1KINIT(1)                         MIT Kerberos                         KINIT(1)
2
3
4

NAME

6       kinit - obtain and cache Kerberos ticket-granting ticket
7

SYNOPSIS

9       kinit  [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
10       [-f | -F] [-a] [-A] [-C] [-E]  [-v]  [-R]  [-k  [-t  keytab_file]]  [-c
11       cache_name]  [-n] [-S service_name] [-I input_ccache] [-T armor_ccache]
12       [-X attribute[=value]] [principal]
13

DESCRIPTION

15       kinit obtains and caches an initial ticket-granting ticket for  princi‐
16       pal.   If  principal  is absent, kinit chooses an appropriate principal
17       name based on existing credential cache contents or the local  username
18       of  the user invoking kinit.  Some options modify the choice of princi‐
19       pal name.
20

OPTIONS

22       -V     display verbose output.
23
24       -l lifetime
25              (duration string.)  Requests a ticket with  the  lifetime  life‐
26              time.
27
28              For example, kinit -l 5:30 or kinit -l 5h30m.
29
30              If  the  -l option is not specified, the default ticket lifetime
31              (configured by each site) is used.  Specifying a ticket lifetime
32              longer  than  the  maximum  ticket  lifetime (configured by each
33              site) will not override the configured maximum ticket lifetime.
34
35       -s start_time
36              (duration string.)   Requests  a  postdated  ticket.   Postdated
37              tickets  are  issued  with  the invalid flag set, and need to be
38              resubmitted to the KDC for validation before use.
39
40              start_time specifies the duration of the delay before the ticket
41              can become valid.
42
43       -r renewable_life
44              (duration  string.)   Requests  renewable  tickets, with a total
45              lifetime of renewable_life.
46
47       -f     requests forwardable tickets.
48
49       -F     requests non-forwardable tickets.
50
51       -p     requests proxiable tickets.
52
53       -P     requests non-proxiable tickets.
54
55       -a     requests tickets restricted to the host's local address[es].
56
57       -A     requests tickets not restricted by address.
58
59       -C     requests canonicalization of the principal name, and allows  the
60              KDC  to  reply  with  a  different client principal from the one
61              requested.
62
63       -E     treats the principal name as an enterprise name.
64
65       -v     requests that the ticket-granting ticket in the cache (with  the
66              invalid  flag  set) be passed to the KDC for validation.  If the
67              ticket is within its requested time range, the cache is replaced
68              with the validated ticket.
69
70       -R     requests  renewal  of  the ticket-granting ticket.  Note that an
71              expired ticket cannot be renewed, even if the  ticket  is  still
72              within its renewable life.
73
74              Note  that  renewable  tickets  that have expired as reported by
75              klist(1) may sometimes be renewed using this option, because the
76              KDC applies a grace period to account for client-KDC clock skew.
77              See krb5.conf(5) clockskew setting.
78
79       -k [-i | -t keytab_file]
80              requests a ticket, obtained from  a  key  in  the  local  host's
81              keytab.  The location of the keytab may be specified with the -t
82              keytab_file option, or with the -i option to specify the use  of
83              the  default client keytab; otherwise the default keytab will be
84              used.   By  default,  a  host  ticket  for  the  local  host  is
85              requested,  but  any  principal may be specified.  On a KDC, the
86              special keytab location KDB: can be used to indicate that  kinit
87              should open the KDC database and look up the key directly.  This
88              permits an administrator to obtain tickets as any principal that
89              supports authentication based on the key.
90
91       -n     Requests  anonymous  processing.  Two types of anonymous princi‐
92              pals are supported.
93
94              For fully anonymous Kerberos, configure pkinit on  the  KDC  and
95              configure pkinit_anchors in the client's krb5.conf(5).  Then use
96              the -n option with a principal of  the  form  @REALM  (an  empty
97              principal  name  followed  by the at-sign and a realm name).  If
98              permitted by the KDC, an anonymous ticket will be returned.
99
100              A  second  form  of  anonymous  tickets  is   supported;   these
101              realm-exposed  tickets  hide  the identity of the client but not
102              the client's realm.  For this mode, use kinit -n with  a  normal
103              principal name.  If supported by the KDC, the principal (but not
104              realm) will be replaced by the anonymous principal.
105
106              As of release 1.8, the MIT  Kerberos  KDC  only  supports  fully
107              anonymous operation.
108
109       -I input_ccache
110          Specifies  the  name  of a credentials cache that already contains a
111          ticket.  When obtaining that ticket, if information about  how  that
112          ticket  was  obtained was also stored to the cache, that information
113          will be used to affect how new credentials are  obtained,  including
114          preselecting the same methods of authenticating to the KDC.
115
116       -T armor_ccache
117              Specifies  the name of a credentials cache that already contains
118              a ticket.  If supported by the KDC, this cache will be  used  to
119              armor  the  request,  preventing  offline dictionary attacks and
120              allowing the use  of  additional  preauthentication  mechanisms.
121              Armoring  also  makes sure that the response from the KDC is not
122              modified in transit.
123
124       -c cache_name
125              use cache_name as the  Kerberos  5  credentials  (ticket)  cache
126              location.   If  this option is not used, the default cache loca‐
127              tion is used.
128
129              The default cache location may vary  between  systems.   If  the
130              KRB5CCNAME  environment  variable  is  set, its value is used to
131              locate the default cache.  If a principal name is specified  and
132              the type of the default cache supports a collection (such as the
133              DIR type), an existing  cache  containing  credentials  for  the
134              principal  is  selected  or a new one is created and becomes the
135              new primary cache.  Otherwise,  any  existing  contents  of  the
136              default cache are destroyed by kinit.
137
138       -S service_name
139              specify  an  alternate  service name to use when getting initial
140              tickets.
141
142       -X attribute[=value]
143              specify a pre-authentication attribute and value  to  be  inter‐
144              preted  by pre-authentication modules.  The acceptable attribute
145              and value values vary from module to module.  This option may be
146              specified  multiple times to specify multiple attributes.  If no
147              value is specified, it is assumed to be "yes".
148
149              The  following  attributes  are   recognized   by   the   PKINIT
150              pre-authentication mechanism:
151
152              X509_user_identity=value
153                     specify where to find user's X509 identity information
154
155              X509_anchors=value
156                     specify where to find trusted X509 anchor information
157
158              flag_RSA_PROTOCOL[=yes]
159                     specify  use of RSA, rather than the default Diffie-Hell‐
160                     man protocol
161
162              disable_freshness[=yes]
163                     disable sending freshness tokens  (for  testing  purposes
164                     only)
165

ENVIRONMENT

167       See kerberos(7) for a description of Kerberos environment variables.
168

FILES

170       FILE:/tmp/krb5cc_%{uid}
171              default location of Kerberos 5 credentials cache
172
173       FILE:/etc/krb5.keytab
174              default location for the local host's keytab.
175

SEE ALSO

177       klist(1), kdestroy(1), kerberos(7)
178

AUTHOR

180       MIT
181
183       1985-2020, MIT
184
185
186
187
1881.18                                                                  KINIT(1)
Impressum