name, eg 'cern.ch', 
#           'cnaf.infn.it' or '.ch'
#         - truncated IP address can also be used to indicate a set of
#           machines; they are interpreted as the very first or very last 
#           part of the address; for example, to select 137.138.99.73, 
#           any of these is valid: '137.138.99', '137.138', '137`, '99.73'; 
#           or with wild cards: '137.13*' or '*.99.73`; however, '138.99' 
#           is invalid because ambigous.
#
#      <key> <info>:
#         - valid keys are 'list' and 'method';
#         - if <key>=list, <info> contains the list of codes or short names for 
#           methods that can/should be tried for authentication wrt to <host>, 
#           in order of preference.
#           Available methods are:
#
#              Method                        short name      code
#
#              UsrPwd                         usrpwd          0
#
#           Example of a valid 'list' line:
#
#              default          list  0 
#              lxplus*.cern.ch  list  usrpwd
#
#           The first line defines as default method UsrPwd.
#
#           Having a line 'list' for a host is non mandatory: methods can
#           also be defined directly via 'method' lines (see below); in
#           such a case the first 'method' line will define the preferred
#           method and so on.
#
#         - if <key>=method, <info> contains 
#              + a method code  --> mandatory, must be in the valid range
#              + a prompt flag  --> optional, identified by the key 'pt:',
#                                   e.g. pt:yes
#                                   values: 'yes' or 1, 'no' or '0'
#              + a reuse flag   --> optional, identified by the key 'ru:',
#                                   e.g. ru:no
#                                   values: 'yes' or 1, 'no' or '0'
#              + some relevant information for authentication (optional,
#                see below)
#
#           The 'prompt' flag defines whether the user should be prompted
#           for the relevant authentication details each time an 
#           authentication with the corresponding method is attempted.
#           Default is 'yes', superseeded by the related entry in '.rootrc' .
#           The 'reuse' flag determines if a successful authentication will
#           be later re-used without prompting (e.g. when the user tries
#           to access the same host with same method during the same
#           session: this allows to speed up operation in case of multiple
#           access). Default is 'yes' for methods 0 (UsrPwd), superseeded
#           by the related entries in '.rootrc'.
#           'reuse' will be af no advantage and 'prompt' is not allowed for
#           security reasons. The format for the default info depends on
#           the method:
#
#              Method                       Format info
#
#              UsrPwd                       us:<username> cp:<crypt_option>
#
#           The key 'us' allows to specify a target username different from
#           the local username (which is the default target username); the 
#           value specified via 'us' is superseeded by any user information
#           passed through the constructor, e.g. <user> in TFTP("<user>@<host>").
#
#           The additional keys for UsrPwd specify:
#              'cp' whether to encrypt the password with a public key (default)
#                   or not (slighty faster), values are 'yes' or '1' for YES,
#                   'no' or '0' for NO (case sensitive);
#
#           Example of valid 'method' lines:
#
#              default list 0
#              default user asdfgh  method  usrpwd pt:1 ru:no 
#              include local/myrootauthrc
#              include $ROOTSYS/etc/system.rootauthrc
#            
#           The first line states that, unless differently specified, 
#           the first method to be tried for autentication is UsrPwd.
#           The second line specifies that, for UsrPwd authentication, user
#           'asdfgh' will get a prompt with default username 'asdfgh' and
#           that a successful authentication will not be reused
#           The third directive includes the content of the file 
#           myrootauthrc located in the subdirectory local of the
#           directory where the intercative root session was started. 
#           The fourth directive includes the content of the system 
#           defaults.
#
#    - Finally, also supported are lines of the form:
#
#         proofserv <host1>[:<user1>][:<method1>[:...[:<methodn>]]] \
#                   <host2>[:<user2>][:<method1>[:...[:<methodn>]]] \
#                   ... <hostn>[:<usern>][:<method1>[:...[:<methodn>]]]
#
#      which are active only for PROOF sessions and specify the list of hosts 
#      for which the authentication info should be transmitted to the slaves
#      of the PROOF cluster; these directives are useful, for example, in
#      the case of data servers external to the PROOF cluster that you may
#      want to access via a given 'user' and a given authentication 'method'; 
#      'user' and 'method' are not mandatory; for each <host> (an user, method)
#      specified with 'proofserv' all the information that can be collected 
#      from the rest of the .rootauthrc file is sent to slaves via the master
#            
#
default list usrpwd