KINIT(1)                    General Commands Manual                   KINIT(1)

NAME
       kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
       kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
       [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]]
       [-c cache_name] [-n] [-S service_name] [-T armor_ccache]
       [-X attribute[=value]] [principal]

DESCRIPTION
       kinit obtains and caches an initial ticket-granting ticket for
       principal.

OPTIONS
       -V     display verbose output.

       -l lifetime
              requests a ticket with the lifetime lifetime.  The value for
              lifetime must be followed immediately by one of the following
              delimiters:

              s  seconds
              m  minutes
              h  hours
              d  days

              as in "kinit -l 90m".  You cannot mix units; a value of `3h30m'
              will result in an error.

              If the -l option is not specified, the default ticket lifetime
              (configured by each site) is used.  Specifying a ticket lifetime
              longer than the maximum ticket lifetime (configured by each
              site) results in a ticket with the maximum lifetime.

       -s start_time
              requests a postdated ticket, valid starting at start_time.
              Postdated tickets are issued with the invalid flag set, and need
              to be fed back to the kdc before use.

       -r renewable_life
              requests renewable tickets, with a total lifetime of
              renewable_life.  The duration is in the same format as the -l
              option, with the same delimiters.

       -f     request forwardable tickets.

       -F     do not request forwardable tickets.

       -p     request proxiable tickets.

       -P     do not request proxiable tickets.

       -a     request tickets with the local address[es].

       -A     request address-less tickets.

       -C     requests canonicalization of the principal name.

       -E     treats the principal name as an enterprise name.

       -v     requests that the ticket granting ticket in the cache (with the
              invalid flag set) be passed to the kdc for validation.  If the
              ticket is within its requested time range, the cache is replaced
              with the validated ticket.

       -R     requests renewal of the ticket-granting ticket.  Note that an
              expired ticket cannot be renewed, even if the ticket is still
              within its renewable life.

       -k [-t keytab_file]
              requests a ticket, obtained from a key in the local host's
              keytab file.  The name and location of the keytab file may be
              specified with the -t keytab_file option; otherwise the default
              name and location will be used.  By default a host ticket is
              requested but any principal may be specified.  On a KDC, the
              special keytab location KDB: can be used to indicate that kinit
              should open the KDC database and look up the key directly.  This
              permits an administrator to obtain tickets as any principal that
              supports password-based authentication.

       -n     Requests anonymous processing.  Two types of anonymous
              principals are supported.  For fully anonymous Kerberos,
              configure pkinit on the KDC and configure pkinit_anchors in the
              client's krb5.conf.  Then use the -n option with a principal of
              the form @REALM (an empty principal name followed by the at-sign
              and a realm name).  If permitted by the KDC, an anonymous ticket
              will be returned.  A second form of anonymous tickets is
              supported; these realm-exposed tickets hide the identity of the
              client but not the client's realm.  For this mode, use kinit -n
              with a normal principal name.  If supported by the KDC, the
              principal (but not realm) will be replaced by the anonymous
              principal.  As of release 1.8, the MIT Kerberos KDC only
              supports fully anonymous operation.

       -T armor_ccache
              Specifies the name of a credential cache that already contains a
              ticket.  If supported by the KDC, this ccache will be used to
              armor the request so that an attacker would have to know both
              the key of the armor ticket and the key of the principal used
              for authentication in order to attack the request.  Armoring
              also makes sure that the response from the KDC is not modified
              in transit.

       -c cache_name
              use cache_name as the Kerberos 5 credentials (ticket) cache name
              and location; if this option is not used, the default cache name
              and location are used.

              The default credentials cache may vary between systems.  If the
              KRB5CCNAME environment variable is set, its value is used to
              name the default ticket cache.  If a principal name is specified
              and the type of the default credentials cache supports a
              collection (such as the DIR type), an existing cache containing
              credentials for the principal is selected or a new one is
              created and becomes the new primary cache.  Otherwise, any
              existing contents of the default cache are destroyed by kinit.

       -S service_name
              specify an alternate service name to use when getting initial
              tickets.

       -X attribute[=value]
              specify a pre-authentication attribute and value to be passed to
              pre-authentication plugins.  The acceptable attribute and value
              values vary from pre-authentication plugin to plugin.  This
              option may be specified multiple times to specify multiple
              attributes.  If no value is specified, it is assumed to be
              "yes".

              The following attributes are recognized by the OpenSSL pkinit
              pre-authentication mechanism:

              X509_user_identity=value
                     specify where to find user's X509 identity information

              X509_anchors=value
                     specify where to find trusted X509 anchor information

              flag_RSA_PROTOCOL[=yes]
                     specify use of RSA, rather than the default Diffie-Hellman
                     protocol

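EXAMPLES
       The following script is an added example; it is not part of the MIT
       krb5 distribution or of the original manual page.  It shows the usual
       pattern for an unattended service: obtain a TGT from a keytab with
       -k -t into a cache chosen with -c (so the default cache is not
       overwritten), decline forwardable and proxiable tickets with -F -P,
       renew with -R on later runs, and check the -l/-r duration syntax
       described above before calling kinit.  The principal
       host/web.example.test@EXAMPLE.TEST, the keytab path and the cache name
       are assumptions made for the example.

```sh
#!/bin/sh
# Added example; not part of the MIT kinit manual page or of the krb5
# distribution.  Obtains a ticket-granting ticket for a service principal
# from a keytab into a private credentials cache, renews it in place on
# later runs, and confirms a valid TGT is present before returning.
# Principal, keytab path and cache name used below are assumptions.

# A kinit -l/-r duration is one integer followed by exactly one of the
# delimiters s, m, h or d.  "90m" is accepted; "3h30m" is rejected, which
# is also what kinit itself does with a mixed-unit value.
valid_duration() {
    case "$1" in
        [0-9]*[smhd])
            case "${1%?}" in
                *[!0-9]*) return 1 ;;   # e.g. "3h30m": "3h30" is not all digits
                *) return 0 ;;
            esac ;;
        *) return 1 ;;                  # empty, no unit, or trailing digit
    esac
}

# Convert a valid duration to seconds (useful for comparing against the
# site's maximum lifetimes or for scheduling the next renewal).
duration_seconds() {
    valid_duration "$1" || return 1
    n=${1%?}
    case "$1" in
        *s) echo "$n" ;;
        *m) echo $((n * 60)) ;;
        *h) echo $((n * 3600)) ;;
        *d) echo $((n * 86400)) ;;
    esac
}

# refresh_service_tgt PRINCIPAL KEYTAB CCACHE LIFETIME RENEWABLE_LIFE
#
# -c keeps the service's tickets out of the default cache, which kinit
# would otherwise overwrite.  -F and -P request tickets that are neither
# forwardable nor proxiable: an unattended service has no reason to
# delegate its identity.  -R renews the existing TGT; it fails once the
# ticket has expired even if still inside its renewable life, in which
# case a fresh keytab logon is done instead.
refresh_service_tgt() {
    princ=$1 keytab=$2 ccache=$3 life=$4 renew=$5
    valid_duration "$life" && valid_duration "$renew" || {
        echo "bad duration (one integer plus one of s/m/h/d)" >&2; return 2; }

    if klist -s "$ccache" && kinit -R -c "$ccache"; then
        return 0
    fi
    kinit -k -t "$keytab" -c "$ccache" -F -P -l "$life" -r "$renew" "$princ" \
        && klist -s "$ccache"       # exit 0 only if an unexpired TGT is cached
}

# Runs only when invoked with all five arguments, e.g.
#   sh kinit-service.sh host/web.example.test@EXAMPLE.TEST \
#       /etc/krb5.keytab FILE:/run/webapp/krb5cc 10h 7d
if [ $# -eq 5 ]; then
    refresh_service_tgt "$@"
elif [ $# -ne 0 ]; then
    echo "usage: $0 principal keytab ccache lifetime renewable_life" >&2
    exit 2
fi
```

       klist -s exits 0 only when the named cache holds an unexpired ticket,
       so the function's exit status is the health check a job wrapper or
       cron entry can key on.  Because -R fails on an expired ticket even
       within its renewable life, schedule the refresh well inside the -l
       lifetime rather than at its edge.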

ENVIRONMENT
       Kinit uses the following environment variables:

       KRB5CCNAME     Location of the default Kerberos 5 credentials (ticket)
                      cache, in the form type:residual.  If no type prefix is
                      present, the FILE type is assumed.  The type of the
                      default cache may determine the availability of a cache
                      collection; for instance, a default cache of type DIR
                      causes caches within the directory to be present in the
                      collection.

FILES
       /tmp/krb5cc_[uid]
              default location of Kerberos 5 credentials cache ([uid] is the
              decimal UID of the user).

       /etc/krb5.keytab
              default location for the local host's keytab file.

SEE ALSO
       klist(1), kdestroy(1), kswitch(1), kerberos(1)

                                                                      KINIT(1)