Provided by: gsasl_2.2.1-1willsync1build2_amd64 
NAME
gsasl - SASL library command line interface
SYNOPSIS
gsasl [OPTION]... [HOST [PORT]]...
DESCRIPTION
Authenticate user to a server using Simple Authentication and Security Layer. Currently IMAP and SMTP
servers are supported. This is a command line interface for the GNU SASL library.
-h, --help
Print help and exit
-V, --version
Print version and exit
Commands:
-c, --client
Act as client. (default=on)
-s, --server
Act as server. (default=off)
--client-mechanisms
Write name of supported client mechanisms separated by space to stdout. (default=off)
--server-mechanisms
Write name of supported server mechanisms separated by space to stdout. (default=off)
-k, --mkpasswd
Derive password. Provide --mechanism as SCRAM-SHA-1 or SCRAM-SHA-256. The required inputs are
password (through --password or read from terminal) and optional inputs are iteration count
(through --iteration-count, or defaulting to 65536) and salt (through --salt, or generated
randomly). The output is a string of the form
"{mech}count,salt,stored-key,server-key[,salted-password]" where "mech" is the mechanism, "count"
is the number of times password was hashed, "salt" is the provided/generated base64-encoded salt,
"stored-key" and "server-key" are the two derived and base64-encoded server-side keys. When
--verbose is provided, "salted-password" will be included as the hex-encoded PBKDF2-derived
password. (default=off)
Network options:
--connect=HOST[:PORT]
Connect to TCP server and negotiate on stream instead of stdin/stdout. PORT is the protocol
service, or an integer denoting the port, and defaults to 143 (imap) if not specified. Also sets
the --hostname default.
Generic options:
-d, --application-data
After authentication, read data from stdin and run it through the mechanism's security layer and
print it base64 encoded to stdout. The default is to terminate after authentication. (default=on)
--imap Use a IMAP-like logon procedure (client only). Also sets the --service default to 'imap'.
(default=off)
--smtp Use a SMTP-like logon procedure (client only). Also sets the --service default to 'smtp'.
(default=off)
-m, --mechanism=STRING
Mechanism to use.
--no-client-first
Disallow client to send data first (client only). (default=off)
SASL mechanism options (they are prompted for when required):
-n, --anonymous-token=STRING
Token for anonymous authentication, usually mail address (ANONYMOUS only).
-a, --authentication-id=STRING
Identity of credential owner.
-z, --authorization-id=STRING Identity to request service for.
-p, --password=STRING
Password for authentication (insecure for non-testing purposes).
-r, --realm=STRING
Realm. Defaults to hostname.
--passcode=NUMBER
Passcode for authentication (SECURID only).
--service=STRING
Set the requested service name (should be a registered GSSAPI host based service name).
--hostname=STRING
Set the name of the server with the requested service.
--service-name=STRING
Set the generic server name in case of a replicated server (DIGEST-MD5 only).
--enable-cram-md5-validate
Validate CRAM-MD5 challenge and response
interactively.
(default=off)
--disable-cleartext-validate
Disable cleartext validate hook, forcing server
to prompt for password.
(default=off)
--quality-of-protection=TYPE
How application payload will be protected.
'qop-auth' means no protection, 'qop-int'
means integrity protection, 'qop-conf' means integrity and confidentialiy protection. Currently
only used by DIGEST-MD5, where the default is 'qop-int'.
--iteration-count=NUMBER
Indicate PBKDF2 hash iteration count (SCRAM only). (default=`65536')
--salt=B64DATA
Indicate PBKDF2 salt as base64-encoded string (SCRAM only).
--scram-salted-password=STRING
Salted SCRAM password for authentication (SCRAM
only; 40 hex characters for SCRAM-SHA-1 and
64 characters for SCRAM-SHA-256).
STARTTLS options:
--starttls
Force use of STARTTLS. The default is to use STARTTLS when available. (default=off)
--no-starttls
Unconditionally disable STARTTLS. (default=off)
--no-cb
Don't use channel bindings from TLS. (default=off)
--x509-ca-file=FILE
File containing one or more X.509 Certificate Authorities certificates in PEM format, used to
verify the certificate received from the server. If not specified, verification uses system trust
settings. If FILE is the empty string, don't fail on X.509 server certificates verification
errors.
--x509-cert-file=FILE
File containing client X.509 certificate in PEM format. Used together with --x509-key-file to
specify the certificate/key pair.
--x509-key-file=FILE
Private key for the client X.509 certificate in PEM format. Used together with --x509-key-file to
specify the certificate/key pair.
--priority=STRING
Cipher priority string.
Other options:
--verbose
Produce verbose output. (default=off)
--quiet
Don't produce any diagnostic output. (default=off)
AUTHOR
Written by Simon Josefsson.
REPORTING BUGS
Report bugs to: bug-gsasl@gnu.org
GNU SASL home page: <https://www.gnu.org/software/gsasl/>
General help using GNU software: <https://www.gnu.org/gethelp/>
COPYRIGHT
Copyright © 2024 Simon Josefsson. License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent
permitted by law.
SEE ALSO
The full documentation for gsasl is maintained as a Texinfo manual. If the info and gsasl programs are
properly installed at your site, the command
info gsasl
should give you access to the complete manual.
GNU SASL 2.2.0.35-d394d January 2024 GSASL(1)