/usr/share/doc/dacs-examples/man/dacscred.1.html is in dacs-examples 1.4.38a-2build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 | <!-- Copyright (c) 2003-2013 -->
<!-- Distributed Systems Software. All rights reserved. -->
<!-- See the file LICENSE for redistribution information. -->
<!-- $Id: copyright-html 2625 2013-01-22 18:15:12Z brachman $ -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>dacscred</title><link rel="stylesheet" type="text/css" href="css/dacsdocs.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div id="refentry" class="para16">
<script language="javascript" type="text/javascript" src="css/js/fontselector.js"></script>
<table width="100%"><tr>
<td align="left">
<b>DACSCRED(1)</b></td>
<td align="center">
<b>DACS Tools and Utilities</b></td>
<td align="right">
<b>DACSCRED(1)</b></td>
</tr></table>
<div class="refnamediv"><h2>NAME</h2><p>dacscred — acquire and manage <span class="command"><strong>DACS</strong></span> credentials</p></div><div class="refsynopsisdiv"><h2>SYNOPSIS</h2><div class="cmdsynopsis"><p><code class="command">dacscred</code> [<code class="option">-dd <em class="replaceable"><code>dir</code></em></code>] [<code class="option">-ll <em class="replaceable"><code>log_level</code></em></code>] [<code class="option">-v</code>] <em class="replaceable"><code>op</code></em> [<em class="replaceable"><code>opargs</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">dacscred</code> <code class="option">--version</code> </p></div></div><div class="refsect1"><a name="idm30"></a><h2>DESCRIPTION</h2><p>This program is part of the <span class="command"><strong>DACS</strong></span> suite.</p><p>The <span class="command"><strong>dacscred</strong></span> utility supports simple
<span class="command"><strong>DACS</strong></span> authentication, optionally storing the returned
<span class="command"><strong>DACS</strong></span> identities securely for future use by
non-browser applications.
Basic maintenance operations are provided for this cache of credentials.
</p><p><span class="command"><strong>DACS</strong></span> per-user information, including the cache,
is kept within a directory that must be owned by the user.
Additionally, the directory must be accessible only by the user.
<span class="command"><strong>DACS</strong></span> will refuse to use any per-user information
if file permissions are inappropriate.
</p><p>If this directory is not specified on the command line,
the following is the default behaviour.
If an environment variable named
<code class="envar">DACSDIR</code> is available, its value is
used for the name of this directory; otherwise, <span class="command"><strong>DACS</strong></span>
will use a directory named <code class="filename">.dacs</code> in the user's
home directory.
</p><p>The contents of the cache file are encrypted.
A password must be provided when the cache is created and before each
subsequent access.
Currently, <code class="literal">AES-128-CFB</code> is used along with
a <code class="literal">SHA-1</code>-based
<a class="ulink" href="http://www.rfc-editor.org/rfc/rfc2104.txt" target="_top">HMAC</a>.
</p><div class="important" style="margin-left: 0.125in; margin-right: 0.125in;"><h3 class="title"><a name="security1"></a>Security</h3><p>A jurisdiction may reject credentials that are used from an
IP address that does not match the IP address from which the credentials
were initially requested (see the <span class="property">VERIFY_IP</span>
configuration directive).
This means that if a cache is moved to a different host,
the credentials may be treated as invalid if they are used from that host.
</p></div></div><div class="refsect1"><a name="idm53"></a><h2>OPTIONS</h2><p>The following command line flags are common to all operations:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-dd</code> <em class="replaceable"><code>directory</code></em></span></dt><dd><p>The <span class="command"><strong>DACS</strong></span> directory to use instead of
the default is
<em class="replaceable"><code>directory</code></em>.
</p></dd><dt><span class="term"><code class="option">-ll</code> <em class="replaceable"><code>log_level</code></em></span></dt><dd><p>Set the debugging output level to
<em class="replaceable"><code>log_level</code></em>
(see <a class="ulink" href="dacs.1.html" target="_top">dacs(1)</a>).
The default level is <code class="literal">warn</code>.
</p></dd><dt><span class="term"><code class="option">-v</code></span></dt><dd><p>The <code class="option">-v</code> flag
bumps the debugging output level to <code class="literal">debug</code>
or (if repeated) <code class="literal">trace</code>.
</p></dd><dt><span class="term"><code class="option">--version</code></span></dt><dd><p>Display the program's version information and then exit.
</p></dd></dl></div><p>
</p><p>The <em class="replaceable"><code>op</code></em> argument specifies the
operation to be performed.
The following operations are available:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><div class="cmdsynopsis"><p><code class="literal">auth</code> [[<code class="option">-p</code>] | [<code class="option">-pf</code> <em class="replaceable"><code>file</code></em>]] [<code class="option">-ccf</code> <em class="replaceable"><code>file</code></em>] [<code class="option">-caf</code> <em class="replaceable"><code>file</code></em>] [<code class="option">-aux</code> <em class="replaceable"><code>aux</code></em>] [<code class="option">-s</code>] <em class="replaceable"><code>username</code></em> [<em class="replaceable"><code>auth-URL</code></em>]</p></div>
</span></dt><dd><p>
Try to authenticate as <em class="replaceable"><code>username</code></em>
by invoking
<a class="ulink" href="dacs_authenticate.8.html" target="_top">dacs_authenticate</a>
at the URL <em class="replaceable"><code>auth-URL</code></em>.
<em class="replaceable"><code>username</code></em> has the syntax
[[<em class="replaceable"><code>federation</code></em>]::]<em class="replaceable"><code>jurisdiction</code></em>:<em class="replaceable"><code>username</code></em>
(the jurisdiction component of the name must be provided;
see <a class="ulink" href="dacs.1.html#naming" target="_top">dacs(1)</a>).
An SSL/TLS connection is always used for this purpose.
</p><p>If authentication is successful and the <code class="option">-s</code> flag is not
given, the
(<em class="replaceable"><code>username</code></em>, <em class="replaceable"><code>auth-URL</code></em>)
pair will be recorded; subsequent invocations of the command can omit
the <em class="replaceable"><code>auth-URL</code></em> argument if it is unchanged.
If the <code class="option">-p</code> flag is given, the user is prompted for
a password to pass to <span class="command"><strong>dacs_authenticate</strong></span>; if
<code class="option">-pf</code> is given instead, a password is read from
<em class="replaceable"><code>file</code></em> (<span class="symbol">stdin</span> is read
if <em class="replaceable"><code>file</code></em> is "<code class="literal">-</code>").
If <em class="replaceable"><code>aux</code></em> is given, it is used as the value of
the <em class="parameter"><code>AUXILIARY</code></em> argument to
<span class="command"><strong>dacs_authenticate</strong></span>.
The <code class="option">-caf</code> (<code class="option">-ccf</code>) flag identifies
<em class="replaceable"><code>file</code></em>
as a file of CA certificates (client certificates)
in PEM format, respectively;
see
<a class="ulink" href="sslclient.1.html" target="_top">sslclient(1)</a>.
</p><p>New credentials replace old credentials in the cache.
Credentials and authentication mappings in the cache are not automatically
managed, so the cache may contain credentials that have expired.
</p><p>The following example prompts the user for a password before
trying to authenticate as <code class="literal">DSS:smith</code>:
</p><pre class="programlisting">
% dacscred auth -p DSS:smith \
https://dss.example.com/cgi-bin/dacs/dacs_authenticate
</pre><p>
</p><p>The following example might be used within a script to
test if <code class="literal">$passwd</code> is the correct password for
<code class="literal">DSS:smith</code>:
</p><pre class="programlisting">
% echo $passwd | dacscred auth -s -pf - DSS:smith \
https://dss.example.com/cgi-bin/dacs/dacs_authenticate
</pre><p>
The exit status will be <code class="literal">0</code> only if the password
is correct.
</p></dd><dt><span class="term"><div class="cmdsynopsis"><p><code class="literal">delete</code> <em class="replaceable"><code>regex</code></em>... </p></div></span></dt><dd><p>Delete all credentials with a name that matches a
regular expression
(see
<a class="ulink" href="http://www.freebsd.org/cgi/man.cgi?query=regex&apropos=0&sektion=3&manpath=FreeBSD+10.1-RELEASE&format=html" target="_top">regex(3)</a>).
</p></dd><dt><span class="term"><div class="cmdsynopsis"><p><code class="literal">get</code> [<em class="replaceable"><code>url</code></em>]</p></div></span></dt><dd><p>Print all credentials to <span class="symbol">stdout</span>
that should be sent along with a service request to the given URL.
If no URL is given, print all credentials in the cache.
Note that these credentials represent <span class="command"><strong>DACS</strong></span> identities
and should be kept secret.
</p></dd><dt><span class="term"><div class="cmdsynopsis"><p><code class="literal">list</code> [ <code class="literal">auth</code> | <code class="literal">cred</code> ] [<em class="replaceable"><code>regex</code></em>]</p></div></span></dt><dd><p>List the names of all credentials in the cache, by default.
This is equivalent to providing the <code class="literal">cred</code> argument.
If the <code class="literal">auth</code> argument is given, a list
of identities and the <em class="replaceable"><code>auth-URL</code></em> arguments that
were used to authenticate those identities is displayed.
If a <em class="replaceable"><code>regex</code></em> is given, the list is limited to
those identities matched by it (<code class="literal">cred</code> behaviour)
or those
"<em class="replaceable"><code>username</code></em> <em class="replaceable"><code>auth-URL</code></em>"
strings that match it (<code class="literal">auth</code> behaviour).
</p></dd><dt><span class="term"><div class="cmdsynopsis"><p><code class="literal">passwd</code></p></div></span></dt><dd><p>Change the password that protects the cache.
The current password must first be provided.
</p></dd></dl></div></div><div class="refsect1"><a name="idm199"></a><h2>DIAGNOSTICS</h2><p>The program exits <code class="literal">0</code> if everything was fine,
<code class="literal">1</code> if an error occurred.
</p></div><div class="refsect1"><a name="idm204"></a><h2>BUGS</h2><p>This command only supplies partial support for interacting with
<span class="command"><strong>dacs_authenticate</strong></span>.
</p></div><div class="refsect1"><a name="idm208"></a><h2>SEE ALSO</h2><p><a class="ulink" href="dacs_authenticate.8.html" target="_top">dacs_authenticate(8)</a>
</p></div><div class="refsect1"><a name="idm212"></a><h2>AUTHOR</h2><p>Distributed Systems Software
(<a class="ulink" href="http://www.dss.ca" target="_top">www.dss.ca</a>)
</p></div><div class="refsect1"><a name="idm216"></a><h2>COPYING</h2><p>Copyright 2003-2014 Distributed Systems Software.
See the
<a class="ulink" href="../misc/LICENSE" target="_top"><code class="filename">LICENSE</code></a>
file that accompanies the distribution
for licensing information.
</p></div>
<!-- Generated from $Id: dacscred.1.xml 2813 2015-07-22 21:48:24Z brachman $ -->
<table width="100%"><tr>
<td align="left">
<b>DACS Version 1.4.38a</b></td>
<td align="center">
<b> 5-Feb-2018</b></td>
<td align="right">
<b>DACSCRED(1)</b></td>
</tr></table>
<hr><p>
<!-- Begin font size selector -->
<table width="100%"><tr><td align="left">
<span class="set_font"><a href="index.html" title="Table of Contents">Table of Contents</a></span></td>
<td align="center"><span class="logo"><a href="http://www.dss.ca"><img src="/css/images/dss-long-14y.png" title="Distributed Systems Software, Inc."></a></span></td>
<td width="5%" align="right">
<div class="fontsize_label" title="Font size selector">Font:</div>
</td>
<td width="10%" align="left">
<!-- NB: must set both left margin and padding to work in all browsers-->
<!-- The onFocus code eliminates annoying post-click decoration -->
<ul id="fontsizecontainer" class="size02">
<li><a href="javascript:setFont('0');" onFocus="if(this.blur)this.blur()" title="Smallest text size [0]"><span>Z</span></a></li>
<li><a href="javascript:setFont('1');" onFocus="if(this.blur)this.blur()" title="Medium text size [1]"><span>Z</span></a></li>
<li><a href="JavaScript:setFont('2');" onFocus="if(this.blur)this.blur()" title="Large text size [2]"><span>Z</span></a></li>
<li><a href="JavaScript:setFont('3');" onFocus="if(this.blur)this.blur()" title="Largest text size [3]"><span>Z</span></a></li>
</ul>
</td>
<td width="3%" align="center">
<span class="set_font"><a href="javascript:setFont('-');" onFocus="if(this.blur)this.blur()" title="Decrease current font size">−−</a></span>
</td>
<td width="3%" align="center">
<span class="set_font"><a href="javascript:setFontConfig();" onFocus="if(this.blur)this.blur()" title="Remember current font size">Set</a></span>
</td>
<td width="3%" align="center">
<span class="set_font"><a href="javascript:setFont('+');" onFocus="if(this.blur)this.blur()" title="Increase current font size">++</a></span>
</td></tr></table>
<!-- End font size selector -->
<script language="javascript" type="text/javascript">
doFontConfig();</script>
</p><small><p><b> $Id: dacscred.1.xml 2813 2015-07-22 21:48:24Z brachman $</b></p></small>
</div></body></html>
|