kinit(1)                         User Commands                        kinit(1)

NAME

       kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS

       /usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name]
            [-k [-t keytab_file]] [-l lifetime] [-r renewable_life]
            [-s start_time] [-S service_name] [-X attribute[=value]]
            [principal]


DESCRIPTION

       The kinit command is used to obtain and cache an initial
       ticket-granting ticket (credential) for principal. This ticket is
       used for authentication by the Kerberos system. Only users with
       Kerberos principals can use the Kerberos system. For information
       about Kerberos principals, see kerberos(5).

       When you use kinit without options, the utility prompts for your
       principal and Kerberos password, and tries to authenticate your
       login with the local Kerberos server. The principal can be
       specified on the command line if desired.

       If Kerberos authenticates the login attempt, kinit retrieves your
       initial ticket-granting ticket and puts it in the ticket cache. By
       default your ticket is stored in the file /tmp/krb5cc_uid, where
       uid specifies your user identification number. Tickets expire
       after a specified lifetime, after which kinit must be run again.
       Any existing contents of the cache are destroyed by kinit.

       Values specified in the command line override the values specified
       in the Kerberos configuration file for lifetime and renewable_life.

       The kdestroy(1) command can be used to destroy any active tickets
       before you end your login session.

OPTIONS

       The following options are supported:

       -a                      Requests tickets with the local addresses.

       -A                      Requests address-less tickets.

       -c cache_name           Uses cache_name as the credentials (ticket)
                               cache name and location. If this option is
                               not used, the default cache name and
                               location are used.

       -f                      Requests forwardable tickets.

       -F                      Not forwardable. Does not request
                               forwardable tickets.

                               Tickets that have been acquired on one host
                               cannot normally be used on another host. A
                               client can request that the ticket be
                               marked forwardable. Once the
                               TKT_FLG_FORWARDABLE flag is set on a
                               ticket, the user can use this ticket to
                               request a new ticket, but with a different
                               IP address. Thus, users can use their
                               current credentials to get credentials
                               valid on another machine. This option
                               allows a user to explicitly obtain a
                               non-forwardable ticket.

       -k [-t keytab_file]     Requests a host ticket, obtained from a key
                               in the local host's keytab file. The name
                               and location of the keytab file can be
                               specified with the -t keytab_file option.
                               Otherwise, the default name and location
                               are used.

       -l lifetime             Requests a ticket with the lifetime
                               lifetime. If the -l option is not
                               specified, the default ticket lifetime
                               (configured by each site) is used.
                               Specifying a ticket lifetime longer than
                               the maximum ticket lifetime (configured by
                               each site) results in a ticket with the
                               maximum lifetime. See the Time Formats
                               section for the valid time duration formats
                               that you can specify for lifetime. See
                               kdc.conf(4) and kadmin(1M) (for the
                               getprinc command to verify the lifetime
                               values for the server principal).

                               The lifetime of the tickets returned is the
                               minimum of the following:

                                   o      Value specified in the command
                                          line.

                                   o      Value specified in the KDC
                                          configuration file.

                                   o      Value specified in the Kerberos
                                          database for the server
                                          principal. In the case of kinit,
                                          it is krbtgt/realm name.

                                   o      Value specified in the Kerberos
                                          database for the user principal.

       -p                      Requests proxiable tickets.

       -P                      Not proxiable. Does not request proxiable
                               tickets.

                               A proxiable ticket is a ticket that allows
                               you to get a ticket for a service with IP
                               addresses other than the ones in the Ticket
                               Granting Ticket. This option allows a user
                               to explicitly obtain a non-proxiable ticket.

       -r renewable_life       Requests renewable tickets, with a total
                               lifetime of renewable_life. See the Time
                               Formats section for the valid time duration
                               formats that you can specify for
                               renewable_life. See kdc.conf(4) and
                               kadmin(1M) (for the getprinc command to
                               verify the lifetime values for the server
                               principal).

                               The renewable lifetime of the tickets
                               returned is the minimum of the following:

                                   o      Value specified in the command
                                          line.

                                   o      Value specified in the KDC
                                          configuration file.

                                   o      Value specified in the Kerberos
                                          database for the server
                                          principal. In the case of kinit,
                                          it is krbtgt/realm name.

                                   o      Value specified in the Kerberos
                                          database for the user principal.

       -R                      Requests renewal of the ticket-granting
                               ticket. Notice that an expired ticket cannot
                               be renewed, even if the ticket is still
                               within its renewable life.

       -s start_time           Requests a postdated ticket, valid starting
                               at start_time. Postdated tickets are issued
                               with the invalid flag set, and need to be
                               fed back to the KDC before use. See the Time
                               Formats section for either the valid
                               absolute time or time duration formats that
                               you can specify for start_time. kinit
                               attempts to match an absolute time first
                               before trying to match a time duration.

       -S service_name         Specifies an alternate service name to use
                               when getting initial tickets.

       -v                      Requests that the ticket-granting ticket in
                               the cache (with the invalid flag set) be
                               passed to the KDC for validation. If the
                               ticket is within its requested time range,
                               the cache is replaced with the validated
                               ticket.

       -V                      Verbose output. Displays further information
                               to the user, such as confirmation of
                               authentication and version.

       -X attribute[=value]    Specifies a pre-authentication attribute and
                               value to be passed to pre-authentication
                               plugins. The acceptable attribute and value
                               values vary from pre-authentication plugin
                               to plugin. This option can be specified
                               multiple times to specify multiple
                               attributes. If no value is specified, it is
                               assumed to be yes.

                               The following attributes are recognized by
                               the OpenSSL pkinit pre-authentication
                               mechanism:

                               X509_user_identity=URI     Specifies where
                                                          to find the
                                                          user's X509
                                                          identity
                                                          information.

                                                          Valid URI types
                                                          are FILE, DIR,
                                                          PKCS11, PKCS12,
                                                          and ENV. See the
                                                          PKINIT URI Types
                                                          section for
                                                          details.

                               X509_anchors=URI           Specifies where
                                                          to find trusted
                                                          X509 anchor
                                                          information.

                                                          Valid URI types
                                                          are FILE and
                                                          DIR. See the
                                                          PKINIT URI Types
                                                          section for
                                                          details.

                               flag_RSA_PROTOCOL[=yes]    Specifies the use
                                                          of RSA, rather
                                                          than the default
                                                          Diffie-Hellman
                                                          protocol.

   PKINIT URI Types
       FILE:file-name[,key-file-name]

           This option has context-specific behavior.

           X509_user_identity    file-name specifies the name of a
                                 PEM-format file containing the user's
                                 certificate. If key-file-name is not
                                 specified, the user's private key is
                                 expected to be in file-name as well.
                                 Otherwise, key-file-name is the name of
                                 the file containing the private key.

           X509_anchors          file-name is assumed to be the name of an
                                 OpenSSL-style ca-bundle file. The
                                 ca-bundle file should be base-64 encoded.

       DIR:directory-name

           This option has context-specific behavior.

           X509_user_identity    directory-name specifies a directory with
                                 files named *.crt and *.key, where the
                                 first part of the file name is the same
                                 for matching pairs of certificate and
                                 private key files. When a file with a
                                 name ending with .crt is found, a
                                 matching file ending with .key is assumed
                                 to contain the private key. If no such
                                 file is found, then the certificate in
                                 the .crt is not used.

           X509_anchors          directory-name is assumed to be an
                                 OpenSSL-style hashed CA directory where
                                 each CA cert is stored in a file named
                                 hash-of-ca-cert.#. This infrastructure is
                                 encouraged, but all files in the
                                 directory are examined and, if they
                                 contain certificates (in PEM format),
                                 they are used.

       PKCS12:pkcs12-file-name

           pkcs12-file-name is the name of a PKCS #12 format file,
           containing the user's certificate and private key.

       PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id]
           [:certlabel=cert-label]

           All keywords and values are optional. PKCS11 modules (for
           example, opensc-pkcs11.so) must be installed as a crypto
           provider under libpkcs11(3LIB). slotid= and/or token= can be
           specified to force the use of a particular smart card reader or
           token if there is more than one available. certid= and/or
           certlabel= can be specified to force the selection of a
           particular certificate on the device. See the pkinit_cert_match
           configuration option for more ways to select a particular
           certificate to use for pkinit.

       ENV:environment-variable-name

           environment-variable-name specifies the name of an environment
           variable which has been set to a value conforming to one of the
           previous values. For example, ENV:X509_PROXY, where environment
           variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.

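       The URI grammar above, as an added example that is not part of this
       man page or of the Solaris Kerberos code: a small Python parser that
       splits each URI type into its parts, resolves ENV: through a supplied
       environment (one level only, since the page says the variable must
       hold one of the previous, non-ENV types), and applies the DIR: rule
       that a .crt file is used only when a .key file with the same stem
       sits beside it. The function names, the dict layout and the
       constructed directory contents in demo_dir_pairing are this
       example's own choices, not kinit's.

```python
import os
import tempfile

# Added example, not code from the kinit man page or from Solaris Kerberos.
# Scheme names, option keywords and the ENV rule come from the PKINIT URI
# Types section; function names and the dict layout are this example's own.

PKCS11_KEYWORDS = ("slotid", "token", "certid", "certlabel")


def parse_pkinit_uri(uri, env=None, _via_env=False):
    """Split a PKINIT URI into a dict keyed by "type" plus scheme-specific
    fields. ENV:name is looked up in `env` (default: os.environ) and must
    expand to one of the non-ENV types, so one level of indirection only."""
    scheme, sep, rest = uri.partition(":")
    if not sep:
        raise ValueError(f"no scheme in PKINIT URI {uri!r}")
    scheme = scheme.upper()

    if scheme == "FILE":
        # FILE:file-name[,key-file-name]; without key-file-name the private
        # key is expected to live in file-name as well.
        cert, _, key = rest.partition(",")
        if not cert:
            raise ValueError("FILE: URI needs a file name")
        return {"type": "FILE", "cert": cert, "key": key or cert}

    if scheme == "DIR":
        if not rest:
            raise ValueError("DIR: URI needs a directory name")
        return {"type": "DIR", "dir": rest}

    if scheme == "PKCS12":
        if not rest:
            raise ValueError("PKCS12: URI needs a file name")
        return {"type": "PKCS12", "file": rest}

    if scheme == "PKCS11":
        # Every keyword is optional, so a bare "PKCS11:" is valid.
        result = {"type": "PKCS11"}
        for part in rest.split(":"):
            if not part:
                continue
            key, eq, value = part.partition("=")
            if key not in PKCS11_KEYWORDS or not eq:
                raise ValueError(f"bad PKCS11 option {part!r}")
            result[key] = value
        return result

    if scheme == "ENV":
        if _via_env:
            raise ValueError("ENV: may not point at another ENV: URI")
        env = os.environ if env is None else env
        if rest not in env:
            raise ValueError(f"environment variable {rest} is not set")
        return parse_pkinit_uri(env[rest], env, _via_env=True)

    raise ValueError(f"unknown PKINIT URI type {scheme!r}")


def pair_dir_identities(directory):
    """DIR: rule for X509_user_identity: each *.crt whose stem also exists
    as *.key yields a (cert_path, key_path) pair; an unmatched .crt is
    skipped, since the page says such a certificate is not used."""
    pairs = []
    for name in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(name)
        if ext != ".crt":
            continue
        key_path = os.path.join(directory, stem + ".key")
        if os.path.isfile(key_path):
            pairs.append((os.path.join(directory, name), key_path))
    return pairs


def demo_dir_pairing():
    """Constructed DIR: layout in a temp dir; returns the stems that paired."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("alice.crt", "alice.key", "orphan.crt", "lonely.key"):
            with open(os.path.join(d, name), "w") as f:
                f.write("constructed placeholder, not a real PEM file\n")
        return [os.path.basename(c)[:-4] for c, _ in pair_dir_identities(d)]


if __name__ == "__main__":
    # The ENV example from the man page, with the variable supplied inline.
    env = {"X509_PROXY": "FILE:/tmp/my_proxy.pem"}
    print(parse_pkinit_uri("ENV:X509_PROXY", env))
    print(parse_pkinit_uri("PKCS11:slotid=1:token=MyToken:certlabel=auth"))
    print(demo_dir_pairing())
```

       Note that under the DIR: rule a .crt without its .key is silently
       skipped rather than reported, which is the first thing to check when
       a DIR: identity is not picked up.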
   Time Formats
       The following absolute time formats can be used for the -s start_time
       option. The examples are based on the date and time of July 2, 1999,
       1:35:30 p.m.

       ┌───────────────────────────────────────────────────────────┐
       │   Absolute Time Format                 Example            │
       │yymmddhhmm[ss]                990702133530                 │
       │hhmm[ss]                      133530                       │
       │yy.mm.dd.hh.mm.ss             99:07:02:13:35:30            │
       │hh:mm[:ss]                    13:35:30                     │
       │ldate:ltime                   07-07-99:13:35:30            │
       │dd-month-yyyy:hh:mm[:ss]      02-july-1999:13:35:30        │
       └───────────────────────────────────────────────────────────┘

                Variable                           Description
       dd                            day
       hh                            hour (24-hour clock)
       mm                            minutes
       ss                            seconds
       yy                            year within century (0-68 is 2000 to
                                     2068; 69-99 is 1969 to 1999)
       yyyy                          year including century
       month                         locale's full or abbreviated month name
       ldate                         locale's appropriate date representation
       ltime                         locale's appropriate time representation

       The following time duration formats can be used for the -l lifetime,
       -r renewable_life, and -s start_time options. The examples are based
       on the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.

       ┌───────────────────────────────────────────────────────────┐
       │   Time Duration Format                 Example            │
       │#d                            14d                          │
       │#h                            7h                           │
       │#m                            5m                           │
       │#s                            30s                          │
       │#d#h#m#s                      14d7h5m30s                   │
       │#h#m[#s]                      7h5m30s                      │
       │days-hh:mm:ss                 14-07:05:30                  │
       │hours:mm[:ss]                 7:05:30                      │
       └───────────────────────────────────────────────────────────┘

                Delimiter                    Description
       d                             number of days
       h                             number of hours
       m                             number of minutes
       s                             number of seconds

                Variable                     Description
       #                             number
       days                          number of days
       hours                         number of hours
       hh                            hour (24-hour clock)
       mm                            minutes
       ss                            seconds

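       The two tables above and the -s rule that an absolute time is
       matched before a duration is tried, as an added Python example that
       is not part of this man page or of kinit itself. The digit-only rows
       are chosen by length so that 133530 is read as hhmmss and not as a
       yymmddhhmm with one-digit fields; strptime's %y applies the same
       century window the Variable table states; the ldate:ltime row maps
       to %x:%X and therefore depends on the locale the parser runs under.
       EXAMPLE_NOW is the July 2, 1999, 1:35:30 p.m. instant the page's
       examples use; function names and the today/now parameters are this
       example's own.

```python
import re
from datetime import date, datetime, timedelta

# Added example, not code from the kinit man page or from Solaris Kerberos:
# parsers for the Time Formats tables and for the -s start_time rule.

# The man page's example instant: July 2, 1999, 1:35:30 p.m.
EXAMPLE_NOW = datetime(1999, 7, 2, 13, 35, 30)

# Digit-only absolute rows are fixed width: yymmddhhmm[ss] is 10 or 12
# digits, hhmm[ss] is 4 or 6. Choosing by length avoids strptime accepting
# one-digit fields and misreading 133530 as a date.
DIGIT_ONLY_FORMATS = {12: "%y%m%d%H%M%S", 10: "%y%m%d%H%M", 6: "%H%M%S", 4: "%H%M"}

# Remaining absolute rows in table order; the flag says whether the format
# carries a date. Time-only forms take their date from `today`. %y uses the
# same century window as the table (0-68 -> 2000-2068, 69-99 -> 1969-1999).
SEPARATED_FORMATS = [
    ("%y.%m.%d.%H.%M.%S", True),                          # yy.mm.dd.hh.mm.ss
    ("%H:%M:%S", False), ("%H:%M", False),                # hh:mm[:ss]
    ("%x:%X", True),                                      # ldate:ltime (locale-dependent)
    ("%d-%B-%Y:%H:%M:%S", True), ("%d-%b-%Y:%H:%M:%S", True),
    ("%d-%B-%Y:%H:%M", True), ("%d-%b-%Y:%H:%M", True),   # dd-month-yyyy:hh:mm[:ss]
]

# Duration rows: #d#h#m#s with every part optional (this also covers the
# #d, #h, #m, #s and #h#m[#s] rows), days-hh:mm:ss, and hours:mm[:ss].
_DHMS = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
_DAYS_HMS = re.compile(r"^(\d+)-(\d{1,2}):(\d{2}):(\d{2})$")
_HOURS_MS = re.compile(r"^(\d+):(\d{2})(?::(\d{2}))?$")


def parse_duration(text):
    """Return the number of seconds a kinit time-duration string denotes."""
    m = _DHMS.match(text)
    if text and m:
        d, h, mi, s = (int(g) if g else 0 for g in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    m = _DAYS_HMS.match(text)
    if m:
        d, h, mi, s = (int(g) for g in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    m = _HOURS_MS.match(text)
    if m:
        h, mi, s = m.groups()
        return int(h) * 3600 + int(mi) * 60 + (int(s) if s else 0)
    raise ValueError(f"not a kinit time duration: {text!r}")


def parse_absolute(text, today=None):
    """Return a datetime for a kinit absolute time string, else ValueError."""
    today = today or date.today()
    if text.isdigit():
        fmt = DIGIT_ONLY_FORMATS.get(len(text))
        candidates = [(fmt, len(text) >= 10)] if fmt else []
    else:
        candidates = SEPARATED_FORMATS
    for fmt, has_date in candidates:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if not has_date:
            parsed = parsed.replace(year=today.year, month=today.month, day=today.day)
        return parsed
    raise ValueError(f"not a kinit absolute time: {text!r}")


def parse_start_time(text, now=None):
    """Resolve a -s start_time argument the way the man page describes:
    try the absolute formats first, then fall back to a duration from now."""
    now = now or datetime.now()
    try:
        return parse_absolute(text, today=now.date())
    except ValueError:
        return now + timedelta(seconds=parse_duration(text))


if __name__ == "__main__":
    for arg in ("14d7h5m30s", "14-07:05:30", "7h5m30s"):
        print(arg, "->", parse_duration(arg), "seconds")
    for arg in ("990702133530", "02-july-1999:13:35:30", "7:05:30", "7h"):
        print("-s", arg, "->", parse_start_time(arg, EXAMPLE_NOW))
```

       The absolute-first rule has a visible consequence that
       parse_start_time reproduces: -s 7:05:30 is read as 07:05:30 today
       (the hh:mm[:ss] absolute row), not as the 7-hour-5-minute duration
       the hours:mm[:ss] row would suggest; only a form no absolute row
       accepts, such as 7h or 14d, is treated as a duration.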

ENVIRONMENT VARIABLES

       kinit uses the following environment variable:

       KRB5CCNAME    Location of the credentials (ticket) cache. See
                     krb5envvar(5) for syntax and details.


FILES

       /tmp/krb5cc_uid          Default credentials cache (uid is the
                                decimal UID of the user).

       /etc/krb5/krb5.keytab    Default location for the local host's
                                keytab file.

       /etc/krb5/krb5.conf      Default location for the local host's
                                configuration file. See krb5.conf(4).


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkrbu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘

       The command arguments are Evolving. The command output is Unstable.


SEE ALSO

       kdestroy(1), klist(1), kadmin(1M), ktkt_warnd(1M), libpkcs11(3LIB),
       kdc.conf(4), krb5.conf(4), attributes(5), kerberos(5), krb5envvar(5),
       pam_krb5(5)


NOTES

       On success, kinit notifies ktkt_warnd(1M) to alert the user when the
       initial credentials (ticket-granting ticket) are about to expire.

SunOS 5.11                        12 Nov 2008                         kinit(1)