GNU SASL (gsasl) – Command line interface to libgsasl.
gsasl is the main program of GNU SASL.
This section only lists the commands and options available.
Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.
gsasl recognizes these commands:
-c, --client Act as client (the default). --client-mechanisms Write name of supported client mechanisms separated by space to stdout. -s, --server Act as server. --server-mechanisms Write name of supported server mechanisms separated by space to stdout.
Normally the SASL negotiation is performed on the terminal, with reading from stdin and writing to stdout. It is also possible to perform the negotiation with a server over a TCP network connection.
--connect=HOSTNAME[:SERVICE] Connect to TCP server and negotiate on stream instead of stdin/stdout. SERVICE is the protocol service, or an integer denoting the port, and defaults to 143 (imap) if not specified. Also sets the --hostname default.
These parameters affect overall behaviour.
-d, --application-data After authentication, read data from stdin and run it through the mechanism's security layer and print it base64 encoded to stdout. The default is to terminate after authentication. --imap Use a IMAP-like logon procedure (client only). Also sets the --service default to "imap". -m, --mechanism=STRING Mechanism to use. --no-client-first Disallow client to send data first (client only).
These options modify the behaviour of the callbacks (see Callback Functions) in the library. The default is to query the user on the terminal.
-n, --anonymous-token=STRING Token for anonymous authentication, usually mail address (ANONYMOUS only). -a, --authentication-id=STRING Identity of credential owner. -z, --authorization-id=STRING Identity to request service for. --disable-cleartext-validate Disable cleartext validate hook, forcing server to prompt for password. --enable-cram-md5-validate Validate CRAM-MD5 challenge and response interactively. --hostname=STRING Set the name of the server with the requested service. -p, --password=STRING Password for authentication (insecure for non-testing purposes). --passcode=NUMBER Passcode for authentication (SECURID only). --quality-of-protection=<qop-auth | qop-int | qop-conf> How application payload will be protected. "qop-auth" means no protection, "qop-int" means integrity protection, "qop-conf" means confidentiality. Currently only used by DIGEST-MD5, where the default is "qop-int". -r, --realm=STRING Realm. Defaults to hostname. --service=STRING Set the requested service name (should be a registered GSSAPI host based service name). --service-name=STRING Set the generic server name in case of a replicated server (DIGEST-MD5 only). -x, --maxbuf=NUMBER Indicate maximum buffer size (DIGEST-MD5 only).
--starttls Force use of STARTTLS. The default is to use STARTTLS when available. (default=off) --no-starttls Unconditionally disable STARTTLS. (default=off) --no-cb Don't set any channel bindings. (default=off) --x509-ca-file=FILE File containing one or more X.509 Certificate Authorities certificates in PEM format, used to verify the certificate received from the server. If not specified, no verification of the remote server certificate will be done. --x509-cert-file=FILE File containing client X.509 certificate in PEM format. Used together with --x509-key-file to specify the certificate/key pair. --x509-key-file=FILE Private key for the client X.509 certificate in PEM format. Used together with --x509-key-file to specify the certificate/key pair. --priority Cipher priority string.
These are some standard parameters.
-q, --quiet, --silent Don't produce any diagnostic output. -v, --verbose Produce verbose output. -?, --help Give this help list --usage Give a short usage message -V, --version Print program version