|DACSCRED(1)||DACS Tools and Utilities||DACSCRED(1)|
dacscred — acquire and manage DACS credentials
-dd ] [
-ll ] [
This program is part of the DACS suite.
The dacscred utility supports simple DACS authentication, optionally storing the returned DACS identities securely for future use by non-browser applications. Basic maintenance operations are provided for this cache of credentials.
DACS per-user information, including the cache, is kept within a directory that must be owned by the user. Additionally, the directory must be accessible only by the user. DACS will refuse to use any per-user information if file permissions are inappropriate.
If this directory is not specified on the command line,
the following is the default behaviour.
If an environment variable named
DACSDIR is available, its value is
used for the name of this directory; otherwise, DACS
will use a directory named
.dacs in the user's
The contents of the cache file are encrypted.
A password must be provided when the cache is created and before each
AES-128-CFB is used along with
A jurisdiction may reject credentials that are used from an IP address that does not match the IP address from which the credentials were initially requested (see the VERIFY_IP configuration directive). This means that if a cache is moved to a different host, the credentials may be treated as invalid if they are used from that host.
The following command line flags are common to all operations:
The DACS directory to use instead of
the default is
Set the debugging output level to
The default level is
bumps the debugging output level to
or (if repeated)
op argument specifies the
operation to be performed.
The following operations are available:
-p] | [
Try to authenticate as
at the URL
username has the syntax
(the jurisdiction component of the name must be provided;
An SSL connection is always used for this purpose.
If authentication is successful and the
-s flag is not
pair will be recorded; subsequent invocations of the command can omit
auth-URL argument if it is unchanged.
-p flag is given, the user is prompted for
a password to pass to dacs_authenticate; if
-pf is given instead, a password is read from
file (stdin is read
file is "
aux is given, it is used as the value of
AUXILIARY argument to
-ccf) flag identifies
as a file of CA certificates (client certificates)
in PEM format, respectively;
New credentials replace old credentials in the cache. Credentials and authentication mappings in the cache are not automatically managed, so the cache may contain credentials that have expired.
The following example prompts the user for a password before
trying to authenticate as
% dacscred auth -p DSS:smith \ https://dss.example.com/cgi-bin/dacs/dacs_authenticate
The following example might be used within a script to
$passwd is the correct password for
% echo $passwd | dacscred auth -s -pf - DSS:smith \ https://dss.example.com/cgi-bin/dacs/dacs_authenticate
The exit status will be
0 only if the password
Delete all credentials with a name that matches a regular expression (see regex(3)).
Print all credentials to stdout that should be sent along with a service request to the given URL. If no URL is given, print all credentials in the cache. Note that these credentials represent DACS identities and should be kept secret.
cred ] [
List the names of all credentials in the cache, by default.
This is equivalent to providing the
auth argument is given, a list
of identities and the
auth-URL arguments that
were used to authenticate those identities is displayed.
regex is given, the list is limited to
those identities matched by it (
strings that match it (
Change the password that protects the cache. The current password must first be provided.
Distributed Systems Software (www.dss.ca)
Copyright © 2003-2013 Distributed Systems Software.
file that accompanies the distribution
for licensing information.
|DACS Version 1.4.28b||1-Mar-2013||DACSCRED(1)|
|Table of Contents||
$Id: dacscred.1.xml 2625 2013-01-22 18:15:12Z brachman $