GNU SASL (gsasl) – Command line interface to libgsasl.
gsasl is the main program of GNU SASL.
This section only lists the commands and options available.
Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.
gsasl recognizes these commands:
-c, --client                  Act as client (the default).
--client-mechanisms           Write name of supported client mechanisms separated by space to stdout.
-s, --server                  Act as server.
--server-mechanisms           Write name of supported server mechanisms separated by space to stdout.
-k, --mkpasswd                Derive password. Provide --mechanism as SCRAM-SHA-1 or SCRAM-SHA-256. The required inputs are password (through --password or read from terminal) and optional inputs are iteration count (through --iteration-count, or defaulting to 65536) and salt (through --salt, or generated randomly). The output is a string of the form "{mech}count,salt,stored-key,server-key[,salted-password]" where "mech" is the mechanism, "count" is the number of times password was hashed, "salt" is the provided/generated base64-encoded salt, "stored-key" and "server-key" are the two derived and base64-encoded server-side keys. When --verbose is provided, "salted-password" will be included as the hex-encoded PBKDF2-derived password. (default=off)
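The derivation behind the --mkpasswd output format, as an added example in Python (not code from gsasl or its documentation): mkpasswd() reproduces the "{mech}count,salt,stored-key,server-key[,salted-password]" line from a password, and verify_password() shows the server-side check such a record enables. The function names and the fixed sample salt are constructed for illustration, and SASLprep normalization of the password is omitted.

```python
import base64
import hashlib
import hmac
import os

# Digest used by each SCRAM variant that gsasl --mkpasswd accepts.
MECHS = {"SCRAM-SHA-1": "sha1", "SCRAM-SHA-256": "sha256"}

def b64(data):
    return base64.b64encode(data).decode("ascii")

def scram_keys(mech, password, salt, count):
    """Return (salted_password, stored_key, server_key) per RFC 5802 / RFC 7677.
    Simplification: the password is used as UTF-8 without SASLprep, fine for ASCII."""
    digest = MECHS[mech]
    salted = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, count)
    client_key = hmac.new(salted, b"Client Key", digest).digest()
    stored_key = hashlib.new(digest, client_key).digest()  # StoredKey = H(ClientKey)
    server_key = hmac.new(salted, b"Server Key", digest).digest()
    return salted, stored_key, server_key

def mkpasswd(mech, password, salt=None, count=65536, verbose=False):
    """Build the line gsasl --mkpasswd prints:
    {mech}count,salt,stored-key,server-key[,salted-password]"""
    if salt is None:
        salt = os.urandom(16)  # like gsasl, pick a random salt when --salt is absent
    salted, stored_key, server_key = scram_keys(mech, password, salt, count)
    line = "{%s}%d,%s,%s,%s" % (mech, count, b64(salt), b64(stored_key), b64(server_key))
    if verbose:
        line += "," + salted.hex()  # --verbose appends the hex PBKDF2 output
    return line

def parse_mkpasswd(line):
    """Split a --mkpasswd line into (mech, count, salt, stored_key, server_key, salted|None)."""
    mech, rest = line[1:].split("}", 1)
    f = rest.split(",")
    salted = bytes.fromhex(f[4]) if len(f) > 4 else None
    return (mech, int(f[0]), base64.b64decode(f[1]),
            base64.b64decode(f[2]), base64.b64decode(f[3]), salted)

def verify_password(line, candidate):
    """Server-side check: recompute both keys from the candidate password and
    compare them with the stored ones in constant time."""
    mech, count, salt, stored_key, server_key, _ = parse_mkpasswd(line)
    _, sk, svk = scram_keys(mech, candidate, salt, count)
    return hmac.compare_digest(sk, stored_key) and hmac.compare_digest(svk, server_key)

if __name__ == "__main__":
    # Constructed sample with a fixed salt so the output is reproducible.
    record = mkpasswd("SCRAM-SHA-256", "correct horse", b"constructed-salt", 4096, verbose=True)
    print(record, verify_password(record, "correct horse"), verify_password(record, "wrong"))
```

The verbose field is what --scram-salted-password expects on the client side (40 hex characters for SCRAM-SHA-1, 64 for SCRAM-SHA-256), so it must be protected like the password itself.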
Normally the SASL negotiation is performed on the terminal, with reading from stdin and writing to stdout. It is also possible to perform the negotiation with a server over a TCP network connection.
--connect=HOSTNAME[:SERVICE]  Connect to TCP server and negotiate on stream instead of stdin/stdout. SERVICE is the protocol service, or an integer denoting the port, and defaults to 143 (imap) if not specified. Also sets the --hostname default.
These parameters affect overall behaviour.
-d, --application-data        After authentication, read data from stdin and run it through the mechanism's security layer and print it base64 encoded to stdout. The default is to terminate after authentication.
--imap                        Use an IMAP-like logon procedure (client only). Also sets the --service default to "imap".
-m, --mechanism=STRING        Mechanism to use.
--no-client-first             Disallow the client from sending data first (client only).
These options modify the behaviour of the callbacks (see Callback Functions) in the library. The default is to query the user on the terminal.
-n, --anonymous-token=STRING  Token for anonymous authentication, usually mail address (ANONYMOUS only).
-a, --authentication-id=STRING  Identity of credential owner.
-z, --authorization-id=STRING  Identity to request service for.
--disable-cleartext-validate  Disable cleartext validate hook, forcing server to prompt for password.
--enable-cram-md5-validate    Validate CRAM-MD5 challenge and response interactively.
--hostname=STRING             Set the name of the server with the requested service.
-p, --password=STRING         Password for authentication (insecure for non-testing purposes).
--passcode=NUMBER             Passcode for authentication (SECURID only).
--quality-of-protection=<qop-auth | qop-int | qop-conf>  How application payload will be protected. "qop-auth" means no protection, "qop-int" means integrity protection, "qop-conf" means confidentiality. Currently only used by DIGEST-MD5, where the default is "qop-int".
-r, --realm=STRING            Realm. Defaults to hostname.
--service=STRING              Set the requested service name (should be a registered GSSAPI host based service name).
--service-name=STRING         Set the generic server name in case of a replicated server (DIGEST-MD5 only).
--iteration-count=NUMBER      Indicate PBKDF2 hash iteration count (SCRAM only). (default=`65536')
--salt=B64DATA                Indicate PBKDF2 salt as base64-encoded string (SCRAM only).
--scram-salted-password=STRING  Salted SCRAM password for authentication (SCRAM only; 40 hex characters for SCRAM-SHA-1 and 64 characters for SCRAM-SHA-256).
--starttls                    Force use of STARTTLS. The default is to use STARTTLS when available. (default=off)
--no-starttls                 Unconditionally disable STARTTLS. (default=off)
--no-cb                       Don't set any channel bindings. (default=off)
--x509-ca-file=FILE           File containing one or more X.509 Certificate Authority certificates in PEM format, used to verify the certificate received from the server. If not specified, verification uses system trust settings. If FILE is the empty string, don't fail on X.509 server certificate verification errors.
--x509-cert-file=FILE         File containing client X.509 certificate in PEM format. Used together with --x509-key-file to specify the certificate/key pair.
--x509-key-file=FILE          Private key for the client X.509 certificate in PEM format. Used together with --x509-cert-file to specify the certificate/key pair.
--priority                    Cipher priority string.
These are some standard parameters.
-q, --quiet, --silent         Don't produce any diagnostic output.
-v, --verbose                 Produce verbose output.
-?, --help                    Give this help list.
--usage                       Give a short usage message.
-V, --version                 Print program version.