KINIT(1)                    General Commands Manual                   KINIT(1)

NAME
       kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
       kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
             [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]]
             [-c cache_name] [-n] [-S service_name] [-T armor_ccache] [-X
             attribute[=value]] [principal]

DESCRIPTION
       kinit obtains and caches an initial ticket-granting ticket for
       principal.

OPTIONS
       -V     display verbose output.

       -l lifetime
              requests a ticket with the lifetime lifetime.  The value for
              lifetime must be followed immediately by one of the following
              delimiters:

              s  seconds
              m  minutes
              h  hours
              d  days

              as in "kinit -l 90m".  You cannot mix units; a value of "3h30m"
              will result in an error.

              If the -l option is not specified, the default ticket lifetime
              (configured by each site) is used.  Specifying a ticket lifetime
              longer than the maximum ticket lifetime (configured by each
              site) results in a ticket with the maximum lifetime.
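              As an added example (not part of this man page or of MIT
              Kerberos), the following POSIX shell functions check a -l or -r
              value against the single-unit syntax described above, convert it
              to seconds, and cap a request at a site maximum as the text says
              the KDC does.  The function names are my own.

```shell
#!/bin/sh
# Added example: validate the duration syntax kinit documents for -l and -r.
# A value is digits followed by exactly one unit letter (s, m, h, d); a
# mixed-unit value such as 3h30m is rejected, as the man page states.

# krb_lifetime_seconds DURATION
# Prints DURATION in seconds and returns 0, or prints nothing and returns 1.
krb_lifetime_seconds() {
    dur=$1
    case $dur in
        ''|*[!0-9smhd]*) return 1 ;;   # empty or characters outside the syntax
    esac
    num=${dur%?}                       # everything except the final character
    unit=${dur#"$num"}                 # the final character (the unit)
    case $num in
        ''|*[!0-9]*) return 1 ;;       # "3h30m" fails here: "3h30" is not digits
    esac
    case $unit in
        s) mult=1 ;;
        m) mult=60 ;;
        h) mult=3600 ;;
        d) mult=86400 ;;
        *) return 1 ;;                 # e.g. "90" with no unit letter
    esac
    echo $((num * mult))
}

# krb_effective_lifetime REQUESTED MAX
# Both arguments use kinit duration syntax.  Prints, in seconds, what the
# KDC grants: the request, capped at the site's maximum ticket lifetime.
krb_effective_lifetime() {
    req=$(krb_lifetime_seconds "$1") || return 1
    max=$(krb_lifetime_seconds "$2") || return 1
    if [ "$req" -gt "$max" ]; then echo "$max"; else echo "$req"; fi
}

# Constructed sample inputs, including the mixed-unit value the page rejects.
for d in 90m 3h30m; do
    if secs=$(krb_lifetime_seconds "$d"); then
        echo "$d -> $secs seconds"
    else
        echo "$d -> rejected (a single unit is required)"
    fi
done
```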

       -s start_time
              requests a postdated ticket, valid starting at start_time.
              Postdated tickets are issued with the invalid flag set, and need
              to be fed back to the KDC before use.

       -r renewable_life
              requests renewable tickets, with a total lifetime of
              renewable_life.  The duration is in the same format as the -l
              option, with the same delimiters.

       -f     request forwardable tickets.

       -F     do not request forwardable tickets.

       -p     request proxiable tickets.

       -P     do not request proxiable tickets.

       -a     request tickets with the local address[es].

       -A     request address-less tickets.

       -C     requests canonicalization of the principal name.

       -E     treats the principal name as an enterprise name.

       -v     requests that the ticket-granting ticket in the cache (with the
              invalid flag set) be passed to the KDC for validation.  If the
              ticket is within its requested time range, the cache is replaced
              with the validated ticket.

       -R     requests renewal of the ticket-granting ticket.  Note that an
              expired ticket cannot be renewed, even if the ticket is still
              within its renewable life.

       -k [-t keytab_file]
              requests a host ticket, obtained from a key in the local host's
              keytab file.  The name and location of the keytab file may be
              specified with the -t keytab_file option; otherwise the default
              name and location will be used.

       -n     Requests anonymous processing.  Two types of anonymous
              principals are supported.  For fully anonymous Kerberos,
              configure pkinit on the KDC and configure pkinit_anchors in the
              client's krb5.conf.  Then use the -n option with a principal of
              the form @REALM (an empty principal name followed by the at-sign
              and a realm name).  If permitted by the KDC, an anonymous ticket
              will be returned.  A second form of anonymous tickets is
              supported; these realm-exposed tickets hide the identity of the
              client but not the client's realm.  For this mode, use kinit -n
              with a normal principal name.  If supported by the KDC, the
              principal (but not realm) will be replaced by the anonymous
              principal.  As of release 1.8, the MIT Kerberos KDC only
              supports fully anonymous operation.

       -T armor_ccache
              Specifies the name of a credential cache that already contains a
              ticket.  If supported by the KDC, this ccache will be used to
              armor the request so that an attacker would have to know both
              the key of the armor ticket and the key of the principal used
              for authentication in order to attack the request.  Armoring
              also makes sure that the response from the KDC is not modified
              in transit.

       -c cache_name
              use cache_name as the Kerberos 5 credentials (ticket) cache name
              and location; if this option is not used, the default cache name
              and location are used.

              The default credentials cache may vary between systems.  If the
              KRB5CCNAME environment variable is set, its value is used to
              name the default ticket cache.  Any existing contents of the
              cache are destroyed by kinit.

       -S service_name
              specify an alternate service name to use when getting initial
              tickets.

       -X attribute[=value]
              specify a pre-authentication attribute and value to be passed to
              pre-authentication plugins.  The acceptable attributes and
              values vary from one pre-authentication plugin to another.  This
              option may be specified multiple times to specify multiple
              attributes.  If no value is specified, it is assumed to be
              "yes".

              The following attributes are recognized by the OpenSSL pkinit
              pre-authentication mechanism:

              X509_user_identity=value
                     specify where to find the user's X509 identity
                     information

              X509_anchors=value
                     specify where to find trusted X509 anchor information

              flag_RSA_PROTOCOL[=yes]
                     specify use of RSA, rather than the default
                     Diffie-Hellman protocol


ENVIRONMENT
       Kinit uses the following environment variables:

       KRB5CCNAME     Location of the Kerberos 5 credentials (ticket) cache.

FILES
       /tmp/krb5cc_[uid]
              default location of the Kerberos 5 credentials cache ([uid] is
              the decimal UID of the user).

       /etc/krb5.keytab
              default location for the local host's keytab file.

SEE ALSO
       klist(1), kdestroy(1), kerberos(1)



                                                                      KINIT(1)