Authentication

If the server you are attempting to contact requires authentication, you will need to supply a username and password.  The username should be added in front of the server name with an @ character in between.  You will then be prompted to enter a password.

movedat user@example.com:/path/downloadme /local/destination

You may also specify the password on the command line by adding a colon after the username.

movedat user:passwd@example.com:/path/downloadme /local/destination

This is useful in scripts, but is not generally recommended as it could allow your password to be viewed by other persons using your system and some password characters may conflict with the command line syntax.  Instead, it is recommended that you use the Password Storage method below when preparing for scripts.

movedat will not prompt for a password if the terminal is non-interactive (except for -A).  For example, if it is run within a script and the password cannot be found in the cache or on the command line, movedat will fail immediately with an authentication error.

The username and password are always encrypted when communicating with the server, even when content encryption is not enabled.

Characters

Usernames and passwords must each be less than 63 bytes when UTF-8 encoded.

Usernames and passwords should consist of only ASCII letters, numbers, and printable symbols.  The use of other characters, such as extended unicode characters, may work in some environments but is not assured and may compromise security.

Windows Domains

If the server is running on a Windows system with Active Directory or LDAP enabled, you may specify an authentication domain by using the "-W" option.  For example:

movedat -W domain username@example.com:/path/downloadme /local/destination

When using Shadow Authentication, the username field of AuthFile must match "username@domain" and is case sensitive.  When using "-W" with a non-windows server, the username will be presented as "username@domain", which may or may not make sense to the operating system.

TOTP Multifactor Authentication

User accounts with TOTP enabled require the use of the "-V" option to start a TOTP session.  With this option, the user will be prompted to enter a TOTP code.  For example:

movedat -V user@example.com: Password for user@example.com: Enter TOTP: 999999

If the code and password are successfully validated, and password caching is enabled, then subsequent transactions to the same user and server will be authenticated into the same session.  The "-V" option should not be used again until there is a need to start a new session.  For example, when contacting a different server or after the current session as expired, use "-V" to prompt for a new code.

movedat allows you to establish sessions with multiple users and servers.  Each session will persist for as long as the credentials remain in the client password cache or until the server purges the TOTP session.  When used with a host group, you will need to enter a new TOTP code whenever a new server is selected from the group.

Password Caching

movedat will encrypt and store the password for each combination of username, host IP address, and port number so that you do not need to retype it every time.  This includes valid TOTP session tokens.  Cached credentials remain valid for four hours or until the server returns an authentication error.

Credentials are automatically cached only after an operation completes successfully.  A "Bad Credentials" or "MFA token" error will invalidate a cache entry.

You may disable caching by using the -C option or the NoPWCache configuration variable.  Doing so will require that you provide a password and, if applicable, TOTP code for every invocation of movedat.

In unix systems, the password cache is $HOME/.dei-pwcache3.  In Windows, it is %APPDATA%\DEI\dei-pwcache3.dat.  You may reset the cache by deleting this file.

The contents of the password cache are encrypted.  To view an index of currently cached credentials, enable diagnostics with " -d 1 " in any authenticated movedat command.  For example:

# movedat -d 1 user@example.com: Seeking /Users/me/.dei-pwcache3 Cached user@69.60.121.178:8080 PERMANENT Expired user@192.168.1.1:8080 Password for user@example.com: Caching password for user@192.168.1.1:8080

Password Storage

Passwords may be permanently stored in the encrypted dei-pwcache3 file.  This is useful for scripts or frequently accessed servers.

Use the -A command line option to add to a set of credentials to storage:

movedat [-p port] [-W domain] -A user[:password]@example.com:

The username, port number, domain if present, and server IP address must match for the credentials to be used.  When using "-W" to specify a domain, this must come before -A on the command line.  If you do not specify a port, the default 8080 will be assumed.  If you do not specify a password, you will be prompted for one.  For example:

movedat -A username@example.com:

If the password contains special characters that conflict with the command syntax, such as an @, or to avoid placing the password on the command line in a script, you may pipe the password instead:

cat password.txt | movedat -A username@example.com:

To expire and remove credentials, including those cached temporarily, use the -E command line option:

movedat [-p port] -E username@example.com:

A password entry will be automatically removed from storage if the server returns a "Bad Credentials" or "MFA token" error.