Next: Protocol Clarifications, Previous: Acknowledgements, Up: Top
GNU SASL (gsasl) – Command line interface to libgsasl.
gsasl is the main program of GNU SASL.
This section only lists the commands and options available.
Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.
gsasl recognizes these commands:
-c, --client Act as client (the default).
--client-mechanisms Write name of supported client mechanisms
separated by space to stdout.
-s, --server Act as server.
--server-mechanisms Write name of supported server mechanisms
separated by space to stdout.
Normally the SASL negotiation is performed on the terminal, with reading from stdin and writing to stdout. It is also possible to perform the negotiation with a server over a TCP network connection.
--connect=HOSTNAME[:SERVICE]
Connect to TCP server and negotiate on stream
instead of stdin/stdout. SERVICE is the protocol
service, or an integer denoting the port, and
defaults to 143 (imap) if not specified. Also sets
the --hostname default.
These parameters affect overall behaviour.
-d, --application-data After authentication, read data from stdin and run
it through the mechanism's security layer and
print it base64 encoded to stdout. The default is
to terminate after authentication.
--imap Use a IMAP-like logon procedure (client only).
Also sets the --service default to "imap".
-m, --mechanism=STRING Mechanism to use.
--no-client-first Disallow client to send data first (client only).
These options modify the behaviour of the callbacks (see Callback Functions) in the library. The default is the query the user on the terminal.
-n, --anonymous-token=STRING Token for anonymous authentication, usually
mail address (ANONYMOUS only).
-a, --authentication-id=STRING Identity of credential owner.
-z, --authorization-id=STRING Identity to request service for.
--disable-cleartext-validate
Disable cleartext validate hook, forcing server to
prompt for password.
--enable-cram-md5-validate Validate CRAM-MD5 challenge and response
interactively.
--hostname=STRING Set the name of the server with the requested
service.
-p, --password=STRING Password for authentication (insecure for
non-testing purposes).
--passcode=NUMBER Passcode for authentication (SECURID only).
--quality-of-protection=<auth | auth-int | auth-conf>
How application payload will be protected. "auth"
means no protection, "auth-int" means integrity
protection, "auth-conf" means integrity and
confidentialiy protection. Currently only used by
DIGEST-MD5, where the default is "auth-conf".
-r, --realm=STRING Realm. Defaults to hostname.
--service=STRING Set the requested service name (should be a
registered GSSAPI host based service name).
--service-name=STRING Set the generic server name in case of a
replicated server (DIGEST-MD5 only).
-x, --maxbuf=NUMBER Indicate maximum buffer size (DIGEST-MD5 only).
--starttls Force use of STARTTLS. The default is to use
STARTTLS when available. (default=off)
--no-starttls Unconditionally disable STARTTLS.
(default=off)
--x509-ca-file=FILE File containing one or more X.509 Certificate
Authorities certificates in PEM format, used
to verify the certificate received from the
server. If not specified, no verification of
the remote server certificate will be done.
--x509-cert-file=FILE File containing client X.509 certificate in PEM
format. Used together with --x509-key-file
to specify the certificate/key pair.
--x509-key-file=FILE Private key for the client X.509 certificate in
PEM format. Used together with
--x509-key-file to specify the
certificate/key pair.
These are some standard parameters.
-q, --quiet, --silent Don't produce any diagnostic output.
-v, --verbose Produce verbose output.
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version