DACSAUTH(1) | DACS Commands Manual | DACSAUTH(1) |
NAME¶
dacsauth - authentication checkSYNOPSIS¶
dacsauth
[ -m auth-module-spec] [...]
[-r roles-module-spec] [...]
[-Ddirective =value] [-aux]
[ -fj jurname] [-fn fedname]
[ -h | -help] [-id]
[-ll log_level] [
-p password]
[ -pf file] [-prompt] [-q]
[{-u | -user} username] [-v]
dacsauth-modules
DESCRIPTION¶
This program is part of the DACS suite. The dacsauth utility tests whether given authentication material satisfies authentication requirements and indicates the outcome through the process's exit status. It is similar to dacs_authenticate(8)[1] and dacscred(1)[2]. dacsauth provides a way for scripts and other programs to leverage the DACS authentication infrastructure. They might use successful authentication as a coarse form of authorization; only a user that provides a correct password might be allowed to run the program, for instance. Or they might return some type of credentials after successful authentication, or perhaps use dacs_auth_agent(8)[3] to return DACS credentials. dacsauth can also be used to retrieve role information associated with a given user. dacsauth does not read any DACS configuration files. Everything needed to perform the test must be specified as an argument.OPTIONS¶
The following command line flags are recognized. At least one -m flag (to perform authentication testing), or at least one -r flag must be specified (to form a role descriptor string for the identity and print it to stdout). A combination of both flags is allowed, in which case a role descriptor string is output only if the authentication test is successful. -Ddirective=valueThis is equivalent to setting
directive, a general DACS configuration directive, to
value. See dacs.conf(5)[4].
-aux
The next string provided by the -p,
-pf, or -prompt flag will be the value of the AUXILIARY
authentication argument. This provides a secure way to pass sensitive
auxiliary information, such as a PIN, to the program. A flag to obtain the
password, if any, must precede this flag on the command line.
-fj jurname
Use jurname, which must be
syntactically valid, as the jurisdiction name. If required but not provided, a
value derived from the host's domain name will be used.
-fn fedname
Use fedname, which must be
syntactically valid, as the federation name. If required but not provided, a
value derived from the host's domain name will be used.
-h
Display a help message and exit.
-id
If successful, print the authenticated
DACS identity to the standard output.
-ll log_level
Set the debugging output level to
log_level (see dacs(1)[5]). The default level is warn.
-m auth-module-spec
Each type of authentication test that is
required is described by an auth-module-spec that immediately follows
the -m flag. Each auth-module-spec is essentially an alternate
representation of an Auth clause[6] and its directives, which are used
by dacs_authenticate(8)[1]. Just as the order in which Auth clauses
appear in a DACS configuration file, the order in which the -m
flags appear may be significant, depending on the control keywords.
During processing, successive -m components are automatically assigned
names, auth_module_1, auth_module_2, and so on, mainly for error reporting
purposes.
An auth-module-spec has the following syntax:
The module begins with either the name of a built-in module, or a valid
abbreviation thereof, or the (absolute) URL of an external authentication
module (equivalent to the URL[7] directive). Next must appear a
recognized authentication style keyword specifier (equivalent to the
STYLE[8] directive). Next, the control keyword follows, which is
identical to the CONTROL[9] directive in the Auth clause. After the
control keyword, the flags described below may follow, in any order.
An auth-module-spec ends when the first invalid flag (or the end of
flags) is encountered.
The -O flag is equivalent to an OPTION[10] directive.
The -Of flag is followed by an argument that is the name of a file from
which to read options, one per line, in the format name=value.
Blank lines and lines beginning with a '#' are ignored; note that these lines
do not begin with "-O" and quotes are simply copied and not
interpreted. The -Of flag can be used to avoid putting passwords on the
command line and makes it easier to write expressions that would otherwise
have to be carefully escaped to prevent interpretation by the shell, for
example.
The -expr flag is equivalent to the EXPR[11] directive. The
-vfs flag is used to configure VFS[12] directives required by
this module.
-modules
Display a list of built-in authentication
modules and roles modules, one per line, and then exit. The canonical module
name is printed, followed by zero or more equivalent abbreviations. For
authentication modules, the authentication style is shown. To list the
available modules, run the command:
The set of available (enabled) built-in authentication and roles modules is
determined when DACS is built.
-p password
% dacsauth -modules
Specify the password to use (equivalent to the
PASSWORD argument to dacs_authenticate).
Security
A password given on the command line may be visible to other users on the same
system.
-pf file
Read the password to use from file
(equivalent to the PASSWORD argument to dacs_authenticate). If
file is "-", then the password is read from the standard
input without prompting.
-prompt
Prompt for the password and read it from stdin
(equivalent to the PASSWORD argument to dacs_authenticate). The
password is not echoed.
-q
Be more quiet by reducing the debugging output
level.
-r role-module-spec
Roles for username can be determined by
giving this flag, which is immediately followed by a roles-module-spec.
The -r flag may be repeated, and the resulting roles are combined. Each
roles-module-spec is essentially an alternate representation of a Roles
clause that is used by dacs_authenticate(8)[13]. Successive -r
components are assigned names, roles_module_1, roles_module_2, and so on,
mainly for error reporting purposes.
A roles-module-spec has the following syntax:
-u username
The
module component is equivalent to the Roles clause's URL[14]
directive and is either the name of an available built-in roles module, a
valid abbreviation thereof, or the (absolute) URL of an external roles module.
Flags may follow the module component, in any order. A
roles-module-spec ends when the first invalid flag (or the end of
flags) is encountered.
The -O flag is equivalent to an OPTION[10] directive.
The -Of flag is followed by an argument that is the name of a file from
which to read options, one per line, in the format name=value.
Blank lines and lines beginning with a '#' are ignored; note that these lines
do not begin with "-O" and quotes are simply copied and not
interpreted. The -Of flag can be used to avoid putting passwords on the
command line and makes it easier to write expressions that would otherwise
have to be carefully escaped to prevent interpretation by the shell, for
example.
The -expr flag is equivalent to the EXPR[11] directive. The
-vfs flag is used to configure VFS[12] directives required by
module.
The username to authenticate against
(equivalent to the USERNAME argument to dacs_authenticate). This
username is implicitly associated with the effective federation and
jurisdiction (see the -fn[15] and -fj[16] flags).
-v
The -v flag bumps the debugging output
level to debug or (if repeated) trace.
EXAMPLES¶
% dacsauth -m passwd passwd required -vfs "[passwds]dacs-kwv-fs:/usr/local/dacs/conf/passwd" -q -u bobo -p test
% dacsauth -m unix passwd required -u bobo -prompt
% dacsauth -m ntlm passwd suff -OSAMBA_SERVER="winders.example.com" -prompt -u bobo
% dacsauth -m https://example.example.com/cgi-bin/dacs/local_ntlm_authenticate \ passwd sufficient -OSAMBA_SERVER="winders.example.com" \ -fn EXAMPLE -fj FEDROOT -u bobo -pf mypass \ -DVFS="[federation_keys]dacs-fs:/usr/local/dacs/federations/example/federation_keys"
% dacsauth -m http passwd suff \ -OAUTH_URL="https://www.google.com/accounts/ClientLogin" \ -OUSERNAME_PARAMETER=Email -OPASSWORD_PARAMETER=Passwd \ -Oservice=xapi -Osource=DSS-DACS-1.4 -prompt -u nobody@gmail.com
% dacsauth -m expr expr suffi \ -expr '${Args::PASSWORD} eq "foo" ? ${Args::USERNAME} : ""' -user bobo -prompt
% echo "test" | dacsauth -m apache digest sufficient \ -OAUTH_MODULE=mod_auth_digest \ -OAUTH_FILE=/usr/local/apache2/conf/passwords.digest \ -OAUTH_REALM="DACS Digest Auth Area" \ -u bobo -pf -
% dacsauth -m pam prompted suffic \ -vfs "[federation_keys]dacs-fs:/usr/local/dacs/federations/dss/federation_keys" \ -OPAMD_HOST=localhost -OPAMD_PORT=dacs-pamd -fj EXAMPLE -fn TEST AUTH_PROMPT_VAR1="Login:" AUTH_TRANSID="10.0.0.124:57849:85748:9997c5588a6239e3" % dacsauth -m pam prompted suffic \ -vfs "[federation_keys]dacs-fs:/usr/local/dacs/federations/dss/federation_keys" \ -OAUTH_PROMPT_VAR1="bobo" \ -OAUTH_TRANSID="10.0.0.124:57849:85748:9997c5588a6239e3"-fj EXAMPLE -fn TEST AUTH_PROMPT_VAR2="Password:" AUTH_TRANSID="10.0.0.124:52188:88417:5ffb0015f21ea546" % dacsauth -m pam prompted suffic \ -vfs "[federation_keys]dacs-fs:/usr/local/dacs/federations/dss/federation_keys" \ -OAUTH_PROMPT_VAR2="apassword" \ -OAUTH_TRANSID="10.0.0.124:57849:85748:9997c5588a6239e3"-fj EXAMPLE -fn TEST
% dacsauth -r unix -u bobo bobo,wheel,www,users
% dacsauth -r https://example.example.com/cgi-bin/dacs/local_unix_roles \ -DVFS="[federation_keys]dacs-fs:/usr/local/dacs/federations/federation_keys" \ -fn EXAMPLE -u bobo bobo,wheel,www,users
% dacsauth -r https://example.example.com/cgi-bin/dacs/local_ldap_roles \ -Of /usr/local/dacs/ldap_roles_options_direct -u "Bobo Baggins" \ -DVFS="[federation_keys]dacs-fs:/usr/local/dacs/federations/federation_keys" \ -fn EXAMPLE -fj FEDROOT -prompt DnsAdmins,Print_Operators,Domain_Admins,Administrators
LDAP_BIND_METHOD=direct LDAP_ADMIN_URL*="ldap://winders.example.com/CN=" . encode(url,${Args::DACS_USERNAME}) . ",CN=Users,DC=example,DC=com" LDAP_ROLES_SELECTOR*="${LDAP::attrname}" eq "memberOf" ? strtr(ldap(rdn_attrvalue, \ ldap(dn_index, "${LDAP::attrvalue}", 1)), " ", "_") : ""
% dacsauth -r https://example.example.com/cgi-bin/dacs/local_ldap_roles \ -Of /usr/local/dacs/ldap_roles_options_indirect -u bobo \ -DVFS="[federation_keys]dacs-fs:/usr/local/dacs/federations/federation_keys" \ -fn EXAMPLE -fj FEDROOT -p bobospassword DnsAdmins,Print_Operators,Domain_Admins,Administrators
LDAP_BIND_METHOD=indirect LDAP_ADMIN_URL=ldap://winders.example.com/CN=Administrator,CN=Users,DC=example,DC=com # Search under Users... LDAP_SEARCH_ROOT_DN=CN=Users,DC=example,DC=com LDAP_ADMIN_PASSWORD=theSecretAdminPassword LDAP_SEARCH_FILTER*="(sAMAccountName=${Args::DACS_USERNAME})" LDAP_ROLES_SELECTOR*="${LDAP::attrname}" eq "memberOf" ? strtr(ldap(rdn_attrvalue, \ ldap(dn_index, "${LDAP::attrvalue}", 1)), " ", "_") : ""
DIAGNOSTICS¶
The program exits 0 if authentication was successful or with 1 if authentication failed or an error occurred.BUGS¶
This command only supplies partial support for interacting with dacs_authenticate. It may not be possible for an authentication module to return role information, as can be done by dacs_authenticate. It would be better if the -m flag were instead -a (for "authenticate").SEE ALSO¶
AUTHOR¶
Distributed Systems Software ( www.dss.ca[25])COPYING¶
Copyright2003-2012 Distributed Systems Software. See the LICENSE[26] file that accompanies the distribution for licensing information.NOTES¶
- 2.
- dacscred(1)
- 4.
- dacs.conf(5)
- 5.
- dacs(1)
- 6.
- Auth clause
- 7.
- URL
- 8.
- STYLE
- 9.
- CONTROL
- 10.
- OPTION
- 11.
- EXPR
- 12.
- VFS
- 14.
- URL
- 15.
- -fn
- 16.
- -fj
- 17.
- 19.
- pamd(8)
- 20.
- local_unix_roles
- 21.
- local_roles
- 22.
- local_ldap_roles
- 23.
- role string
- 24.
- dacs.exprs(5)
- 25.
- www.dss.ca
- 26.
- LICENSE
10/22/2012 | DACS 1.4.27b |