#
#  $ROOTSYS/etc/system.rootdaemonrc, $HOME/.rootdaemonrc
#      This files describe the names of the hosts for which
#      the allowed authentication methods are not the default ones
#      as specified in system.rootrc (if any).
#      This file is used by the 'rootd', 'proofd' and 'sockd' daemons
#      ('sockd' indicates servers run from ROOT interactive sessions
#       via teh TServerSocket class).
#
#      If existing, $HOME/.rootdaemonrc has priority over
#      $ROOTSYS/etc/system.rootdaemonrc
#
#  Format:
#    - lines starting with '#' are comment lines.
#
#    - hosts can specified either with their name (eg. pcepsft43),
#      their FQDN (eg, pcepsft43.cern.ch) or their IP address
#      (eg 137.138.99.73).
#
#    - host names can be followed by :rootd, :proofd or :sockd to define
#      directives applying only to the given service
#
#    - directives applying to all host can be specified either by
#      'default' or '*'
#
#    - the '*' character can be used in any field of the name to indicate
#      a set of machines or domains, e.g. pcepsft*.cern.ch applies to all
#      'pcepsft' machines in the domain 'cern.ch'. (to indicate all
#      'lxplus' machines you should use 'lxplus*.cern.ch' because
#      internally the generic lxplus machine has a real name of the form
#      lxplusnnn.cern.ch; you can also use 'lxplus' if you don't care
#      about domain name checking).
#
#    - a whole domain can be indicated by its name, eg 'cern.ch',
#      'cnaf.infn.it' or '.ch'
#    - truncated IP address can also be used to indicate a set of
#      machines; they are interpreted as the very first or very last
#      part of the address; for example, to select 137.138.99.73,
#      any of these is valid: '137.138.99', '137.138', '137', '99.73';
#      or with wild cards: '137.13*' or '*.99.73'; however, '138.99'
#      is invalid because ambiguous.
#
#    - the information following the name or IP address indicates, in order
#      of preference, the short names or the internal codes of authentication
#      methods accepted for requests coming from the specified host(s); the
#      ones implemented so far are:
#
#        Method                           short name   code
#
#        UsrPwd                            usrpwd       0
#        SRP                               srp          1
#        Kerberos                          krb5         2
#        Globus                            globus       3
#        SSH                               ssh          4
#        UidGid                            uidgid       5   (insecure)
#
#     (The insecure method is intended to speed up access within a cluster
#     protected by other means from outside attacks; should not be used for
#     inter-cluster or inter-domain authentication).
#     Methods non specified explicitly are not accepted.
#     For the insecure method it is possible to give access only to a
#     specific list of users by specifying the usernames after the method
#     separated by colons (:) example:
#
#        uidgid:user1:user2:user3
#
#     will allow uidgid access only to users user1, user2 and user3.
#     This is useful to give easy access to data servers.
#
#     It is also possible to deny access to a user by using a '-' in front of
#     the name:
#
#        uidgid:-user4
#
#   - Lines ending with '\' are followed by additional information for the
#     host on the next line; the name of the host should not be repeated.
#
# Example of allowing machines in the cern.ch domain to authenticate
# using SSH (as preferred method) followed by the Globus and UsrPwd methods;
# in this case, attempts to use SRP, Kerberos or UidGid methods will be
# rejected; however, the accepted methods will be communicated to the client
# and an automatic retry is attempted if the client can use any of them
# (negotiation).
#
# Valid examples:
#
# default              none
# default              ssh 0 uidgid
# 137.138.             4 0
# pceple19.cern.ch     4 1 3 2 5 0
# lxplus*.cern.ch      4 1 globus 0:qwerty:uytre 5
# pcep*.cern.ch:rootd  4 1 5:qwerty 
#
# Everything allowed from the local host (for testing)
#
127.0.0.1            4 0 3 1 2 5
#
# secure methods allowed by default
default usrpwd ssh @havesrp@ @havekrb5@ @haveglobus@