| DACSCOOKIE(1) | DACS Tools and Utilities | DACSCOOKIE(1) |
NAME
dacscookie — create DACS credentials and emit as a cookie
SYNOPSIS
dacscookie [dacsoptions] [-create] [-i ident] [-user user] [-ip ipaddr]
[-role role_str] [-expires date] [-ua str]dacscookie [dacsoptions] -decrypt [-concise]
DESCRIPTION
This program is part of the DACS suite.
The dacscookie utility
constructs DACS credentials
that represent a single DACS identity and emits them
as the
NAME=VALUE
Configured or derived defaults are used if optional identity information is not provided.
Security
Only the DACS administrator should be able to successfully run this program. Because DACS keys and configuration files must be limited to the administrator, this will normally be the case, but a careful administrator will set file permissions to deny access to all other users, or even delete the binary.
Similarly, access to cookies generated by this program must be carefully controlled. Any jurisdiction within the same federation in which the credentials were created will be able to directly decrypt the credentials.
OPTIONS
dacscookie recognizes these options for cookie creation:
-createCreate the specified credentials and emit them to the standard output as the
NAME=VALUE-expiresdateSet the expiry date for the cookie. If
datebegins with '+' and is followed by a digit string, the expiry date will be that number of seconds relative to the current time. Otherwise, the date is expected to be in one of the recognized formats (see concise syntax). If not provided, the configured default value, AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS, will be used.-iidentThe identity (
ident) is given in the concise syntax. Note that any elements that are explicitly given will override those that appear inident.-ipipaddrUse
ipaddras the user's IP address (in standard dot notation). If not provided, this element will be obtained from any-iflag or else omitted from the credentials.-rolerole_strUse
role_stras the user's role string, which must be syntactically correct. If not provided, this element will be obtained from any-iflag or else omitted from the credentials.-uastrUse
stras the user agent string associated with the credentials. If no string is specified, the credentials cannot be verified against a user agent string. See dacs.conf(5).-usernameUse
name, a syntactically correct username, within the applicable jurisdiction. If not provided, this element must be specified using the-iflag.
dacscookie recognizes these options for cookie decryption:
-decryptInstead of creating credentials, read a cookie from the standard input and print its decoded contents to the standard output. If the input is invalid in any way, a message is displayed.
-conciseWith the
-decryptflag, only print the identity in the concise user syntax.
EXAMPLES
The following will generate an identity and store it in a file:
% dacscookie -u j1.example.com -user bobo > cookie.out % chmod 0600 cookie.out
The following will display various elements of the credentials to stdout:
% dacscookie -u j1.example.com -decrypt < cookie.out % rm cookie.out
SEE ALSO
dacs_auth_agent(8), dacs_auth_transfer(8), dacs_authenticate(8), dacsauth(1), dacscred(1), dacs_current_credentials(8).
COPYING
Copyright © 2003-2018 Distributed Systems Software.
See the
LICENSE
file that accompanies the distribution
for licensing information.
| DACS Version 1.4.52 | 24-Sep-2024 | DACSCOOKIE(1) |
| Table of Contents |  |
Font:
|
−− | Set | ++ |
$Id: dacscookie.1.xml 3016 2018-08-17 18:12:46Z brachman $