Next: , Previous: Acknowledgements, Up: Top

15 Invoking gsasl


GNU SASL (gsasl) – Command line interface to libgsasl.


gsasl is the main program of GNU SASL.

This section only lists the commands and options available.

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.


gsasl recognizes these commands:

  -c, --client               Act as client (the default).
      --client-mechanisms    Write name of supported client mechanisms
                             separated by space to stdout.
  -s, --server               Act as server.
      --server-mechanisms    Write name of supported server mechanisms
                             separated by space to stdout.

Network Options

Normally the SASL negotiation is performed on the terminal, with reading from stdin and writing to stdout. It is also possible to perform the negotiation with a server over a TCP network connection.

                             Connect to TCP server and negotiate on stream
                             instead of stdin/stdout. SERVICE is the protocol
                             service, or an integer denoting the port, and
                             defaults to 143 (imap) if not specified. Also sets
                             the --hostname default.

Miscellaneous Options:

These parameters affect overall behaviour.

  -d, --application-data     After authentication, read data from stdin and run
                             it through the mechanism's security layer and
                             print it base64 encoded to stdout. The default is
                             to terminate after authentication.
      --imap                 Use a IMAP-like logon procedure (client only).
                             Also sets the --service default to "imap".
  -m, --mechanism=STRING     Mechanism to use.
      --no-client-first      Disallow client to send data first (client only).

SASL Mechanism Options

These options modify the behaviour of the callbacks (see Callback Functions) in the library. The default is to query the user on the terminal.

  -n, --anonymous-token=STRING    Token for anonymous authentication, usually
                                  mail address (ANONYMOUS only).
  -a, --authentication-id=STRING  Identity of credential owner.
  -z, --authorization-id=STRING   Identity to request service for.
                             Disable cleartext validate hook, forcing server to
                             prompt for password.
      --enable-cram-md5-validate  Validate CRAM-MD5 challenge and response
      --hostname=STRING      Set the name of the server with the requested
  -p, --password=STRING      Password for authentication (insecure for
                             non-testing purposes).
      --passcode=NUMBER      Passcode for authentication (SECURID only).
      --quality-of-protection=<qop-auth | qop-int | qop-conf>
                             How application payload will be protected.
                             "qop-auth" means no protection,
                             "qop-int" means integrity protection,
                             "qop-conf" means confidentiality.
                             Currently only used by DIGEST-MD5, where the
                             default is "qop-int".
  -r, --realm=STRING         Realm. Defaults to hostname.
      --service=STRING       Set the requested service name (should be a
                             registered GSSAPI host based service name).
      --service-name=STRING  Set the generic server name in case of a
                             replicated server (DIGEST-MD5 only).
  -x, --maxbuf=NUMBER        Indicate maximum buffer size (DIGEST-MD5 only).

STARTTLS options

      --starttls                Force use of STARTTLS.  The default is to use
                                  STARTTLS when available.  (default=off)
      --no-starttls             Unconditionally disable STARTTLS.
      --no-cb                   Don't set any channel bindings.  (default=off)
      --x509-ca-file=FILE       File containing one or more X.509 Certificate
                                  Authorities certificates in PEM format, used
                                  to verify the certificate received from the
                                  server.  If not specified, no verification of
                                  the remote server certificate will be done.
      --x509-cert-file=FILE     File containing client X.509 certificate in PEM
                                  format.  Used together with --x509-key-file
                                  to specify the certificate/key pair.
      --x509-key-file=FILE      Private key for the client X.509 certificate in
                                  PEM format.  Used together with
                                  --x509-key-file to specify the
                                  certificate/key pair.
      --priority                Cipher priority string.

Other Options

These are some standard parameters.

  -q, --quiet, --silent      Don't produce any diagnostic output.
  -v, --verbose              Produce verbose output.

  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version