dacscred - acquire and manage DACS
dacscred [-dd dir] [-ll log_level] [-v] op
This program is part of the DACS suite. The utility supports simple DACS authentication, optionally storing the returned DACS identities securely for future use by non-browser applications. Basic maintenance operations are provided for this cache of credentials.
Per-user information, including the cache, is kept within a directory that must be owned by the user. Additionally, the directory must be accessible only by the user. DACS will refuse to use any per-user information if file permissions are inappropriate.

If this directory is not specified on the command line, the following is the default behaviour. If an environment variable named DACSDIR is available, its value is used for the name of this directory; otherwise, dacscred will use a directory named .dacs in the user's home directory.
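The ownership and permission requirement described above is something a deployment or provisioning script can verify before invoking dacscred, so that a refusal is caught early with a clear reason. The following POSIX shell functions are an added example and are not part of the dacscred man page or of the DACS distribution. They assume that "accessible only by the user" means no group or other permission bits are set (the exact test DACS applies may differ), and they resolve the directory the way the text describes: an explicit argument, then $DACSDIR, then $HOME/.dacs.

```shell
#!/bin/sh
# Added example (not DACS code): pre-check a DACS per-user directory.
# Assumption: "accessible only by the user" == no group/other mode bits.

# Resolve the directory as the man page describes: explicit argument,
# then the DACSDIR environment variable, then ~/.dacs.
dacs_dir() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$DACSDIR" ]; then
        printf '%s\n' "$DACSDIR"
    else
        printf '%s\n' "$HOME/.dacs"
    fi
}

# Print "<octal mode> <numeric owner uid>"; GNU stat first, then BSD stat.
dir_mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

# Return 0 if the directory looks usable by DACS, non-zero otherwise.
# Exit codes: 1 not a directory, 2 wrong owner, 3 group/other access.
check_dacs_dir() {
    dir=$(dacs_dir "$1")
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    set -- $(dir_mode_owner "$dir")
    mode=$1
    owner=$2
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir: owned by uid '$owner', not uid $(id -u)"
        return 2
    fi
    # Keep only the last two octal digits (group and other bits).
    go=$(printf '%s' "$mode" | sed 's/^[0-7]*\([0-7][0-7]\)$/\1/')
    if [ "$go" != "00" ]; then
        echo "$dir: mode $mode grants access to group or others"
        return 3
    fi
    echo "$dir: ok (mode $mode, owner uid $owner)"
    return 0
}

# Usage: sh check_dacs_dir.sh [directory]
if [ $# -gt 0 ]; then
    check_dacs_dir "$1"
fi
```

Run it with the same directory you would pass to dacscred's -dd flag (or with no argument to check the default). A non-zero exit with a printed reason means DACS would refuse to use the per-user information; fixing ownership or running chmod 700 on the directory resolves the usual causes.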
The contents of the cache file are encrypted. A password must be provided when the cache is created and before each subsequent access. Currently, AES-128-CFB is used along with a SHA-1-based HMAC.
A jurisdiction may reject credentials that are used from an IP address that does not match the IP address from which the credentials were initially requested (see the VERIFY_IP configuration directive). This means that if a cache is moved to a different host, the credentials may be treated as invalid if they are used from that host.
The following command line flags are common to all operations:

-dd directory
    The DACS directory to use instead of the default is directory.

-ll log_level
    Set the debugging output level to log_level (see dacs(1)). The default level is warn.

-v
    The -v flag bumps the debugging output level to debug or (if repeated) trace.

    Display the program's version information and
The op argument specifies the operation to be performed. The following operations are available:
auth
    Try to authenticate as username at the URL auth-URL. username has the syntax [[ (a component of the name must be provided; see dacs(1)). An SSL/TLS connection is always used for this purpose.

    If authentication is successful and the -s flag is not given, the (username, auth-URL) pair will be recorded; subsequent invocations of the command can omit the auth-URL argument if it is unchanged. If the -p flag is given, the user is prompted for a password to pass to dacs_authenticate; if -pf file is given instead, a password is read from file (stdin is read if file is "-"). If aux is given, it is used as the value of the argument to dacs_authenticate. The -caf file flag identifies file as a file of CA certificates (client certificates) in PEM format, respectively; see sslclient(1).
    New credentials replace old credentials in the cache. Credentials and authentication mappings in the cache are not automatically managed, so the cache may contain credentials that have expired.

    The following example prompts the user for a password before trying to authenticate as DSS:smith:

        % dacscred auth -p DSS:smith \

    The following example might be used within a script to test if $passwd is the correct password for DSS:smith:

        % echo $passwd | dacscred auth -s -pf - DSS:smith \

    The exit status will be 0 only if the password is correct.
    Delete all credentials with a name that matches a regular expression (see regex(3)).

    Print all credentials to stdout that should be sent along with a service request to the given URL. If no URL is given, print all credentials in the cache. Note that these credentials represent DACS identities and should be kept secret.

    List the names of all credentials in the cache, by default. This is equivalent to providing the cred argument. If the auth argument is given, a list of identities and the auth-URL arguments that were used to authenticate those identities is displayed. If a regex is given, the list is limited to those identities matched by it (cred behaviour) or those "username auth-URL" strings that match it (auth behaviour).

    Change the password that protects the cache. The current password must first be provided.
The program exits 0 if everything was fine, 1 if an error occurred.
This command only supplies partial support for interacting with

Distributed Systems Software (www.dss.ca)

Copyright 2003-2014 Distributed Systems Software. See the LICENSE that accompanies the distribution for licensing information.