KINIT(1)                         MIT Kerberos                         KINIT(1)


NAME

       kinit - obtain and cache Kerberos ticket-granting ticket


SYNOPSIS

       kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
       [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]] [-c
       cache_name] [-n] [-S service_name] [-I input_ccache] [-T armor_ccache]
       [-X attribute[=value]] [principal]


DESCRIPTION

       kinit obtains and caches an initial ticket-granting ticket for
       principal.  If principal is absent, kinit chooses an appropriate
       principal name based on existing credential cache contents or the
       local username of the user invoking kinit.  Some options modify the
       choice of principal name.


OPTIONS

       -V     display verbose output.

       -l lifetime
              (duration string.)  Requests a ticket with the lifetime
              lifetime.

              For example, kinit -l 5:30 or kinit -l 5h30m.

              If the -l option is not specified, the default ticket lifetime
              (configured by each site) is used.  Specifying a ticket lifetime
              longer than the maximum ticket lifetime (configured by each
              site) will not override the configured maximum ticket lifetime.

       -s start_time
              (duration string.)  Requests a postdated ticket.  Postdated
              tickets are issued with the invalid flag set, and need to be
              resubmitted to the KDC for validation before use.

              start_time specifies the duration of the delay before the ticket
              can become valid.

       -r renewable_life
              (duration string.)  Requests renewable tickets, with a total
              lifetime of renewable_life.

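       The following POSIX shell function is an added illustration, not part
       of kinit or of this manual page, showing how the duration strings
       given to -l, -s and -r translate into seconds.  It accepts the two
       forms shown above (h:m[:s] and NdNhNmNs); the bare-integer-of-seconds
       form is assumed from the krb5.conf(5) duration syntax and is not
       shown on this page.

```sh
# Added illustration (not kinit's own code): convert a Kerberos duration
# string, as given to -l, -s or -r, into seconds.  Accepted forms:
# h:m[:s] (e.g. 5:30), NdNhNmNs (e.g. 5h30m, 1d2h) and, as an assumption
# beyond this page, a bare integer of seconds.  Anything else fails (status 1).

# Strip leading zeros so values such as "08" are not read as octal.
dec() { n=${1#"${1%%[!0]*}"}; printf '%s\n' "${n:-0}"; }

krb_duration_seconds() {
    dur=$1
    case $dur in
        '' | *[!0-9:dhms]*) return 1 ;;        # empty or unknown characters
    esac
    case $dur in
        *:*)
            # Clock form hours:minutes[:seconds]
            h=${dur%%:*}; rest=${dur#*:}
            case $rest in
                *:*) m=${rest%%:*}; s=${rest#*:} ;;
                *)   m=$rest; s=0 ;;
            esac
            case "$h$m$s" in *[!0-9]*) return 1 ;; esac   # e.g. "5:h"
            [ -n "$h" ] && [ -n "$m" ] && [ -n "$s" ] || return 1  # "5:30:"
            echo $(( $(dec "$h") * 3600 + $(dec "$m") * 60 + $(dec "$s") ))
            ;;
        *[dhms]*)
            # Unit form: a number followed by d, h, m or s, repeated
            total=0; num=''; rest=$dur
            while [ -n "$rest" ]; do
                c=${rest%"${rest#?}"}; rest=${rest#?}   # take first character
                case $c in
                    [0-9]) num=$num$c; continue ;;
                    d) unit=86400 ;;
                    h) unit=3600 ;;
                    m) unit=60 ;;
                    s) unit=1 ;;
                esac
                [ -n "$num" ] || return 1              # unit without a number
                total=$(( total + $(dec "$num") * unit )); num=''
            done
            [ -z "$num" ] || return 1                  # trailing digits, no unit
            echo "$total"
            ;;
        *)
            dec "$dur"                                 # bare seconds
            ;;
    esac
}
```

       Both kinit -l 5:30 and kinit -l 5h30m therefore request the same
       19800-second lifetime, which the KDC still caps at the site maximum.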
       -f     requests forwardable tickets.

       -F     requests non-forwardable tickets.

       -p     requests proxiable tickets.

       -P     requests non-proxiable tickets.

       -a     requests tickets restricted to the host's local address[es].

       -A     requests tickets not restricted by address.

       -C     requests canonicalization of the principal name, and allows the
              KDC to reply with a different client principal from the one
              requested.

       -E     treats the principal name as an enterprise name (implies the -C
              option).

       -v     requests that the ticket-granting ticket in the cache (with the
              invalid flag set) be passed to the KDC for validation.  If the
              ticket is within its requested time range, the cache is replaced
              with the validated ticket.

       -R     requests renewal of the ticket-granting ticket.  Note that an
              expired ticket cannot be renewed, even if the ticket is still
              within its renewable life.

              Note that renewable tickets that have expired as reported by
              klist(1) may sometimes be renewed using this option, because the
              KDC applies a grace period to account for client-KDC clock skew.
              See krb5.conf(5) clockskew setting.

       -k [-i | -t keytab_file]
              requests a ticket, obtained from a key in the local host's
              keytab.  The location of the keytab may be specified with the -t
              keytab_file option, or with the -i option to specify the use of
              the default client keytab; otherwise the default keytab will be
              used.  By default, a host ticket for the local host is
              requested, but any principal may be specified.  On a KDC, the
              special keytab location KDB: can be used to indicate that kinit
              should open the KDC database and look up the key directly.  This
              permits an administrator to obtain tickets as any principal that
              supports authentication based on the key.

       -n     Requests anonymous processing.  Two types of anonymous
              principals are supported.

              For fully anonymous Kerberos, configure pkinit on the KDC and
              configure pkinit_anchors in the client's krb5.conf(5).  Then use
              the -n option with a principal of the form @REALM (an empty
              principal name followed by the at-sign and a realm name).  If
              permitted by the KDC, an anonymous ticket will be returned.

              A second form of anonymous tickets is supported; these
              realm-exposed tickets hide the identity of the client but not
              the client's realm.  For this mode, use kinit -n with a normal
              principal name.  If supported by the KDC, the principal (but not
              realm) will be replaced by the anonymous principal.

              As of release 1.8, the MIT Kerberos KDC only supports fully
              anonymous operation.

       -I input_ccache
              Specifies the name of a credentials cache that already contains
              a ticket.  When obtaining that ticket, if information about how
              that ticket was obtained was also stored to the cache, that
              information will be used to affect how new credentials are
              obtained, including preselecting the same methods of
              authenticating to the KDC.

       -T armor_ccache
              Specifies the name of a credentials cache that already contains
              a ticket.  If supported by the KDC, this cache will be used to
              armor the request, preventing offline dictionary attacks and
              allowing the use of additional preauthentication mechanisms.
              Armoring also makes sure that the response from the KDC is not
              modified in transit.

       -c cache_name
              use cache_name as the Kerberos 5 credentials (ticket) cache
              location.  If this option is not used, the default cache
              location is used.

              The default cache location may vary between systems.  If the
              KRB5CCNAME environment variable is set, its value is used to
              locate the default cache.  If a principal name is specified and
              the type of the default cache supports a collection (such as the
              DIR type), an existing cache containing credentials for the
              principal is selected or a new one is created and becomes the
              new primary cache.  Otherwise, any existing contents of the
              default cache are destroyed by kinit.

       -S service_name
              specify an alternate service name to use when getting initial
              tickets.

       -X attribute[=value]
              specify a pre-authentication attribute and value to be
              interpreted by pre-authentication modules.  The acceptable
              attributes and values vary from module to module.  This option
              may be specified multiple times to specify multiple attributes.
              If no value is specified, it is assumed to be "yes".

              The following attributes are recognized by the PKINIT
              pre-authentication mechanism:

              X509_user_identity=value
                     specify where to find user's X509 identity information

              X509_anchors=value
                     specify where to find trusted X509 anchor information

              flag_RSA_PROTOCOL[=yes]
                     specify use of RSA, rather than the default Diffie-Hellman
                     protocol


ENVIRONMENT

       kinit uses the following environment variables:

       KRB5CCNAME
              Location of the default Kerberos 5 credentials cache, in the
              form type:residual.  If no type prefix is present, the FILE type
              is assumed.  The type of the default cache may determine the
              availability of a cache collection; for instance, a default
              cache of type DIR causes caches within the directory to be
              present in the collection.

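       The following POSIX shell function is an added illustration, not part
       of kinit or of this manual page, of how a type:residual cache name
       from KRB5CCNAME or -c is split and whether it denotes a collection.
       It assumes, beyond what this page states, that KEYRING and KCM caches
       also hold collections and that a DIR residual beginning with a colon
       (DIR::/path/tkt) names one cache file rather than the collection.

```sh
# Added illustration (not kinit's own code): interpret a Kerberos 5
# credentials cache name as described under KRB5CCNAME and -c.
# Prints "TYPE RESIDUAL COLLECTION", where COLLECTION is yes or no, and
# fails (status 1) on an empty name.
ccache_info() {
    name=$1
    [ -n "$name" ] || return 1
    case $name in
        *:*)
            type=${name%%:*}
            residual=${name#*:}
            ;;
        *)
            # No type prefix: the FILE type is assumed.
            type=FILE
            residual=$name
            ;;
    esac
    # Assumption beyond this page: DIR, KEYRING and KCM caches hold a
    # collection; "DIR::/path/tkt" selects a single cache inside a directory,
    # so a principal given to kinit would overwrite it rather than add to the
    # collection.
    case $type in
        DIR)
            case $residual in
                :*) collection=no; residual=${residual#:} ;;
                *)  collection=yes ;;
            esac
            ;;
        KEYRING|KCM) collection=yes ;;
        *)           collection=no ;;
    esac
    printf '%s %s %s\n' "$type" "$residual" "$collection"
}
```

       With a non-collection default cache (FILE, or a single DIR:: file),
       running kinit with a principal destroys whatever that cache held, so
       check the type before pointing KRB5CCNAME at a cache worth keeping.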

FILES

       FILE:/tmp/krb5cc_%{uid}
              default location of Kerberos 5 credentials cache

       FILE:/etc/krb5.keytab
              default location for the local host's keytab.


SEE ALSO

       klist(1), kdestroy(1), kerberos(1)


AUTHOR

       MIT

COPYRIGHT

       1985-2017, MIT

1.15.1                                                                KINIT(1)