Provided by: condor_23.9.6+dfsg-2.1_amd64 bug

NAME
       condor_store_cred - HTCondor Manual

       securely stash a credential


SYNOPSIS
       condor_store_cred -h

       condor_store_cred action [ options ]


DESCRIPTION
       condor_store_cred  stores  credentials  in  a  secure manner.  There are three actions, each of which can
       optionally be followed by a hyphen and one of three types.

       The actions are:

          add[-type]
                 Add credential to secure storage

          delete[-type]
                 Remove credential from secure storage

          query[-type]
                 Check if a credential has been stored

       The types are:

          -pwd   Credential is a password (default)

          -krb   Credential is a Kerberos/AFS token

          -oauth Credential is Scitoken or Oauth2 token

       Credentials are stashed in a persistent manner; they are maintained across system reboots.  When adding a
       credential, if there is already a credential stashed, the old credential will be overwritten by  the  new
       one.

       There are two separate uses of the password actions of condor_store_cred:

       1. A  shared  pool  password  is  needed  in  order  to  implement  the  PASSWORD  authentication method.
          condor_store_cred   using   the   -c   option   deals   with   the   password    for    the    implied
          condor_pool@$(UID_DOMAIN) user name.

          On a Unix machine, condor_store_cred add[-pwd] with the -f option is used to set the pool password, as
          needed  when  used  with  the  PASSWORD  authentication  method. The pool password is placed in a file
          specified by the SEC_PASSWORD_FILE configuration variable.

       2. In order to submit a job from a Windows platform machine, or to execute a job on  a  Windows  platform
          machine utilizing the run_as_owner functionality, condor_store_cred add[-pwd] stores the password of a
          user/domain  pair  securely  in  the Windows registry. Using this stored password, HTCondor may act on
          behalf of the submitting user to access files, such as writing output or log files. HTCondor  is  able
          to  run jobs with the user ID of the submitting user. The password is stored in the same manner as the
          system does when setting or changing account passwords.

       Unless the -p argument is used with the add or add-pwd action, the user is prompted to enter the password
       twice for confirmation, and characters are not echoed.

       The add-krb and add-oauth actions must be used with the -i argument to specify a filename to read from.

       The -oauth actions require a -s service name argument.  The -S and -A options may be used with  add-oauth
       to  add  scopes  and/or  audience  to the credentials or with query-oauth to make sure that the scopes or
       audience match the previously stored credentials.  If either -S or -A are used then the credentials  must
       be in JSON format.


OPTIONS
          -h     Displays a brief summary of command options.

          -c     [-pwd] actions refer to the pool password, as used in the PASSWORD authentication method.

          -f filename
                 For Unix machines only, generates a pool password file named filename that may be used with the
                 PASSWORD authentication method.

          -i filename
                 Read  credential  from  filename.  If filename is -, read from stdin.  Required for add-krb and
                 add-oauth.

          -s service
                 The Oauth2 service.  Required for all -oauth actions.

          -H handle
                 Specify a handle for the given OAuth2 service.

          -S scopes
                 Optional comma-separated list of scopes to request for add-oauth  action.   If  used  with  the
                 query-oauth  action, makes sure that the same scopes were requested in the original credential.
                 Requires credentials to be in JSON format.

          -A audience
                 Optional audience to request for add-oauth action.  If used with the query-oauth action,  makes
                 sure  that the same audience was requested in the original credential.  Requires credentials to
                 be in JSON format.

          -n machinename
                 Apply the command on the given machine.

          -p password
                 Stores password, rather than prompting the user to enter a password.

          -u username
                 Specify the user name.


EXIT STATUS
       condor_store_cred will exit with a status value of 0 (zero) upon  success.   If  the  query-oauth  action
       finds  a  credential  but  the  scopes or audience don't match, condor_store_cred will exit with a status
       value 2 (two).  Otherwise, it will exit with the value 1 (one) upon failure.


AUTHOR
       HTCondor Team


COPYRIGHT
       1990-2024, Center for High Throughput Computing, Computer Sciences Department, University  of  Wisconsin-
       Madison, Madison, WI, US. Licensed under the Apache License, Version 2.0.

                                                  Jun 20, 2025                              CONDOR_STORE_CRED(1)