manpagez: man pages & more
man kinit(1)
Home | html | info | man
kinit(1)                         MIT Kerberos                         kinit(1)


       kinit - obtain and cache Kerberos ticket-granting ticket


       kinit  [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
       [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-i | -t keytab_file]]  [-c
       cache_name]  [-n] [-S service_name] [-I input_ccache] [-T armor_ccache]
       [-X attribute[=value]] [--request-pac | --no-request-pac] [principal]


       kinit obtains and caches an initial ticket-granting ticket for  princi-
       pal.   If  principal  is absent, kinit chooses an appropriate principal
       name based on existing credential cache contents or the local  username
       of  the user invoking kinit.  Some options modify the choice of princi-
       pal name.


       -V     display verbose output.

       -l lifetime
              (duration string.)  Requests a ticket with  the  lifetime  life-

              For example, kinit -l 5:30 or kinit -l 5h30m.

              If  the  -l option is not specified, the default ticket lifetime
              (configured by each site) is used.  Specifying a ticket lifetime
              longer  than  the  maximum  ticket  lifetime (configured by each
              site) will not override the configured maximum ticket  lifetime.

       -s start_time
              (duration  string.)   Requests  a  postdated  ticket.  Postdated
              tickets are issued with the invalid flag set,  and  need  to  be
              resubmitted to the KDC for validation before use.

              start_time specifies the duration of the delay before the ticket
              can become valid.

       -r renewable_life
              (duration string.)  Requests renewable  tickets,  with  a  total
              lifetime of renewable_life.

       -f     requests forwardable tickets.

       -F     requests non-forwardable tickets.

       -p     requests proxiable tickets.

       -P     requests non-proxiable tickets.

       -a     requests tickets restricted to the host's local address[es].

       -A     requests tickets not restricted by address.

       -C     requests  canonicalization of the principal name, and allows the
              KDC to reply with a different  client  principal  from  the  one

       -E     treats the principal name as an enterprise name.

       -v     requests  that the ticket-granting ticket in the cache (with the
              invalid flag set) be passed to the KDC for validation.   If  the
              ticket is within its requested time range, the cache is replaced
              with the validated ticket.

       -R     requests renewal of the ticket-granting ticket.   Note  that  an
              expired  ticket  cannot  be renewed, even if the ticket is still
              within its renewable life.

              Note that renewable tickets that have  expired  as  reported  by
              klist(1) may sometimes be renewed using this option, because the
              KDC applies a grace period to account for client-KDC clock skew.
              See krb5.conf(5) clockskew setting.

       -k [-i | -t keytab_file]
              requests  a  ticket,  obtained  from  a  key in the local host's
              keytab.  The location of the keytab may be specified with the -t
              keytab_file  option, or with the -i option to specify the use of
              the default client keytab; otherwise the default keytab will  be
              used.   By  default,  a  host  ticket  for  the  local  host  is
              requested, but any principal may be specified.  On  a  KDC,  the
              special  keytab location KDB: can be used to indicate that kinit
              should open the KDC database and look up the key directly.  This
              permits an administrator to obtain tickets as any principal that
              supports authentication based on the key.

       -n     Requests anonymous processing.  Two types of  anonymous  princi-
              pals are supported.

              For  fully  anonymous  Kerberos, configure pkinit on the KDC and
              configure pkinit_anchors in the client's krb5.conf(5).  Then use
              the  -n  option  with  a  principal of the form @REALM (an empty
              principal name followed by the at-sign and a  realm  name).   If
              permitted by the KDC, an anonymous ticket will be returned.

              A   second   form  of  anonymous  tickets  is  supported;  these
              realm-exposed tickets hide the identity of the  client  but  not
              the  client's  realm.  For this mode, use kinit -n with a normal
              principal name.  If supported by the KDC, the principal (but not
              realm) will be replaced by the anonymous principal.

              As  of  release  1.8,  the  MIT Kerberos KDC only supports fully
              anonymous operation.

       -I input_ccache
          Specifies the name of a credentials cache that  already  contains  a
          ticket.   When  obtaining that ticket, if information about how that
          ticket was obtained was also stored to the cache,  that  information
          will  be  used to affect how new credentials are obtained, including
          preselecting the same methods of authenticating to the KDC.

       -T armor_ccache
              Specifies the name of a credentials cache that already  contains
              a  ticket.   If supported by the KDC, this cache will be used to
              armor the request, preventing  offline  dictionary  attacks  and
              allowing  the  use  of  additional preauthentication mechanisms.
              Armoring also makes sure that the response from the KDC  is  not
              modified in transit.

       -c cache_name
              use  cache_name  as  the  Kerberos  5 credentials (ticket) cache
              location.  If this option is not used, the default  cache  loca-
              tion is used.

              The  default  cache  location  may vary between systems.  If the
              KRB5CCNAME environment variable is set, its  value  is  used  to
              locate  the default cache.  If a principal name is specified and
              the type of the default cache supports a collection (such as the
              DIR  type),  an  existing  cache  containing credentials for the
              principal is selected or a new one is created  and  becomes  the
              new  primary  cache.   Otherwise,  any  existing contents of the
              default cache are destroyed by kinit.

       -S service_name
              specify an alternate service name to use  when  getting  initial

       -X attribute[=value]
              specify  a  pre-authentication  attribute and value to be inter-
              preted by pre-authentication modules.  The acceptable  attribute
              and value values vary from module to module.  This option may be
              specified multiple times to specify multiple attributes.  If  no
              value is specified, it is assumed to be "yes".

              The   following   attributes   are   recognized  by  the  PKINIT
              pre-authentication mechanism:

                     specify where to find user's X509 identity information

                     specify where to find trusted X509 anchor information

                     specify use of RSA, rather than the default  Diffie-Hell-
                     man protocol

                     disable  sending  freshness  tokens (for testing purposes

       --request-pac | --no-request-pac
              mutually exclusive.  If --request-pac is set,  ask  the  KDC  to
              include  a  PAC in authdata; if --no-request-pac is set, ask the
              KDC not to include a PAC; if neither are set,  the KDC will fol-
              low its default, which is typically is to include a PAC if doing
              so is supported.


       See kerberos(7) for a description of Kerberos environment variables.


       KCM:   default location of Kerberos 5 credentials cache

              default location for the local host's keytab.


       klist(1), kdestroy(1), kerberos(7)




       1985-2021, MIT

1.19.1                                                                kinit(1)

kerberos5 1.19.1 - Generated Tue Mar 9 15:39:43 CST 2021
© 2000-2021
Individual documents may contain additional copyright information.