Provided by: dacs_1.4.28b-3ubuntu1_amd64 

NAME
dacscookie - create DACS credentials and emit as a cookie
SYNOPSIS
dacscookie [dacsoptions[1]] [-create] [-i ident] [-user user] [-ip ipaddr]
[-role role_str] [-expires date] [-ua str]
dacscookie [dacsoptions[1]] -decrypt [-concise]
DESCRIPTION
This program is part of the DACS suite.
The dacscookie utility constructs DACS credentials that represent a single DACS identity and emits them
as the NAME=VALUE element of an HTTP cookie[2] (RFC 2109[3], RFC 2965[4]) that may be used by DACS. It can
also decode and display these cookies, provided the same encryption keys used to create the cookies are
available. The program is useful for testing purposes, or for use by programs that perform authentication (e.g.,
by calling dacsauth(1)[5]) and need to return credentials. It may also be used to generate an identity
"offline"; the resulting credentials could be used by applications other than standard Web browsers, or
be distributed via any secure channel (e.g., encrypted email) for use by the recipient.
Configured or derived defaults are used if optional identity information is not provided.
Security
Only the DACS administrator should be able to successfully run this program. Because DACS keys and
configuration files must be limited to the administrator, this will normally be the case, but a
careful administrator will set file permissions to deny access to all other users, or even delete the
binary.
Similarly, access to cookies generated by this program must be carefully controlled. Any jurisdiction
within the same federation in which the credentials were created will be able to directly decrypt the
credentials.
OPTIONS
dacscookie recognizes these options for cookie creation:
-create
Create the specified credentials and emit them to the standard output as the NAME=VALUE component of
an HTTP cookie. This is the default.
-expires date
Set the expiry date for the cookie. If date begins with '+' and is followed by a digit string, the
expiry date will be that number of seconds relative to the current time. Otherwise, the date is
expected to be in one of the recognized formats (see concise syntax[6]). If not provided, the
configured default value, AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS[7], will be used.
-i ident
The identity (ident) is given in the concise syntax[6]. Note that any elements that are explicitly
given will override those that appear in ident.
-ip ipaddr
Use ipaddr as the user's IP address (in numerical dot notation). If not provided, this element will
be obtained from any -i flag or else omitted from the credentials.
-role role_str
Use role_str as the user's role string, which must be syntactically correct. If not provided, this
element will be obtained from any -i flag or else omitted from the credentials.
-ua str
Use str as the user agent string associated with the credentials. If no string is specified, the
credentials cannot be verified against a user agent string. See dacs.conf(5)[8].
-user name
Use name, a syntactically correct username, within the applicable jurisdiction. If not provided, this
element must be specified using the -i flag.
dacscookie recognizes these options for cookie decryption:
-decrypt
Instead of creating credentials, read a cookie from the standard input and print its decoded contents
to the standard output. If the input is invalid in any way, a message is displayed.
-concise
With the -decrypt flag, only print the identity in the concise user syntax[6].
EXAMPLES
The following will generate an identity and store it in a file:
% dacscookie -u j1.example.com -user bobo > cookie.out
% chmod 0600 cookie.out
The following will display various elements of the credentials to stdout:
% dacscookie -u j1.example.com -decrypt < cookie.out
% rm cookie.out
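In the first example above, cookie.out is created under the caller's umask and only restricted afterwards by chmod. The following shell functions are an added example, not part of the DACS distribution: they create the file owner-only from the start and discard it if the command fails or prints nothing. The names write_cookie_file and is_owner_only are hypothetical, and mktemp(1) is assumed to be available.

```shell
#!/bin/sh
# Added example; write_cookie_file and is_owner_only are hypothetical names.

# write_cookie_file OUTFILE CMD [ARGS...]
# Run CMD and store its standard output in OUTFILE, readable by the owner only.
write_cookie_file() {
    out=$1
    shift
    # mktemp creates the file with mode 0600, so the credentials are never
    # readable by other users, even briefly. The temporary file lives in the
    # same directory as OUTFILE, so the final mv is a plain rename.
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    # dacscookie exits 0 on success and 1 on error; also reject empty output.
    if "$@" > "$tmp" && [ -s "$tmp" ]; then
        mv -f -- "$tmp" "$out"
    else
        rm -f -- "$tmp"
        return 1
    fi
}

# is_owner_only FILE
# Succeed only if FILE is a regular file with mode rw------- (0600).
is_owner_only() {
    [ "$(ls -ld -- "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage with the command from the example above, limited to five minutes:
#   write_cookie_file cookie.out dacscookie -u j1.example.com -user bobo -expires +300
#   is_owner_only cookie.out && dacscookie -u j1.example.com -decrypt < cookie.out
```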
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
SEE ALSO
dacs_auth_agent(8)[9], dacs_auth_transfer(8)[10], dacs_authenticate(8)[11], dacsauth(1)[5],
dacscred(1)[12], dacs_current_credentials(8)[13].
AUTHOR
Distributed Systems Software (www.dss.ca[14])
COPYING
Copyright 2003-2012 Distributed Systems Software. See the LICENSE[15] file that accompanies the
distribution for licensing information.
NOTES
1. dacsoptions
http://dacs.dss.ca/man/dacs.1.html#dacsoptions
2. HTTP cookie
http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html
3. RFC 2109
http://www.rfc-editor.org/rfc/rfc2109.txt
4. RFC 2965
http://www.rfc-editor.org/rfc/rfc2965.txt
5. dacsauth(1)
http://dacs.dss.ca/man/dacsauth.1.html
6. concise syntax
http://dacs.dss.ca/man/dacs.1.html#concise_user_syntax
7. AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS
http://dacs.dss.ca/man/dacs.conf.5.html#AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS
8. dacs.conf(5)
http://dacs.dss.ca/man/dacs.conf.5.html#VERIFY_UA
9. dacs_auth_agent(8)
http://dacs.dss.ca/man/dacs_auth_agent.8.html
10. dacs_auth_transfer(8)
http://dacs.dss.ca/man/dacs_auth_transfer.8.html
11. dacs_authenticate(8)
http://dacs.dss.ca/man/dacs_authenticate.8.html
12. dacscred(1)
http://dacs.dss.ca/man/dacscred.1.html
13. dacs_current_credentials(8)
http://dacs.dss.ca/man/dacs_current_credentials.8.html
14. www.dss.ca
http://www.dss.ca
15. LICENSE
http://dacs.dss.ca/man/../misc/LICENSE
DACS 1.4.28b 02/04/2014 DACSCOOKIE(1)