.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.47.8.
.TH GSASL "1" "January 2021" "gsasl 1.10.0" "User Commands"
.SH NAME
gsasl \- SASL library command line interface
.SH SYNOPSIS
.B gsasl
[\fI\,OPTIONS\/\fR]... [\fI\,HOST \/\fR[\fI\,PORT\/\fR]]...
.SH DESCRIPTION
GNU SASL 1.10.0
.PP
Authenticate user to a server using Simple Authentication and
Security Layer.  Currently IMAP and SMTP servers are supported.  This
is a command line interface for the GNU SASL library.
.TP
\fB\-h\fR, \fB\-\-help\fR
Print help and exit
.TP
\fB\-V\fR, \fB\-\-version\fR
Print version and exit
.SS "Commands:"
.TP
\fB\-c\fR, \fB\-\-client\fR
Act as client.  (default=on)
.TP
\fB\-s\fR, \fB\-\-server\fR
Act as server.  (default=off)
.TP
\fB\-\-client\-mechanisms\fR
Write name of supported client mechanisms
separated by space to stdout.  (default=off)
.TP
\fB\-\-server\-mechanisms\fR
Write name of supported server mechanisms
separated by space to stdout.  (default=off)
.TP
\fB\-k\fR, \fB\-\-mkpasswd\fR
Derive password. Provide \fB\-\-mechanism\fR as
SCRAM\-SHA\-1 or SCRAM\-SHA\-256.  The required
inputs are password (through \fB\-\-password\fR or
read from terminal) and optional inputs are
iteration count (through \fB\-\-iteration\-count\fR,
or defaulting to 65536) and salt (through
\fB\-\-salt\fR, or generated randomly).  The output
is a string of the form
"{mech}count,salt,stored\-key,server\-key[,salted\-password]"
where "mech" is the mechanism, "count" is
the number of times password was hashed,
"salt" is the provided/generated
base64\-encoded salt, "stored\-key" and
"server\-key" are the two derived and
base64\-encoded server\-side keys.  When
\fB\-\-verbose\fR is provided, "salted\-password"
will be included as the hex\-encoded
PBKDF2\-derived password.  (default=off)
.SS "Network options:"
.TP
\fB\-\-connect\fR=\fI\,HOST[\/\fR:PORT]
Connect to TCP server and negotiate on stream
instead of stdin/stdout. PORT is the protocol
service, or an integer denoting the port, and
defaults to 143 (imap) if not specified. Also
sets the \fB\-\-hostname\fR default.
.SS "Generic options:"
.TP
\fB\-d\fR, \fB\-\-application\-data\fR
After authentication, read data from stdin and
run it through the mechanism's security layer
and print it base64 encoded to stdout. The
default is to terminate after authentication.
(default=on)
.TP
\fB\-\-imap\fR
Use a IMAP\-like logon procedure (client only).
Also sets the \fB\-\-service\fR default to 'imap'.
(default=off)
.TP
\fB\-\-smtp\fR
Use a SMTP\-like logon procedure (client only).
Also sets the \fB\-\-service\fR default to 'smtp'.
(default=off)
.TP
\fB\-m\fR, \fB\-\-mechanism\fR=\fI\,STRING\/\fR
Mechanism to use.
.TP
\fB\-\-no\-client\-first\fR
Disallow client to send data first (client
only).  (default=off)
.SS "SASL mechanism options (they are prompted for when required):"
.TP
\fB\-n\fR, \fB\-\-anonymous\-token\fR=\fI\,STRING\/\fR
Token for anonymous authentication, usually
mail address (ANONYMOUS only).
.TP
\fB\-a\fR, \fB\-\-authentication\-id\fR=\fI\,STRING\/\fR
Identity of credential owner.
.HP
\fB\-z\fR, \fB\-\-authorization\-id\fR=\fI\,STRING\/\fR Identity to request service for.
.TP
\fB\-p\fR, \fB\-\-password\fR=\fI\,STRING\/\fR
Password for authentication (insecure for
non\-testing purposes).
.TP
\fB\-r\fR, \fB\-\-realm\fR=\fI\,STRING\/\fR
Realm. Defaults to hostname.
.TP
\fB\-\-passcode\fR=\fI\,NUMBER\/\fR
Passcode for authentication (SECURID only).
.TP
\fB\-\-service\fR=\fI\,STRING\/\fR
Set the requested service name (should be a
registered GSSAPI host based service name).
.TP
\fB\-\-hostname\fR=\fI\,STRING\/\fR
Set the name of the server with the requested
service.
.TP
\fB\-\-service\-name\fR=\fI\,STRING\/\fR
Set the generic server name in case of a
replicated server (DIGEST\-MD5 only).
.TP
\fB\-\-enable\-cram\-md5\-validate\fR
Validate CRAM\-MD5 challenge and response
.TP
interactively.
(default=off)
.TP
\fB\-\-disable\-cleartext\-validate\fR
Disable cleartext validate hook, forcing server
.TP
to prompt for password.
(default=off)
.TP
\fB\-\-quality\-of\-protection\fR=\fI\,TYPE\/\fR
How application payload will be protected.
.TP
\&'qop\-auth' means no protection, 'qop\-int'
means integrity protection, 'qop\-conf' means
integrity and confidentialiy protection.
Currently only used by DIGEST\-MD5, where the
default is 'qop\-int'.
.TP
\fB\-\-iteration\-count\fR=\fI\,NUMBER\/\fR
Indicate PBKDF2 hash iteration count (SCRAM
only).  (default=`65536')
.TP
\fB\-\-salt\fR=\fI\,B64DATA\/\fR
Indicate PBKDF2 salt as base64\-encoded string
(SCRAM only).
.SS "STARTTLS options:"
.TP
\fB\-\-starttls\fR
Force use of STARTTLS.  The default is to use
STARTTLS when available.  (default=off)
.TP
\fB\-\-no\-starttls\fR
Unconditionally disable STARTTLS.
(default=off)
.TP
\fB\-\-no\-cb\fR
Don't use channel bindings from TLS.
(default=off)
.TP
\fB\-\-x509\-ca\-file\fR=\fI\,FILE\/\fR
File containing one or more X.509 Certificate
Authorities certificates in PEM format, used
to verify the certificate received from the
server.  If not specified, verification uses
system trust settings.  If FILE is the empty
string, don't fail on X.509 server
certificates verification errors.
.TP
\fB\-\-x509\-cert\-file\fR=\fI\,FILE\/\fR
File containing client X.509 certificate in PEM
format.  Used together with \fB\-\-x509\-key\-file\fR
to specify the certificate/key pair.
.TP
\fB\-\-x509\-key\-file\fR=\fI\,FILE\/\fR
Private key for the client X.509 certificate in
PEM format.  Used together with
\fB\-\-x509\-key\-file\fR to specify the
certificate/key pair.
.TP
\fB\-\-priority\fR=\fI\,STRING\/\fR
Cipher priority string.
.SS "Other options:"
.TP
\fB\-\-verbose\fR
Produce verbose output.  (default=off)
.TP
\fB\-\-quiet\fR
Don't produce any diagnostic output.
(default=off)
.SH AUTHOR
Written by Simon Josefsson.
.SH "REPORTING BUGS"
Report bugs to: bug\-gsasl@gnu.org
.br
GNU SASL home page: <https://www.gnu.org/software/gsasl/>
.br
General help using GNU software: <https://www.gnu.org/gethelp/>
.SH COPYRIGHT
Copyright \(co 2021 Simon Josefsson.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
.br
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
.SH "SEE ALSO"
The full documentation for
.B gsasl
is maintained as a Texinfo manual.  If the
.B info
and
.B gsasl
programs are properly installed at your site, the command
.IP
.B info gsasl
.PP
should give you access to the complete manual.