myproxy-logon(1)                    MyProxy                    myproxy-logon(1)

NAME
       myproxy-logon - retrieve a credential

SYNOPSIS
       myproxy-logon [ options ]

       myproxy-get-delegation [ options ]

DESCRIPTION
       The myproxy-logon command retrieves a proxy credential from the
       myproxy-server(8) that was previously stored using myproxy-init(1) or
       myproxy-store(1). It can also be used to retrieve short-lived end
       entity credentials from a myproxy-server(8) configured to act as a
       Certificate Authority. In the default mode, the command prompts for
       the MyProxy pass phrase associated with the credential to be retrieved
       and stores the retrieved credential in the location specified by the
       X509_USER_PROXY environment variable or /tmp/x509up_u<uid> if that
       environment variable is not set.

       The myproxy-logon command is also available under the name
       myproxy-get-delegation for backward compatibility.

OPTIONS
       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies the hostname(s) of the myproxy-server(s). Multiple
              hostnames, each hostname optionally followed by a ':' and port
              number, may be specified in a comma-separated list. This option
              is required if the MYPROXY_SERVER environment variable is not
              defined. If specified, this option overrides the MYPROXY_SERVER
              environment variable. If a port number is specified with a
              hostname, it will override the -p option as well as the
              MYPROXY_SERVER_PORT environment variable for that host.

       -p port, --psport port
              Specifies the TCP port number of the myproxy-server(8).
              Default: 7512

       -l username, --username username
              Specifies the MyProxy account under which the credential to
              retrieve is stored. By default, the command uses the value of
              the LOGNAME environment variable. Use this option to specify a
              different account username on the MyProxy server. The MyProxy
              username need not correspond to a real Unix username.

       -d, --dn_as_username
              Use the certificate subject (DN) as the default username,
              instead of the LOGNAME environment variable. When used with the
              -a option, the certificate subject of the authorization
              credential is used. Otherwise, the certificate subject of the
              default credential is used.

       -t hours, --proxy_lifetime hours
              Specifies the lifetime of credentials retrieved from the
              myproxy-server(8) using the stored credential. The resulting
              lifetime is the shorter of the requested lifetime and the
              lifetime specified when the credential was stored using
              myproxy-init(1). Default: 12 hours

       -o file, --out file
              Specifies where the retrieved proxy credential should be stored.
              If this option is not specified, the proxy credential will be
              stored in the location specified by the X509_USER_PROXY
              environment variable or /tmp/x509up_u<uid> if that environment
              variable is not set. To write the credential to the command's
              standard output rather than to a file, use -o -.

       -a file, --authorization file
              Use this option to specify an existing, valid credential that
              you want to renew. Renewing a credential generally requires two
              certificate-based authentications. The client authenticates
              with its identity, using the credential in the standard location
              or specified by the X509_USER_PROXY or X509_USER_CERT and
              X509_USER_KEY environment variables in addition to
              authenticating with the existing credential, in the location
              specified by this option, that it wants to renew.

       -k name, --credname name
              Specifies the name of the credential that is to be retrieved or
              renewed.

       -S, --stdin_pass
              By default, the command prompts for a passphrase and reads the
              passphrase from the active tty. When running the command
              non-interactively, there may be no associated tty. Specifying
              this option tells the command to read passphrases from standard
              input without prompts or confirmation.

       -n, --no_passphrase
              Don't prompt for a credential passphrase. Use other methods for
              authentication, such as Kerberos ticket or X.509 certificate.
              This option is implied by -a since passphrase authentication is
              not used for credential renewal.

       -T, --trustroots
              Retrieve CA certificates directory from server (if available) to
              store in the location specified by the X509_CERT_DIR environment
              variable if set or /etc/grid-security/certificates if running as
              root or ~/.globus/certificates if running as non-root.

       -b, --bootstrap
              Unless this option is specified, then if the X509_CERT_DIR
              exists and the CA that signed the myproxy-server(8) certificate
              is not trusted, myproxy-logon will fail with an error, to
              protect against man-in-the-middle attacks. If, however, this
              option is specified, myproxy-logon will accept the CA to
              bootstrap trust. This option implies -T.

       -q, --quiet
              Only write output messages on error.

       -N, --no_credentials
              Authenticate only. Don't retrieve credentials.

       -m voms, --voms voms
              Add VOMS attributes to the credential by running voms-proxy-init
              on the client-side after retrieving the credential from the
              myproxy-server(8). The VOMS VO name must be provided, as
              required by voms-proxy-init -voms. The voms-proxy-init command
              must also be installed and configured to use this option. For
              example, the VOMS_USERCONF environment variable may need to be
              set for voms-proxy-init to run correctly.

       -Q file, --certreq file
              Specify the path to a PEM formatted certificate request to use
              when requesting a certificate from the myproxy-server(8), rather
              than allowing myproxy-logon to generate the private key and
              certificate request itself. In this case, myproxy-logon will not
              output a private key but will only output the signed certificate
              and (as needed) certificate chain. To read the certificate
              request from standard input rather than from a file, use -Q -.

EXIT STATUS
       0 on success, >0 on error

ENVIRONMENT
       GLOBUS_GSSAPI_NAME_COMPATIBILITY
              This client will, by default, perform a reverse-DNS lookup to
              determine the FQHN (Fully Qualified Host Name) to use in
              verifying the identity of the server by checking the FQHN
              against the CN in server's certificate. Setting this variable to
              STRICT_RFC2818 will cause the reverse-DNS lookup to NOT be
              performed and the user-specified name to be used instead. This
              variable setting will be ignored if MYPROXY_SERVER_DN (described
              later) is set.

       MYPROXY_SERVER
              Specifies the hostname(s) where the myproxy-server(8) is
              running. Multiple hostnames can be specified in a comma
              separated list with each hostname optionally followed by a ':'
              and port number. This environment variable can be used in place
              of the -s option.

       MYPROXY_SERVER_PORT
              Specifies the port where the myproxy-server(8) is running. This
              environment variable can be used in place of the -p option.

       MYPROXY_SERVER_DN
              Specifies the distinguished name (DN) of the myproxy-server(8).
              All MyProxy client programs authenticate the server's identity.
              By default, MyProxy servers run with host credentials, so the
              MyProxy client programs expect the server to have a
              distinguished name with "/CN=host/<fqhn>" or
              "/CN=myproxy/<fqhn>" or "/CN=<fqhn>" (where <fqhn> is the
              fully-qualified hostname of the server). If the server is
              running with some other DN, you can set this environment
              variable to tell the MyProxy clients to accept the alternative
              DN. Also see GLOBUS_GSSAPI_NAME_COMPATIBILITY above.

       MYPROXY_TCP_PORT_RANGE
              Specifies a range of valid port numbers in the form "min,max"
              for the client side of the network connection to the server. By
              default, the client will bind to any available port. Use this
              environment variable to restrict the ports used to a range
              allowed by your firewall. If unset, MyProxy will follow the
              setting of the GLOBUS_TCP_PORT_RANGE environment variable.

       X509_USER_CERT
              Specifies a non-standard location for the certificate to be used
              for authentication to the myproxy-server(8).

       X509_USER_KEY
              Specifies a non-standard location for the private key to be used
              for authentication to the myproxy-server(8).

       X509_USER_PROXY
              Specifies a non-standard location for the proxy credential to be
              used for authentication to the myproxy-server(8). Also specifies
              the output location for the proxy credential to be retrieved
              from the myproxy-server(8) unless the -o option is given.

       X509_CERT_DIR
              Specifies a non-standard location for the CA certificates
              directory.

       MYPROXY_KEYBITS
              Specifies the size for RSA keys generated by MyProxy. By
              default, MyProxy generates 2048 bit RSA keys. Set this
              environment variable to "1024" for 1024 bit RSA keys.

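The options and environment variables above interact in ways that weaken server authentication or key handling (-b, reverse-DNS name checks, MYPROXY_KEYBITS, -o -). The following is an added example, not part of the MyProxy distribution: a preflight review of a planned invocation that never runs myproxy-logon. The function names myproxy_out_path and myproxy_preflight are hypothetical.

```shell
# Added example: review a planned myproxy-logon invocation before running it.
# Function names are hypothetical; only documented options/variables are read.

# Where the credential will land: -o, else X509_USER_PROXY, else the default.
myproxy_out_path() {
    if [ -n "${1:-}" ]; then printf '%s\n' "$1"
    elif [ -n "${X509_USER_PROXY:-}" ]; then printf '%s\n' "$X509_USER_PROXY"
    else printf '/tmp/x509up_u%s\n' "$(id -u)"
    fi
}

# Usage: myproxy_preflight [planned myproxy-logon arguments...]
# Prints one finding per line and returns 1 if there was any.
# Bundled short options (e.g. -bq) are not parsed.
myproxy_preflight() {
    out='' certreq='' prev='' rc=0
    for arg in "$@"; do
        case $prev in
            -o|--out)     out=$arg ;;
            -Q|--certreq) certreq=$arg ;;
        esac
        case $arg in
            -b|--bootstrap)
                echo "bootstrap: -b accepts a server CA that is not yet trusted"
                rc=1 ;;
        esac
        prev=$arg
    done
    # Without MYPROXY_SERVER_DN, the server name check uses reverse DNS
    # unless GLOBUS_GSSAPI_NAME_COMPATIBILITY=STRICT_RFC2818.
    if [ -z "${MYPROXY_SERVER_DN:-}" ] &&
       [ "${GLOBUS_GSSAPI_NAME_COMPATIBILITY:-}" != STRICT_RFC2818 ]; then
        echo "name-check: server identity check relies on a reverse-DNS lookup"
        rc=1
    fi
    # Anything below the documented 2048-bit default is a downgrade.
    case ${MYPROXY_KEYBITS:-2048} in
        *[!0-9]*) echo "keybits: MYPROXY_KEYBITS is not a number"; rc=1 ;;
        *) if [ "${MYPROXY_KEYBITS:-2048}" -lt 2048 ]; then
               echo "keybits: RSA key size below the 2048-bit default"; rc=1
           fi ;;
    esac
    # -o - sends the credential, private key included, to stdout unless -Q
    # supplied the request (then no private key is output).
    if [ "$(myproxy_out_path "$out")" = "-" ] && [ -z "$certreq" ]; then
        echo "stdout-key: private key will be written to standard output"
        rc=1
    fi
    return $rc
}
```
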
AUTHORS
       See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy
       authors.

SEE ALSO
       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
       myproxy-retrieve(1), myproxy-server.config(5), myproxy-store(1),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)

MyProxy                            2010-09-09                  myproxy-logon(1)