myproxy-logon(1)

1myproxy-logon(1)                    MyProxy                   myproxy-logon(1)
2
3
4

NAME

6       myproxy-logon - retrieve a credential
7

SYNOPSIS

9       myproxy-logon [ options ]
10
11       myproxy-get-delegation [ options ]
12

DESCRIPTION

14       The  myproxy-logon  command  retrieves  a  proxy  credential  from  the
15       myproxy-server(8) that was previously stored using  myproxy-init(1)  or
16       myproxy-store(1).   It  can  also  be  used to retrieve short-lived end
17       entity credentials from a myproxy-server(8) configured to act as a Cer‐
18       tificate  Authority.   In the default mode, the command prompts for the
19       MyProxy pass phrase associated with the credential to be retrieved  and
20       stores  the  retrieved  credential  in  the  location  specified by the
21       X509_USER_PROXY environment  variable  or  /tmp/x509up_u<uid>  if  that
22       environment variable is not set.
23
24       The myproxy-logon command is also available under the name myproxy-get-
25       delegation for backward compatibility.
26

OPTIONS

28       -h, --help
29              Displays command usage text and exits.
30
31       -u, --usage
32              Displays command usage text and exits.
33
34       -v, --verbose
35              Enables verbose debugging output to the terminal.
36
37       -V, --version
38              Displays version information and exits.
39
40       -s hostname[:port], --pshost hostname[:port]
41              Specifies the hostname(s) of  the  myproxy-server(s).   Multiple
42              hostnames,  each  hostname optionally followed by a ':' and port
43              number, may be specified in a comma-separated list.  This option
44              is  required  if  the MYPROXY_SERVER environment variable is not
45              defined.  If specified, this option overrides the MYPROXY_SERVER
46              environment variable. If a port number is specified with a host‐
47              name,  it  will  override  the  -p  option  as   well   as   the
48              MYPROXY_SERVER_PORT environment variable for that host.
49
50       -p port, --psport port
51              Specifies   the   TCP  port  number  of  the  myproxy-server(8).
52              Default: 7512
53
54       -l username, --username username
55              Specifies the MyProxy account  under  which  the  credential  to
56              retrieve  is  stored.  By default, the command uses the value of
57              the LOGNAME environment variable.  Use this option to specify  a
58              different  account  username on the MyProxy server.  The MyProxy
59              username need not correspond to a real Unix username.
60
61       -d, --dn_as_username
62              Use the  certificate  subject  (DN)  as  the  default  username,
63              instead of the LOGNAME environment variable.  When used with the
64              -a option, the certificate subject of the authorization  creden‐
65              tial is used.  Otherwise, the certificate subject of the default
66              credential is used.
67
68       -t hours, --proxy_lifetime hours
69              Specifies  the  lifetime  of  credentials  retrieved  from   the
70              myproxy-server(8)  using  the  stored credential.  The resulting
71              lifetime is the shorter of the requested lifetime and the  life‐
72              time  specified  when  the  credential was stored using myproxy-
73              init(1).  Default: 12 hours
74
75       -o file, --out file
76              Specifies where the retrieved proxy credential should be stored.
77              If  this  option  is not specified, the proxy credential will be
78              stored in the location specified by the X509_USER_PROXY environ‐
79              ment variable or /tmp/x509up_u<uid> if that environment variable
80              is not set.  To write the credential to the  command's  standard
81              output rather than to a file, use -o -.
82
83       -a file, --authorization file
84              Use  this  option  to specify an existing, valid credential that
85              you want to renew.  Renewing a credential generally requires two
86              certificate-based  authentications.   The  client  authenticates
87              with its identity, using the credential in the standard location
88              or  specified  by  the  X509_USER_PROXY  or  X509_USER_CERT  and
89              X509_USER_KEY environment variables in addition to  authenticat‐
90              ing  with  the existing credential, in the location specified by
91              this option, that it wants to renew.
92
93       -k name, --credname name
94              Specifies the name of the credential that is to be retrieved  or
95              renewed.
96
97       -S, --stdin_pass
98              By  default,  the command prompts for a passphrase and reads the
99              passphrase from the active tty.  When running the  command  non-
100              interactively,  there may be no associated tty.  Specifying this
101              option tells the command to read passphrases from standard input
102              without prompts or confirmation.
103
104       -n, --no_passphrase
105              Don't prompt for a credential passphrase.  Use other methods for
106              authentication, such as Kerberos ticket  or  X.509  certificate.
107              This  option is implied by -a since passphrase authentication is
108              not used for credential renewal.
109
110       -T, --trustroots
111              Retrieve CA certificates directory from server (if available) to
112              store in the location specified by the X509_CERT_DIR environment
113              variable if set or /etc/grid-security/certificates if running as
114              root or ~/.globus/certificates if running as non-root.
115
116       -b, --bootstrap
117              Unless  this  option  is  specified,  then  if the X509_CERT_DIR
118              exists and the CA that signed the myproxy-server(8)  certificate
119              is  not  trusted, myproxy-logon will fail with an error, to pro‐
120              tect  against  man-in-the-middle  attacks.   If,  however,  this
121              option  is  specified, myproxy-logon will accept the CA to boot‐
122              strap trust.  This option implies -T.
123
124       -q, --quiet
125              Only write output messages on error.
126
127       -N, --no_credentials
128              Authenticate only.  Don't retrieve credentials.
129
130       -m voms, --voms voms
131              Add VOMS attributes to the credential by running voms-proxy-init
132              on  the  client-side  after  retrieving  the credential from the
133              myproxy-server(8).  The  VOMS  VO  name  must  be  provided,  as
134              required  by voms-proxy-init -voms.  The voms-proxy-init command
135              must also be installed and configured to use this  option.   For
136              example,  the  VOMS_USERCONF environment variable may need to be
137              set for voms-proxy-init to run correctly.
138
139       -Q file, --certreq file
140              Specify the path to a PEM formatted certificate request  to  use
141              when requesting a certificate from the myproxy-server(8), rather
142              than allowing myproxy-logon to generate the private key and cer‐
143              tificate  request  itself.  In this case, myproxy-logon will not
144              output a private key but will only output the signed certificate
145              and  (as  needed)  certificate  chain.   To read the certificate
146              request from standard input rather than from a file, use -Q -.
147

EXIT STATUS

149       0 on success, >0 on error
150

ENVIRONMENT

152       GLOBUS_GSSAPI_NAME_COMPATIBILITY
153              This client will, by default, perform a  reverse-DNS  lookup  to
154              determine the FQHN (Fully Qualified Host Name) to use in verify‐
155              ing the identity of the server by checking the FQHN against  the
156              CN   in   server's   certificate.    Setting  this  variable  to
157              STRICT_RFC2818 will cause the reverse-DNS lookup to NOT be  per‐
158              formed  and  the  user-specified  name to be used instead.  This
159              variable setting will be ignored if MYPROXY_SERVER_DN (described
160              later) is set.
161
162       MYPROXY_SERVER
163              Specifies  the  hostname(s)  where the myproxy-server(8) is run‐
164              ning. Multiple hostnames can be specified in a  comma  separated
165              list  with  each  hostname optionally followed by a ':' and port
166              number.  This environment variable can be used in place  of  the
167              -s option.
168
169       MYPROXY_SERVER_PORT
170              Specifies the port where the myproxy-server(8) is running.  This
171              environment variable can be used in place of the -p option.
172
173       MYPROXY_SERVER_DN
174              Specifies the distinguished name (DN) of the  myproxy-server(8).
175              All  MyProxy client programs authenticate the server's identity.
176              By default, MyProxy servers run with host  credentials,  so  the
177              MyProxy  client  programs  expect  the  server to have a distin‐
178              guished name with "/CN=host/<fqhn>" or  "/CN=myproxy/<fqhn>"  or
179              "/CN=<fqhn>"  (where  <fqhn>  is the fully-qualified hostname of
180              the server).  If the server is running with some other  DN,  you
181              can set this environment variable to tell the MyProxy clients to
182              accept the alternative DN. Also see  GLOBUS_GSSAPI_NAME_COMPATI‐
183              BILITY above.
184
185       MYPROXY_TCP_PORT_RANGE
186              Specifies  a  range  of valid port numbers in the form "min,max"
187              for the client side of the network connection to the server.  By
188              default,  the  client will bind to any available port.  Use this
189              environment variable to restrict  the  ports  used  to  a  range
190              allowed  by  your  firewall.   If unset, MyProxy will follow the
191              setting of the GLOBUS_TCP_PORT_RANGE environment variable.
192
193       X509_USER_CERT
194              Specifies a non-standard location for the certificate to be used
195              for authentication to the myproxy-server(8).
196
197       X509_USER_KEY
198              Specifies a non-standard location for the private key to be used
199              for authentication to the myproxy-server(8).
200
201       X509_USER_PROXY
202              Specifies a non-standard location for the proxy credential to be
203              used  for  authentication to the myproxy-server(8).  Also speci‐
204              fies  the  output  location  for  the  proxy  credential  to  be
205              retrieved  from  the  myproxy-server(8)  unless the -o option is
206              given.
207
208       X509_CERT_DIR
209              Specifies a non-standard location for the CA certificates direc‐
210              tory.
211
212       MYPROXY_KEYBITS
213              Specifies  the  size  for  RSA  keys  generated  by MyProxy.  By
214              default, MyProxy generates 2048 bit RSA keys.  Set this environ‐
215              ment variable to "1024" for 1024 bit RSA keys.
216

AUTHORS

218       See http://grid.ncsa.illinois.edu/myproxy/about for the list of MyProxy
219       authors.
220