6 subauth - A client to the sub-authentication service
11 *subauth* 'options' 'operation'
16 The sub-authentication service lets local users define sub-accounts
17 with different authentication tokens for specific services.
19 The system administrator defines one or more authentication zones,
20 each corresponding to a set of system services. You can use *subauth --zones*
21 to list all existing zones.
23 Each zone can contain an account for each system user. Depending on the
24 configuration of the zone, accounts can be managed manually by the administrator,
25 or they can be created automatically when the user sets an authentication
28 Every account can be endowed with one of more authentication tokens
29 of the following types. Depending on the configuration, all types need
30 not be available in all zones.
32 * *Password:* a user-specified string, usually easy to remember, but hard to
33 guess. This is useful when authenticating manually. Please note that the
34 password must not contain a "+-+" (minus) character, because it is used
35 as a separator in other token types. There may be at most one password
36 per account. You can use *subauth --passwd* to set a password
37 and *subauth --delete-passwd* to remove it.
39 * *Regular token:* such tokens are generated automatically. They consist
40 of a public identifier (4 hexadecimal digits) and a random secret string.
41 Multiple tokens can be defined for the same account, their public identifiers
42 and optional comments can be listed by the user. This can be useful if you
43 want to let multiple programs remember your credentials: each program can
44 get a unique token and when it ceases to be trusted, the token can be simply
45 removed. Use *subauth --create-token* to have a token generated and *subauth --delete-token*
48 * *Temporary token:* this is a randomly generated cryptographically signed string,
49 allowing access to the given user in the given zone for a limited time. Temporary tokens
50 can be useful for services which are used so scarcely that it does not make
51 sense to remember permanent credentials of any kind. Use *subauth --temp-token*
52 to obtain a temporary token. You can set how long will the token be valid
53 up to a limit configured by the administrator for the given zone.
55 The sub-accounts are managed by the *subauthd*(8) daemon.
56 The *subauth*(1) command is a front-end to this daemon, through which
57 accounts and tokens can be managed from the shell.
65 List all known authentication zones.
68 List all accounts of the current user (this can be the user running the
69 command, or a different user given as *--user* if ran by the super-user).
72 Set or replace a password for the given account. Requires *--zone*.
75 Delete password for the given account. Requires *--zone*.
78 Create a new token for the given account. Requires *--zone*.
79 Optionally, a *--comment* can be given.
82 Delete a given token. Requires *--zone* and *--ident*.
85 Change parameters of an existing token. Currently, only the comment
86 can be changed; setting to an empty string removes the comment.
87 Requires *--zone* and *--ident*.
90 Create a temporary token. Requires *--zone*.
91 Optionally, token validity can be set with *--expire* (otherwise,
92 a default of 5 minutes will be used).
95 Test if a given password or token (read from standard input) is valid
96 in the given zone. Requires *--zone*. Optionally, you can specify a *--user*
97 to test somebody else's credentials.
99 *--allow-passwd-auth*::
100 Allow administration of our account in a given zone to anybody, who
101 knows our password. Requires *--zone*. Depending on the local setup,
102 this may for example enable passowrd changes from webmail interface.
104 *--disallow-passwd-auth*::
105 Prevent other users from administration of our account in a given zone
106 using password authentication. Requires *--zone*.
108 *Administrator commands*
111 Create an account for the current user in the given zone. Requires *--zone*
115 Delete an account for the current user in the given zone. Requires *--zone*
119 Deletes all accounts of the current user. Requires *--user*.
124 *-u, --user=*'login'::
125 Operate on the given user instead of the user running the command.
126 Only the super-user can operate on somebody else.
128 *-z, --zone=*'zone'::
129 Specify authentication zone. This is required by most operations.
132 Specify token identifier. An asterisk can be used for "all tokens".
134 *-c, --comment=*'text'::
135 When creating a token, remember this comment with the token. Comments
136 make it easier to recognize the intentions behind different tokens.
138 *-x, --expire=*'time'::
139 Set lifetime of a temporary token. The time is followed by a unit,
140 which is either "*h*", "*m*", or "*s*". Maximum lifetime can be limited
141 by zone configuration.
144 Ask for target user's account passowrd to authorize the operation.
145 Note that password authentication has to be explicitly enabled on
146 target account. Requires *--zone* and *--user*.
149 Communicate with the subauth daemon through the given socket instead
153 For wizards: Dump raw communication with the daemon.