GSASL(1)			 User Commands			      GSASL(1)

NAME
       gsasl - SASL library command line interface

SYNOPSIS
       gsasl [OPTION]... [HOST [PORT]]...

DESCRIPTION
       Authenticate user to a server using Simple Authentication and Security
       Layer.  Currently IMAP and SMTP servers are supported.  This is a
       command line interface for the GNU SASL library.

       -h, --help
	      Print help and exit

       -V, --version
	      Print version and	exit

   Commands:
       -c, --client
	      Act as client.  (default=on)

       -s, --server
	      Act as server.  (default=off)

       --client-mechanisms
	      Write  name of supported client mechanisms separated by space to
	      stdout.  (default=off)

       --server-mechanisms
	      Write name of supported server mechanisms	separated by space  to
	      stdout.  (default=off)

       -k, --mkpasswd
	      Derive password.  Provide --mechanism as SCRAM-SHA-1 or
	      SCRAM-SHA-256.  The required inputs are password (through
	      --password or read from terminal) and optional inputs are
	      iteration count (through --iteration-count, or defaulting to
	      65536) and salt (through --salt, or generated randomly).  The
	      output is a string of the form
	      "{mech}count,salt,stored-key,server-key[,salted-password]" where
	      "mech" is the mechanism, "count" is the number of times password
	      was hashed, "salt" is the provided/generated base64-encoded
	      salt, "stored-key" and "server-key" are the two derived and
	      base64-encoded server-side keys.  When --verbose is provided,
	      "salted-password" will be included as the hex-encoded
	      PBKDF2-derived password.  (default=off)
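
       An added example, not part of the gsasl manual or the GNU SASL source:
       a Python sketch of the derivation behind the --mkpasswd record,
       following RFC 5802 (PBKDF2, then the "Client Key" and "Server Key"
       HMACs).  The function names, the 12-byte random salt and the skipped
       SASLprep step (ASCII passwords assumed) are assumptions of this
       example; the sample uses the RFC 5802 test-vector password, salt and
       iteration count.

```python
import base64, hashlib, hmac, os

# Hash per mechanism, as named by --mechanism on this page.
HASHES = {"SCRAM-SHA-1": "sha1", "SCRAM-SHA-256": "sha256"}

def mkpasswd(mech, password, salt=None, count=65536, verbose=False):
    """Build a "{mech}count,salt,stored-key,server-key[,salted-password]" record."""
    h = HASHES[mech]
    salt = os.urandom(12) if salt is None else salt  # salt length is this example's choice
    # RFC 5802 Hi() is PBKDF2 with HMAC; SASLprep is skipped (ASCII password assumed).
    salted = hashlib.pbkdf2_hmac(h, password.encode(), salt, count)
    client_key = hmac.new(salted, b"Client Key", h).digest()
    stored_key = hashlib.new(h, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", h).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    fields = [str(count), b64(salt), b64(stored_key), b64(server_key)]
    if verbose:
        fields.append(salted.hex())  # hex-encoded, only with --verbose
    return "{%s}%s" % (mech, ",".join(fields))

def parse(record):
    """Split a record into its fields, rejecting malformed input."""
    if not record.startswith("{") or "}" not in record:
        raise ValueError("missing {mech} prefix")
    mech, rest = record[1:].split("}", 1)
    parts = rest.split(",")
    if mech not in HASHES or len(parts) not in (4, 5):
        raise ValueError("unsupported mechanism or field count")
    return {"mech": mech, "count": int(parts[0]),
            "salt": base64.b64decode(parts[1], validate=True),
            "stored_key": base64.b64decode(parts[2], validate=True),
            "server_key": base64.b64decode(parts[3], validate=True),
            "salted_password": parts[4] if len(parts) == 5 else None}

def check_password(record, password):
    """Re-derive the keys from a candidate password and compare in constant time."""
    r = parse(record)
    again = parse(mkpasswd(r["mech"], password, r["salt"], r["count"]))
    return hmac.compare_digest(again["stored_key"], r["stored_key"])

# Constructed sample: the RFC 5802 test-vector password, salt and count.
SAMPLE = mkpasswd("SCRAM-SHA-1", "pencil",
                  base64.b64decode("QSXCR+Q6sek8bf92"), 4096, verbose=True)
```

       The optional salted-password field is the value that
       --scram-salted-password accepts for authentication, so a server-side
       store needs only the first four fields.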

   Network options:
       --connect=HOST[:PORT]
	      Connect to TCP server and negotiate on stream instead of
	      stdin/stdout.  PORT is the protocol service, or an integer
	      denoting the port, and defaults to 143 (imap) if not specified.
	      Also sets the --hostname default.

   Generic options:
       -d, --application-data
	      After authentication, read data from stdin and run it through
	      the mechanism's security layer and print it base64 encoded to
	      stdout.  The default is to terminate after authentication.
	      (default=on)

       --imap Use an IMAP-like logon procedure (client only).  Also sets the
	      --service default to 'imap'.  (default=off)

       --smtp Use an SMTP-like logon procedure (client only).  Also sets the
	      --service default to 'smtp'.  (default=off)

       -m, --mechanism=STRING
	      Mechanism	to use.

       --no-client-first
	      Disallow client to send data first (client only).	 (default=off)

   SASL	mechanism options (they	are prompted for when required):
       -n, --anonymous-token=STRING
	      Token for anonymous authentication, usually mail address
	      (ANONYMOUS only).

       -a, --authentication-id=STRING
	      Identity of credential owner.

       -z, --authorization-id=STRING
	      Identity to request service for.

       -p, --password=STRING
	      Password for authentication (insecure for	non-testing purposes).

       -r, --realm=STRING
	      Realm. Defaults to hostname.

       --passcode=NUMBER
	      Passcode for authentication (SECURID only).

       --service=STRING
	      Set  the	requested  service name	(should	be a registered	GSSAPI
	      host based service name).

       --hostname=STRING
	      Set the name of the server with the requested service.

       --service-name=STRING
	      Set the generic server name in case of a replicated server
	      (DIGEST-MD5 only).

       --enable-cram-md5-validate
	      Validate CRAM-MD5 challenge and response interactively.
	      (default=off)

       --disable-cleartext-validate
	      Disable cleartext validate hook, forcing server to prompt for
	      password.  (default=off)

       --quality-of-protection=TYPE
	      How application payload will be protected.  'qop-auth' means no
	      protection, 'qop-int' means integrity protection, 'qop-conf'
	      means integrity and confidentiality protection.  Currently only
	      used by DIGEST-MD5, where the default is 'qop-int'.

       --iteration-count=NUMBER
	      Indicate PBKDF2 hash iteration count (SCRAM only).
	      (default=`65536')

       --salt=B64DATA
	      Indicate PBKDF2 salt as base64-encoded string (SCRAM only).

       --scram-salted-password=STRING
	      Salted SCRAM password for authentication (SCRAM only; 40 hex
	      characters for SCRAM-SHA-1 and 64 characters for SCRAM-SHA-256).

   STARTTLS options:
       --starttls
	      Force use	of STARTTLS.  The default  is  to  use	STARTTLS  when
	      available.  (default=off)

       --no-starttls
	      Unconditionally disable STARTTLS.	 (default=off)

       --no-cb
	      Don't use	channel	bindings from TLS.  (default=off)

       --x509-ca-file=FILE
	      File containing one or more X.509 Certificate Authorities
	      certificates in PEM format, used to verify the certificate
	      received from the server.  If not specified, verification uses
	      system trust settings.  If FILE is the empty string, don't fail
	      on X.509 server certificates verification errors.

       --x509-cert-file=FILE
	      File containing client X.509 certificate in  PEM	format.	  Used
	      together	with  --x509-key-file  to  specify the certificate/key
	      pair.

       --x509-key-file=FILE
	      Private key for the client X.509 certificate in PEM format.
	      Used together with --x509-cert-file to specify the
	      certificate/key pair.

       --priority=STRING
	      Cipher priority string.

   Other options:
       --verbose
	      Produce verbose output.  (default=off)

       --quiet
	      Don't produce any	diagnostic output.  (default=off)

AUTHOR
       Written by Simon	Josefsson.

REPORTING BUGS
       Report bugs to: bug-gsasl@gnu.org
       GNU SASL	home page: <https://www.gnu.org/software/gsasl/>
       General help using GNU software:	<https://www.gnu.org/gethelp/>

COPYRIGHT
       Copyright (C) 2025 Simon	Josefsson.  License GPLv3+: GNU	GPL version  3
       or later	<https://gnu.org/licenses/gpl.html>.
       This  is	 free  software:  you  are free	to change and redistribute it.
       There is	NO WARRANTY, to	the extent permitted by	law.

SEE ALSO
       The full	documentation for gsasl	is maintained as a Texinfo manual.  If
       the info	and gsasl programs are properly	installed at  your  site,  the
       command

	      info gsasl

       should give you access to the complete manual.

GNU SASL 2.2.2			  March	2025			      GSASL(1)
