myproxy-retrieve - retrieve an end-entity credential
myproxy-retrieve [ options ]
The myproxy-retrieve command retrieves a credential
directly from the myproxy-server(8) that was previously stored using
myproxy-init(1) or myproxy-store(1). Unlike
myproxy-logon(1), this command transfers the private key in the
repository over the network (over a private channel). To obtain a proxy
credential, we recommend using myproxy-logon(1) instead.
In the default mode, the command prompts for the pass phrase
associated with the credential to be retrieved and stores the retrieved
credential in the standard location ( ~/.globus/usercert.pem and
~/.globus/userkey.pem). You could then run grid-proxy-init to
create a proxy credential from the retrieved credentials.
- -h, --help
- Displays command usage text and exits.
- -u, --usage
- Displays command usage text and exits.
- -v, --verbose
- Enables verbose debugging output to the terminal.
- -V, --version
- Displays version information and exits.
- -s hostname[:port],
--pshost hostname[:port]
- Specifies the hostname(s) of the myproxy-server(s). Multiple hostnames,
each hostname optionally followed by a ':' and port number, may be
specified in a comma-separated list. This option is required if the
MYPROXY_SERVER environment variable is not defined. If specified,
this option overrides the MYPROXY_SERVER environment variable. If a
port number is specified with a hostname, it will override the -p option
as well as the MYPROXY_SERVER_PORT environment variable for that
host.
- -p port,
--psport port
- Specifies the TCP port number of the myproxy-server(8). Default:
7512
- -l username,
--username username
- Specifies the MyProxy account under which the credential to retrieve is
stored. By default, the command uses the value of the LOGNAME
environment variable. Use this option to specify a different account
username on the MyProxy server. The MyProxy username need not correspond
to a real Unix username.
- -d,
--dn_as_username
- Use the certificate subject (DN) as the default username, instead of the
LOGNAME environment variable. When used with the -a option,
the certificate subject of the authorization credential is used.
Otherwise, the certificate subject of the default credential is used.
- -t hours,
--proxy_lifetime hours
- Specifies the lifetime of credentials retrieved from the
myproxy-server(8) using the stored credential. The resulting
lifetime is the shorter of the requested lifetime and the lifetime
specified when the credential was stored using myproxy-init(1).
Default: 12 hours
- -c filename,
--certfile filename
- Specifies the filename of where the certificate will be stored.
- -y filename,
--keyfile filename
- Specifies the filename of where the private key will be stored.
- -a file,
--authorization file
- Use this option to specify an existing, valid credential that you want to
renew. Renewing a credential generally requires two certificate-based
authentications. The client authenticates with its identity, using the
credential in the standard location or specified by X509_USER_PROXY
or X509_USER_CERT and X509_USER_KEY in addition to
authenticating with the existing credential, in the location specified by
this option, that it wants to renew.
- -k name,
--credname name
- Specifies the name of the credential that is to be retrieved or
renewed.
- -S, --stdin_pass
- By default, the command prompts for a passphrase and reads the passphrase
from the active tty. When running the command non-interactively, there may
be no associated tty. Specifying this option tells the command to read
passphrases from standard input without prompts or confirmation.
- -T, --trustroots
- Retrieve CA certificates directory from server (if available) to store in
the location specified by the X509_CERT_DIR environment variable if
set or /etc/grid-security/certificates if running as root or
~/.globus/certificates if running as non-root.
- -n,
--no_passphrase
- Don't prompt for a credential passphrase. Use other methods for
authentication, such as Kerberos ticket or X.509 certificate.
0 on success, >0 on error
- GLOBUS_GSSAPI_NAME_COMPATIBILITY
- This client will, by default, perform a reverse-DNS lookup to determine
the FQHN (Fully Qualified Host Name) to use in verifying the identity of
the server by checking the FQHN against the CN in server's certificate.
Setting this variable to STRICT_RFC2818 will cause the reverse-DNS
lookup to NOT be performed and the user-specified name to be used instead.
This variable setting will be ignored if MYPROXY_SERVER_DN
(described later) is set.
- MYPROXY_SERVER
- Specifies the hostname(s) where the myproxy-server(8) is running.
Multiple hostnames can be specified in a comma separated list with each
hostname optionally followed by a ':' and port number. This environment
variable can be used in place of the -s option.
- MYPROXY_SERVER_PORT
- Specifies the port where the myproxy-server(8) is running. This
environment variable can be used in place of the -p option.
- MYPROXY_SERVER_DN
- Specifies the distinguished name (DN) of the myproxy-server(8). All
MyProxy client programs authenticate the server's identity. By default,
MyProxy servers run with host credentials, so the MyProxy client programs
expect the server to have a distinguished name with
"/CN=host/<fqhn>" or "/CN=myproxy/<fqhn>"
or "/CN=<fqhn>" (where <fqhn> is the fully-qualified
hostname of the server). If the server is running with some other DN, you
can set this environment variable to tell the MyProxy clients to accept
the alternative DN. Also see GLOBUS_GSSAPI_NAME_COMPATIBILITY
above.
- MYPROXY_TCP_PORT_RANGE
- Specifies a range of valid port numbers in the form "min,max"
for the client side of the network connection to the server. By default,
the client will bind to any available port. Use this environment variable
to restrict the ports used to a range allowed by your firewall. If unset,
MyProxy will follow the setting of the GLOBUS_TCP_PORT_RANGE
environment variable.
- X509_USER_CERT
- Specifies a non-standard location for the certificate to be used for
authentication to the myproxy-server(8). Also specifies the
location for where the retrieved certificate will be stored unless the
-c option is given.
- X509_USER_KEY
- Specifies a non-standard location for the private key to be used for
authentication to the myproxy-server(8). Also specifies the
location for where the retrieved private key will be stored unless the
-y option is given.
- X509_USER_PROXY
- Specifies a non-standard location for the proxy credential to be used for
authentication to the myproxy-server(8).
- X509_CERT_DIR
- Specifies a non-standard location for the CA certificates directory.
See http://grid.ncsa.illinois.edu/myproxy/about for the
list of MyProxy authors.
myproxy-change-pass-phrase(1), myproxy-destroy(1),
myproxy-get-trustroots(1), myproxy-info(1),
myproxy-init(1), myproxy-logon(1), myproxy-store(1),
myproxy-server.config(5), myproxy-admin-adduser(8),
myproxy-admin-change-pass(8),
myproxy-admin-load-credential(8), myproxy-admin-query(8),
myproxy-server(8)