Provided by: myproxy_5.5-1_i386 bug

NAME

       myproxy-init - store a credential for later retrieval

SYNOPSIS

       myproxy-init [ options ]

DESCRIPTION

       The  myproxy-init  command  uploads a credential to a myproxy-server(8)
       for later retrieval.  In the default mode, the  command  first  prompts
       for  the user's Grid pass phrase (if needed), which is used to create a
       proxy credential.  The command then prompts for a MyProxy pass  phrase,
       which  will  be required to later retrieve the credential.  The MyProxy
       pass phrase  must  be  entered  a  second  time  for  confirmation.   A
       credential  with  a lifetime of one week (by default) is then delegated
       to the myproxy-server(8) and stored with the given MyProxy pass phrase.
       Proxy  credentials  with  default  lifetime  of  12  hours  can then be
       retrieved  by  myproxy-logon(1)  using  the  MyProxy  passphrase.   The
       default behavior can be overridden by options specified below.

       The  myproxy-init  command  can  also upload a credential to a myproxy-
       server(8) to support credential  renewal.   Renewal  allows  a  trusted
       service (for example, a batch job scheduler) to obtain a new credential
       for a user before the existing credential it has for that user expires.
       The  -R  argument to myproxy-init configures the credential for renewal
       by the specified service.  Renewal requires two  authentications.   The
       renewing  service  must authenticate with its own credentials, matching
       the distinquished name specified by the  -R  argument,  and  must  also
       authenticate with an existing credential that matches the distinguished
       name of the stored credential, to retrieve a new credential.

       A credential may be used either for retrieval or renewal but not  both.
       If both are desired, upload a different credential for each use, with a
       different name using the -k option.

       The hostname where the myproxy-server(8) is running must  be  specified
       by  either  defining  the MYPROXY_SERVER environment variable or the -s
       option.

       By default, myproxy-init will create a proxy credential from the user's
       end-entity      credentials      at      ~/.globus/usercert.pem     and
       ~/.globus/userkey.pem to delegate to the myproxy-server(8).  To specify
       an  alternate  location for the source certificate and key to delegate,
       use the X509_USER_CERT and X509_USER_KEY environment variables.  To use
       a   proxy  credential  as  the  source  of  the  delegation,  set  both
       environment variables to the location  of  the  proxy  credential.   To
       delegate  a  "legacy  globus  proxy", set the GT_PROXY_MODE environment
       variable to "old".  To delegate an "RFC 3820 compliant proxy", set  the
       GT_PROXY_MODE environment variable to "rfc".

OPTIONS

       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies  the  hostname(s)  of the myproxy-server(s).  Multiple
              hostnames, each hostname optionally followed by a ':'  and  port
              number, may be specified in a comma-separated list.  This option
              is required if the MYPROXY_SERVER environment  variable  is  not
              defined.  If specified, this option overrides the MYPROXY_SERVER
              environment variable. If a  port  number  is  specified  with  a
              hostname,  it  will  override  the  -p  option  as  well  as the
              MYPROXY_SERVER_PORT environment variable for that host.

       -p port, --psport port
              Specifies  the  TCP  port  number  of   the   myproxy-server(8).
              Default: 7512

       -l username, --username username
              Specifies  the MyProxy account under which the credential should
              be stored.  By default,  the  command  uses  the  value  of  the
              LOGNAME  environment  variable.   Use  this  option to specify a
              different account username on the MyProxy server.   The  MyProxy
              username need not correspond to a real Unix username.

       -c hours, --cred_lifetime hours
              Specifies  the lifetime of the credential stored on the myproxy-
              server(8)  in  hours.   Specify  0  for  the  maximum   possible
              lifetime,   i.e.,  the  lifetime  of  the  original  credential.
              Default: 1 week (168 hours)

       -t hours, --proxy_lifetime hours
              Specifies the maximum lifetime of credentials retrieved from the
              myproxy-server(8)  using  the  stored  credential.   Default: 12
              hours

       -C filename, --certfile filename
              Specifies  the  filename  of  the source certificate.

       -y filename, --keyfile filename
              Specifies the filename of the source private key.

       -d, --dn_as_username
              Use the  certificate  subject  (DN)  as  the  default  username,
              instead of the LOGNAME environment variable.

       -a, --allow_anonymous_retrievers
              Allow   credentials  to  be  retrieved  with  just  pass  phrase
              authentication.  By default, only entities with credentials that
              match  the myproxy-server.config(5) default retriever policy may
              retrieve  credentials.   This  option  allows  entities  without
              existing  credentials to retrieve a credential using pass phrase
              authentication by including "anonymous" in the  set  of  allowed
              retrievers.   The  myproxy-server.config(5)  server-wide  policy
              must also allow "anonymous" clients for this option to  have  an
              effect.

       -A, --allow_anonymous_renewers
              Allow  credentials to be renewed by any client.  Any client with
              a valid credential with a subject name that matches  the  stored
              credential  may  retrieve  a  new  credential  from  the MyProxy
              repository if this option  is  given.   Since  this  effectively
              defeats  the  purpose  of  proxy credential lifetimes, it is not
              recommended.  It is included only for sake of completeness.

       -r name, --retrievable_by name
              Allow the specified entity to retrieve credentials.  See -x  and
              -X options for controlling name matching behavior.

       -R name, --renewable_by name
              Allow  the specified entity to renew credentials.  See -x and -X
              options for controlling name  matching  behavior.   This  option
              implies  -n  since  passphrase  authentication  is  not used for
              credential renewal.

       -Z name, --retrievable_by_cert name
              Allow the specified entity to  retrieve  credentials  without  a
              passphrase.  See -x and -X options for controlling name matching
              behavior.  This option implies -n.

       -x, --regex_dn_match
              Specifies that names used with following options -r, -R, and  -Z
              will   be   matched   against   the   full  certificate  subject
              distinguished name (DN)  according  to  REGULAR  EXPRESSIONS  in
              myproxy-server.config(5).

       -X, --match_cn_only
              Specifies  that names used with following options -r, -R, and -Z
              will be matched against the certificate subject common name (CN)
              according  to  REGULAR  EXPRESSIONS in myproxy-server.config(5).
              For example, if an argument of -r  "Jim  Basney"  is  specified,
              then  the  resulting  policy will be "*/CN=Jim Basney".  This is
              the default behavior.

       -k name, --credname name
              Specifies the credential name.

       -K description, --creddesc description
              Specifies credential description.

       -S, --stdin_pass
              By default, the command prompts for a passphrase and  reads  the
              passphrase  from  the active tty.  When running the command non-
              interactively, there may be no associated tty.  Specifying  this
              option tells the command to read passphrases from standard input
              without prompts or confirmation.

       -L, --local_proxy
              In addition to  storing  a  proxy  credential  on  the  myproxy-
              server(8) with lifetime set by --cred_lifetime (default 1 week),
              create  a  local  proxy  credential   with   lifetime   set   by
              --proxy_lifetime (default 12 hours).

       -n, --no_passphrase
              Don't  prompt  for  a  credential passphrase.  Store credentials
              without a  credential  passphrase,  to  be  protected  by  other
              methods, such as PAM, SASL, or certificate-based authentication.
              This option is implied by -R since passphrase authentication  is
              not  used  for  credential  renewal.   Note  that  the  myproxy-
              server(8)  always  requires  some  type  of  authentication  for
              retrieving  credentials,  so  if  you store a credential with no
              passphrase and other authentication methods are not  configured,
              the credential will not be accessible.

       -m voms, --voms voms
              Add VOMS attributes to the credential by running voms-proxy-init
              on the client-side before storing the credential on the myproxy-
              server(8).   The  VOMS  VO name must be provided, as required by
              voms-proxy-init -voms.   The  voms-proxy-init  command  must  be
              installed  and  configured to use this option.  For example, the
              VOMS_USERCONF environment variable may need to be set for  voms-
              proxy-init to run correctly.

EXIT STATUS

       0 on success, >0 on error

FILES

       ~/.globus/usercert.pem
              Default  location  of  the  certificate  from  which  the  proxy
              credential  is  created.   Set  the  X509_USER_CERT  environment
              variable to override.

       ~/.globus/userkey.pem
              Default  location  of  the  private  key  from  which  the proxy
              credential  is  created.   Set  the  X509_USER_KEY   environment
              variable to override.

       /tmp/myproxy-proxy.<uid>.<pid>
              Location  of the temporary proxy credential that is delegated to
              the myproxy-server(8).  It is removed after  the  delegation  is
              completed.

ENVIRONMENT

       GLOBUS_GSSAPI_NAME_COMPATIBILITY
              This  client  will,  by default, perform a reverse-DNS lookup to
              determine the  FQHN  (Fully  Qualified  Host  Name)  to  use  in
              verifying  the  identity  of  the  server  by  checking the FQHN
              against the CN in server's certificate.  Setting  this  variable
              to  STRICT_RFC2818  will  cause the reverse-DNS lookup to NOT be
              performed and the user-specified name to be used instead.   This
              variable setting will be ignored if MYPROXY_SERVER_DN (described
              later) is set.

       MYPROXY_SERVER
              Specifies  the  hostname(s)  where  the   myproxy-server(8)   is
              running.   Multiple  hostnames  can  be  specified  in  a  comma
              separated list with each hostname optionally followed by  a  ':'
              and port number.  This environment variable can be used in place
              of the -s option.

       MYPROXY_SERVER_PORT
              Specifies the port where the myproxy-server(8) is running.  This
              environment variable can be used in place of the -p option.

       MYPROXY_SERVER_DN
              Specifies  the distinguished name (DN) of the myproxy-server(8).
              All MyProxy client programs authenticate the server's  identity.
              By  default,  MyProxy  servers run with host credentials, so the
              MyProxy  client  programs  expect   the   server   to   have   a
              distinguished      name      with      "/CN=host/<fqhn>"      or
              "/CN=myproxy/<fqhn>" or "/CN=<fqhn>" (where <fqhn> is the fully-
              qualified  hostname  of  the  server).  If the server is running
              with some other DN, you can set  this  environment  variable  to
              tell  the MyProxy clients to accept the alternative DN. Also see
              GLOBUS_GSSAPI_NAME_COMPATIBILITY above.

       X509_USER_CERT
              Specifies a non-standard location for the certificate from which
              the  proxy  credential is created.  The location may be the path
              to an end-entity certificate (ex.  ~/.globus/usercert.pem) or  a
              proxy (ex.  /tmp/x509up_u<uid>).

       X509_USER_KEY
              Specifies a non-standard location for the private key from which
              the proxy credential is created.  The location may be  the  path
              to  an  end-entity private key (ex.  ~/.globus/userkey.pem) or a
              proxy (ex.  /tmp/x509up_u<uid>).

       X509_CERT_DIR
              Specifies  a  non-standard  location  for  the  CA  certificates
              directory.

       GT_PROXY_MODE
              Set  to  "old"  to  store a "legacy globus proxy" in the MyProxy
              repository.  Set to "rfc" to store an "RFC 3820 compliant proxy"
              in the MyProxy repository.

       MYPROXY_TCP_PORT_RANGE
              Specifies  a  range  of valid port numbers in the form "min,max"
              for the client side of the network connection to the server.  By
              default,  the  client will bind to any available port.  Use this
              environment variable to restrict  the  ports  used  to  a  range
              allowed  by  your  firewall.   If unset, MyProxy will follow the
              setting of the GLOBUS_TCP_PORT_RANGE environment variable.

       MYPROXY_KEYBITS
              Specifies the size  for  RSA  keys  generated  by  MyProxy.   By
              default,   MyProxy  generates  2048  bit  RSA  keys.   Set  this
              environment variable to "1024" for 1024 bit RSA keys.

AUTHORS

       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.

SEE ALSO

       myproxy-change-pass-phrase(1),     myproxy-destroy(1),     myproxy-get-
       trustroots(1),  myproxy-info(1), myproxy-logon(1), myproxy-retrieve(1),
       myproxy-store(1),  myproxy-server.config(5),  myproxy-admin-adduser(8),
       myproxy-admin-change-pass(8),         myproxy-admin-load-credential(8),
       myproxy-admin-query(8), myproxy-server(8)