DACSCRED(1)                    DACS Commands Manual                    DACSCRED(1)
NAME
dacscred - acquire and manage DACS credentials
SYNOPSIS
dacscred [-dd dir] [-ll log_level] [-v] op [opargs]
dacscred --version
DESCRIPTION
This program is part of the DACS suite.
The dacscred utility supports simple DACS authentication, optionally storing the returned DACS identities securely for future use by non-browser applications. Basic maintenance operations are provided for this cache of credentials.
DACS per-user information, including the cache, is kept within a directory that must be owned by the user. Additionally, the directory must be accessible only by the user. DACS will refuse to use any per-user information if file permissions are inappropriate.
If this directory is not specified on the command line, the following is the default behaviour. If an environment variable named DACSDIR is available, its value is used for the name of this directory; otherwise, DACS will use a directory named .dacs in the user's home directory.
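The two rules above (how the per-user directory is chosen, and that DACS refuses it unless it is owned by the user and closed to everyone else) can be reproduced in a few lines of shell. The following is an added example, not code from the DACS distribution: dacs_user_dir applies the directory selection order described here, and dacs_dir_ok performs the ownership and permission check that DACS applies before it will touch the directory. Both function names are assumptions for this illustration.

```sh
#!/bin/sh
# Added example (not part of DACS). Reproduces the per-user directory rules
# from the dacscred(1) DESCRIPTION: selection order and permission check.

# Usage: dacs_user_dir [dir]
# Prints the directory DACS would use: the explicit -dd directory if given,
# else $DACSDIR if set, else ~/.dacs.
dacs_user_dir() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"           # explicit -dd directory wins
    elif [ -n "$DACSDIR" ]; then
        printf '%s\n' "$DACSDIR"     # then the environment variable
    else
        printf '%s\n' "$HOME/.dacs"  # otherwise ~/.dacs
    fi
}

# Usage: dacs_dir_ok dir
# Returns 0 only if dir exists, is owned by the calling user, and grants no
# permissions at all to group or other (mode 0700 or stricter), which is
# the condition DACS requires before it will use per-user information.
dacs_dir_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # Ownership: compare the numeric uid from "ls -ldn" with our own uid.
    # (-n is POSIX and avoids name lookups that could differ across systems.)
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || {
        echo "not owned by uid $(id -u) (owner uid $owner): $dir" >&2
        return 1
    }

    # Permissions: columns 5-10 of the mode string are the group and other
    # bits, e.g. "drwx------" -> "------", "drwxr-x---" -> "r-x---".
    mode=$(ls -ld "$dir" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *) echo "group/other access permitted on $dir (bits: $mode)" >&2
           return 1 ;;
    esac
}
```

A wrapper script would call dacs_dir_ok "$(dacs_user_dir "$explicit_dir")" before invoking dacscred, so a cache directory that was copied with loose permissions is reported clearly instead of producing a refusal deep inside the tool.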
The contents of the cache file are encrypted. A password must be provided when the cache is created and before each subsequent access. Currently, AES-128-CFB is used along with a SHA-1-based HMAC[1].
Security
A jurisdiction may reject credentials that are used from an IP address that does not match the IP address from which the credentials were initially requested (see the VERIFY_IP configuration directive). This means that if a cache is moved to a different host, the credentials may be treated as invalid if they are used from that host.
OPTIONS
The following command line flags are common to all operations:
-dd directory
    Use directory as the DACS per-user directory (see DESCRIPTION for how the directory is chosen when this flag is absent).
-ll log_level
    Set the logging level to log_level.
-v
--version
    Print the version number and exit.
The op argument specifies the operation to be performed. The following operations are available:
If authentication is successful and the -s flag is not given, the (username, auth-URL) pair will be recorded; subsequent invocations of the command can omit the auth-URL argument if it is unchanged. If the -p flag is given, the user is prompted for a password to pass to dacs_authenticate; if -pf is given instead, the password is read from file (standard input is read if file is "-"). If aux is given, it is used as the value of the AUXILIARY argument to dacs_authenticate. The -caf flag identifies file as a file of CA certificates in PEM format, and the -ccf flag identifies file as a file of client certificates in PEM format; see sslclient(1)[5].
New credentials replace old credentials in the cache. Credentials and authentication mappings in the cache are not automatically managed, so the cache may contain credentials that have expired.
The following example prompts the user for a password before trying to authenticate as DSS:smith:
% dacscred auth -p DSS:smith \
    https://dss.example.com/cgi-bin/dacs/dacs_authenticate
The following example might be used within a script to test if $passwd is the correct password for DSS:smith:
% echo $passwd | dacscred auth -s -pf - DSS:smith \
    https://dss.example.com/cgi-bin/dacs/dacs_authenticate
The exit status will be 0 only if the password is correct.
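The scripted form above is usually wrapped in a function so that the exit status can be tested directly. The following is an added example, not code from the DACS distribution: it runs the "dacscred auth -s -pf -" form shown above and returns its exit status, so the caller sees 0 only when the password is correct. The function name dacs_check_password, the DACS_PASSWD variable that carries the password, and the DACSCRED_BIN override (defaulting to dacscred) are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not part of DACS): a script-friendly wrapper around
#   dacscred auth -s -pf - username auth-URL
# Assumptions: the password is supplied in $DACS_PASSWD; $DACSCRED_BIN names
# the dacscred executable (default: "dacscred" found on PATH).

# Usage: dacs_check_password username auth-URL
# Returns dacscred's exit status: 0 only if the password is correct,
# 1 if authentication fails or an error occurs, 2 on a usage mistake.
dacs_check_password() {
    user=$1
    url=$2
    if [ -z "$user" ] || [ -z "$url" ]; then
        echo "usage: dacs_check_password username auth-URL" >&2
        return 2
    fi
    # The password is handed over on standard input (-pf -), so it never
    # appears in the process argument list, which other local users can read.
    # printf '%s\n' is used instead of "echo $passwd": no word splitting,
    # and no echo interpretation of backslashes or a leading "-n".
    printf '%s\n' "$DACS_PASSWD" |
        "${DACSCRED_BIN:-dacscred}" auth -s -pf - "$user" "$url" >/dev/null 2>&1
}

# Example call (commented out so the file can be sourced without dacscred):
# DACS_PASSWD="$passwd" dacs_check_password DSS:smith \
#     https://dss.example.com/cgi-bin/dacs/dacs_authenticate && echo ok
```

With -s the (username, auth-URL) pair is not recorded, so a password check does not alter the stored authentication mapping; drop -s only when the script is meant to establish the mapping for later invocations.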
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
BUGS
This command only supplies partial support for interacting with dacs_authenticate.
SEE ALSO
dacs_authenticate(8)[3]
AUTHOR
Distributed Systems Software (www.dss.ca[7])
COPYING
Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[8] file that accompanies the distribution for licensing information.
NOTES
1. HMAC
2. dacs(1)
3. dacs_authenticate
4. dacs(1)
5. sslclient(1)
6. regex(3)
7. www.dss.ca
8. LICENSE
02/19/2019                          DACS 1.4.40