dacscookie

DACSCOOKIE(1)                 DACS Commands Manual                 DACSCOOKIE(1)



NAME
       dacscookie - create DACS credentials and emit as a cookie

SYNOPSIS
       dacscookie [dacsoptions[1]] [-create] [-i ident] [-user user]
                  [-ip ipaddr] [-role role_str] [-expires date] [-ua str]

       dacscookie [dacsoptions[1]] -decrypt [-concise]

DESCRIPTION
       This program is part of the DACS suite.

       The dacscookie utility constructs DACS credentials that represent a
       single DACS identity and emits them as the NAME=VALUE element of an HTTP
       cookie[2] (RFC 2109[3], RFC 2965[4], RFC 6265[5]) that may be used by
       DACS. It can also decode and display these cookies, provided the same
       encryption keys used to create the cookies are available. The program is
       useful for testing purposes, or for programs that perform authentication
       (e.g., by calling dacsauth(1)[6]) and need to return credentials. It may
       also be used to generate an identity "offline"; the resulting credentials
       could be used by applications other than standard Web browsers, or be
       distributed via any secure channel (e.g., encrypted email) for use by the
       recipient.

       Configured or derived defaults are used if optional identity information
       is not provided.

           Security
           Only the DACS administrator should be able to successfully run this
           program. Because DACS keys and configuration files must be limited to
           the administrator, this will normally be the case, but a careful
           administrator will set file permissions to deny access to all other
           users, or even delete the binary.

           Similarly, access to cookies generated by this program must be
           carefully controlled. Any jurisdiction within the same federation in
           which the credentials were created will be able to directly decrypt
           the credentials.

OPTIONS
       dacscookie recognizes these options for cookie creation:

       -create
           Create the specified credentials and emit them to the standard output
           as the NAME=VALUE component of an HTTP cookie. This is the default.

       -expires date
           Set the expiry date for the cookie. If date begins with '+' and is
           followed by a digit string, the expiry date will be that number of
           seconds relative to the current time. Otherwise, the date is expected
           to be in one of the recognized formats (see concise syntax[7]). If
           not provided, the configured default value,
           AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS[8], will be used.

       -i ident
           The identity (ident) is given in the concise syntax[7]. Note that any
           elements that are explicitly given will override those that appear in
           ident.

       -ip ipaddr
           Use ipaddr as the user's IP address (in standard dot notation). If
           not provided, this element will be obtained from any -i flag or else
           omitted from the credentials.

       -role role_str
           Use role_str as the user's role string, which must be syntactically
           correct. If not provided, this element will be obtained from any -i
           flag or else omitted from the credentials.

       -ua str
           Use str as the user agent string associated with the credentials. If
           no string is specified, the credentials cannot be verified against a
           user agent string. See dacs.conf(5)[9].

       -user name
           Use name, a syntactically correct username, within the applicable
           jurisdiction. If not provided, this element must be specified using
           the -i flag.

       dacscookie recognizes these options for cookie decryption:

       -decrypt
           Instead of creating credentials, read a cookie from the standard
           input and print its decoded contents to the standard output. If the
           input is invalid in any way, a message is displayed.

       -concise
           With the -decrypt flag, only print the identity in the concise user
           syntax[7].

EXAMPLES
       The following will generate an identity and store it in a file:

           % dacscookie -u j1.example.com -user bobo > cookie.out
           % chmod 0600 cookie.out

       The following will display various elements of the credentials to stdout:

           % dacscookie -u j1.example.com -decrypt < cookie.out
           % rm cookie.out
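
       In the first example above, the redirection creates cookie.out under
       the caller's umask and chmod tightens it only afterwards. The wrapper
       below is an added example, not part of the DACS distribution: it
       creates the file owner-only from the start and accepts only the
       relative -expires form. The helper names and the DACSCOOKIE override
       variable are hypothetical.

```shell
#!/bin/sh
# Added example; the helper names and the DACSCOOKIE override are hypothetical.

# Accept only the relative -expires form: '+' followed by a digit string.
valid_rel_expiry() {
    case "$1" in
        +|+*[!0-9]*) return 1 ;;
        +[0-9]*)     return 0 ;;
        *)           return 1 ;;
    esac
}

# write_private FILE CMD [ARGS...]
# Run CMD with stdout going to FILE, created owner-only. The umask change is
# confined to a subshell; rm plus noclobber (set -C) ensures a fresh file, so
# a stale file with wider permissions is never reused.
write_private() {
    out=$1; shift
    ( umask 077 && rm -f -- "$out" && set -C && "$@" > "$out" )
}

# True if the path grants nothing to group or other (reads the ls mode string).
is_private() {
    mode=$(ls -ld -- "$1") || return 1
    case "${mode%% *}" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# issue_cookie JURISDICTION USER +SECS OUTFILE
# Uses only flags shown on this page: -u, -user, -expires.
issue_cookie() {
    valid_rel_expiry "$3" || { echo "bad -expires value: $3" >&2; return 2; }
    if write_private "$4" "${DACSCOOKIE:-dacscookie}" \
            -u "$1" -user "$2" -expires "$3"
    then is_private "$4"          # confirm the resulting mode
    else rm -f -- "$4"; return 1  # leave no partial cookie file behind
    fi
}

# Usage (names from the examples above; +300 is a constructed lifetime):
#   issue_cookie j1.example.com bobo +300 cookie.out
```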


DIAGNOSTICS
       The program exits 0 if everything was fine, 1 if an error occurred.

SEE ALSO
       dacs_auth_agent(8)[10], dacs_auth_transfer(8)[11],
       dacs_authenticate(8)[12], dacsauth(1)[6], dacscred(1)[13],
       dacs_current_credentials(8)[14].

AUTHOR
       Distributed Systems Software (www.dss.ca[15])

COPYING
       Copyright © 2003-2015 Distributed Systems Software. See the LICENSE[16]
       file that accompanies the distribution for licensing information.

NOTES
        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. HTTP cookie
           http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html

        3. RFC 2109
           http://www.rfc-editor.org/rfc/rfc2109.txt

        4. RFC 2965
           http://www.rfc-editor.org/rfc/rfc2965.txt

        5. RFC 6265
           http://www.rfc-editor.org/rfc/rfc6265.txt

        6. dacsauth(1)
           http://dacs.dss.ca/man/dacsauth.1.html

        7. concise syntax
           http://dacs.dss.ca/man/dacs.1.html#concise_user_syntax

        8. AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS
           http://dacs.dss.ca/man/dacs.conf.5.html#AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS

        9. dacs.conf(5)
           http://dacs.dss.ca/man/dacs.conf.5.html#VERIFY_UA

       10. dacs_auth_agent(8)
           http://dacs.dss.ca/man/dacs_auth_agent.8.html

       11. dacs_auth_transfer(8)
           http://dacs.dss.ca/man/dacs_auth_transfer.8.html

       12. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html

       13. dacscred(1)
           http://dacs.dss.ca/man/dacscred.1.html

       14. dacs_current_credentials(8)
           http://dacs.dss.ca/man/dacs_current_credentials.8.html

       15. www.dss.ca
           http://www.dss.ca

       16. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE



DACS 1.4.40                        02/19/2019                      DACSCOOKIE(1)