myproxy-logon(1)                    MyProxy                   myproxy-logon(1)




NAME

       myproxy-logon - retrieve a credential


SYNOPSIS

       myproxy-logon [ options ]

       myproxy-get-delegation [ options ]


DESCRIPTION

       The myproxy-logon command retrieves a proxy credential from the
       myproxy-server(8) that was previously stored using myproxy-init(1) or
       myproxy-store(1).  It can also be used to retrieve short-lived end
       entity credentials from a myproxy-server(8) configured to act as a
       Certificate Authority.  In the default mode, the command prompts for
       the MyProxy pass phrase associated with the credential to be retrieved
       and stores the retrieved credential in the location specified by the
       X509_USER_PROXY environment variable or /tmp/x509up_u<uid> if that
       environment variable is not set.

       The myproxy-logon command is also available under the name
       myproxy-get-delegation for backward compatibility.


OPTIONS

       -h, --help
              Displays command usage text and exits.

       -u, --usage
              Displays command usage text and exits.

       -v, --verbose
              Enables verbose debugging output to the terminal.

       -V, --version
              Displays version information and exits.

       -s hostname[:port], --pshost hostname[:port]
              Specifies the hostname(s) of the myproxy-server(s).  Multiple
              hostnames, each hostname optionally followed by a ':' and port
              number, may be specified in a comma-separated list.  This
              option is required if the MYPROXY_SERVER environment variable
              is not defined.  If specified, this option overrides the
              MYPROXY_SERVER environment variable.  If a port number is
              specified with a hostname, it will override the -p option as
              well as the MYPROXY_SERVER_PORT environment variable for that
              host.

       -p port, --psport port
              Specifies   the   TCP  port  number  of  the  myproxy-server(8).
              Default: 7512

       -l username, --username username
              Specifies the MyProxy account  under  which  the  credential  to
              retrieve  is  stored.  By default, the command uses the value of
              the LOGNAME environment variable.  Use this option to specify  a
              different  account  username on the MyProxy server.  The MyProxy
              username need not correspond to a real Unix username.

       -d, --dn_as_username
              Use the certificate subject (DN) as the default username,
              instead of the LOGNAME environment variable.  When used with
              the -a option, the certificate subject of the authorization
              credential is used.  Otherwise, the certificate subject of the
              default credential is used.

       -t hours, --proxy_lifetime hours
              Specifies the lifetime of credentials retrieved from the
              myproxy-server(8) using the stored credential.  The resulting
              lifetime is the shorter of the requested lifetime and the
              lifetime specified when the credential was stored using
              myproxy-init(1).  Default: 12 hours

       -o file, --out file
              Specifies where the retrieved proxy credential should be
              stored.  If this option is not specified, the proxy credential
              will be stored in the location specified by the X509_USER_PROXY
              environment variable or /tmp/x509up_u<uid> if that environment
              variable is not set.  To write the credential to the command's
              standard output rather than to a file, use -o -.

       -a file, --authorization file
              Use this option to specify an existing, valid credential that
              you want to renew.  Renewing a credential generally requires
              two certificate-based authentications.  The client
              authenticates with its identity, using the credential in the
              standard location or specified by the X509_USER_PROXY or
              X509_USER_CERT and X509_USER_KEY environment variables, in
              addition to authenticating with the existing credential that
              it wants to renew, in the location specified by this option.

       -k name, --credname name
              Specifies the name of the credential that is to be retrieved  or
              renewed.

       -S, --stdin_pass
              By default, the command prompts for a passphrase and reads the
              passphrase from the active tty.  When running the command
              non-interactively, there may be no associated tty.  Specifying
              this option tells the command to read passphrases from standard
              input without prompts or confirmation.

       -n, --no_passphrase
              Don't prompt for a credential passphrase.  Use other methods
              for authentication, such as a Kerberos ticket or an X.509
              certificate.  This option is implied by -a since passphrase
              authentication is not used for credential renewal.

       -T, --trustroots
              Retrieve the CA certificates directory from the server (if
              available) and store it in the location specified by the
              X509_CERT_DIR environment variable if set, or in
              /etc/grid-security/certificates if running as root, or in
              ~/.globus/certificates if running as non-root.

       -b, --bootstrap
              Unless this option is specified, if the X509_CERT_DIR
              directory exists and the CA that signed the myproxy-server(8)
              certificate is not trusted, myproxy-logon will fail with an
              error, to protect against man-in-the-middle attacks.  If this
              option is specified, myproxy-logon will instead accept the CA
              to bootstrap trust.  This option implies -T.

       -q, --quiet
              Only write output messages on error.

       -N, --no_credentials
              Authenticate only.  Don't retrieve credentials.

       -m voms, --voms voms
              Add VOMS attributes to the credential by running voms-proxy-init
              on  the  client-side  after  retrieving  the credential from the
              myproxy-server(8).  The  VOMS  VO  name  must  be  provided,  as
              required  by voms-proxy-init -voms.  The voms-proxy-init command
              must also be installed and configured to use this  option.   For
              example,  the  VOMS_USERCONF environment variable may need to be
              set for voms-proxy-init to run correctly.

       -Q file, --certreq file
              Specify the path to a PEM-formatted certificate request to use
              when requesting a certificate from the myproxy-server(8),
              rather than allowing myproxy-logon to generate the private key
              and certificate request itself.  In this case, myproxy-logon
              will not output a private key but will only output the signed
              certificate and (as needed) certificate chain.  To read the
              certificate request from standard input rather than from a
              file, use -Q -.


EXIT STATUS

       0 on success, >0 on error


ENVIRONMENT

       GLOBUS_GSSAPI_NAME_COMPATIBILITY
              This client will, by default, perform a reverse-DNS lookup to
              determine the FQHN (Fully Qualified Host Name) to use in
              verifying the identity of the server by checking the FQHN
              against the CN in the server's certificate.  Setting this
              variable to STRICT_RFC2818 will cause the reverse-DNS lookup to
              NOT be performed and the user-specified name to be used
              instead.  This variable setting will be ignored if
              MYPROXY_SERVER_DN (described later) is set.

       MYPROXY_SERVER
              Specifies the hostname(s) where the myproxy-server(8) is
              running.  Multiple hostnames can be specified in a
              comma-separated list with each hostname optionally followed by
              a ':' and port number.  This environment variable can be used
              in place of the -s option.

       MYPROXY_SERVER_PORT
              Specifies the port where the myproxy-server(8) is running.  This
              environment variable can be used in place of the -p option.

       MYPROXY_SERVER_DN
              Specifies the distinguished name (DN) of the myproxy-server(8).
              All MyProxy client programs authenticate the server's identity.
              By default, MyProxy servers run with host credentials, so the
              MyProxy client programs expect the server to have a
              distinguished name with "/CN=host/<fqhn>" or
              "/CN=myproxy/<fqhn>" or "/CN=<fqhn>" (where <fqhn> is the
              fully-qualified hostname of the server).  If the server is
              running with some other DN, you can set this environment
              variable to tell the MyProxy clients to accept the alternative
              DN.  Also see GLOBUS_GSSAPI_NAME_COMPATIBILITY above.

       MYPROXY_TCP_PORT_RANGE
              Specifies  a  range  of valid port numbers in the form "min,max"
              for the client side of the network connection to the server.  By
              default,  the  client will bind to any available port.  Use this
              environment variable to restrict  the  ports  used  to  a  range
              allowed  by  your  firewall.   If unset, MyProxy will follow the
              setting of the GLOBUS_TCP_PORT_RANGE environment variable.

       X509_USER_CERT
              Specifies a non-standard location for the certificate to be used
              for authentication to the myproxy-server(8).

       X509_USER_KEY
              Specifies a non-standard location for the private key to be used
              for authentication to the myproxy-server(8).

       X509_USER_PROXY
              Specifies a non-standard location for the proxy credential to
              be used for authentication to the myproxy-server(8).  Also
              specifies the output location for the proxy credential to be
              retrieved from the myproxy-server(8) unless the -o option is
              given.

       X509_CERT_DIR
              Specifies a non-standard location for the CA certificates
              directory.

       MYPROXY_KEYBITS
              Specifies the size for RSA keys generated by MyProxy.  By
              default, MyProxy generates 2048 bit RSA keys.  Set this
              environment variable to "1024" for 1024 bit RSA keys.
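

EXAMPLES

       The following added example (not part of the original manual page or
       of the MyProxy distribution) retrieves a credential non-interactively
       using the -S, -o and -t options and the
       GLOBUS_GSSAPI_NAME_COMPATIBILITY setting described above.  The
       MYPROXY_LOGON_BIN variable, the function names and the owner-only
       pass phrase file are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the MyProxy distribution.
# Assumptions: MYPROXY_LOGON_BIN (hypothetical override for the command
# path) and a pass phrase kept in an owner-only file.

# is_private FILE: true if FILE exists and group/other have no access.
is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# fetch_proxy SERVER USERNAME PASSFILE OUTFILE [HOURS]
fetch_proxy() {
    server=$1; user=$2; passfile=$3; out=$4; hours=${5:-12}
    bin=${MYPROXY_LOGON_BIN:-myproxy-logon}

    if ! is_private "$passfile"; then
        echo "refusing: $passfile missing or accessible to group/other" >&2
        return 2
    fi
    (
        umask 077   # anything the command creates is owner-only
        # Verify the server against the name given with -s, without the
        # reverse-DNS lookup (ignored if MYPROXY_SERVER_DN is set).
        GLOBUS_GSSAPI_NAME_COMPATIBILITY=STRICT_RFC2818
        export GLOBUS_GSSAPI_NAME_COMPATIBILITY
        # -S reads the pass phrase from stdin, so it never appears in argv.
        # -b is deliberately absent: an untrusted server CA stays an error.
        "$bin" -s "$server" -l "$user" -t "$hours" -S -q -o "$out" \
            < "$passfile"
    ) || return 1
    # The output file holds a private key; confirm nobody else can read it.
    if ! is_private "$out"; then
        echo "error: $out is not owner-only" >&2
        return 3
    fi
}

# Run as a script: fetch_proxy.sh SERVER USERNAME PASSFILE OUTFILE [HOURS]
if [ $# -ge 4 ]; then
    fetch_proxy "$@"
fi
```

       The function returns 2 without contacting the server when the pass
       phrase file is readable by group or others, and 3 when the retrieved
       credential file is not owner-only.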


AUTHORS

       See http://myproxy.ncsa.uiuc.edu/about for the list of MyProxy authors.


SEE ALSO

       myproxy-change-pass-phrase(1), myproxy-destroy(1),
       myproxy-get-trustroots(1), myproxy-info(1), myproxy-init(1),
       myproxy-retrieve(1), myproxy-server.config(5), myproxy-store(1),
       myproxy-admin-adduser(8), myproxy-admin-change-pass(8),
       myproxy-admin-load-credential(8), myproxy-admin-query(8),
       myproxy-server(8)



MyProxy                           2010-09-09                  myproxy-logon(1)
