1KINIT(1)                         MIT Kerberos                         KINIT(1)
2
3
4

NAME

6       kinit - obtain and cache Kerberos ticket-granting ticket
7

SYNOPSIS

9       kinit  [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
10       [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-i | -t keytab_file]]  [-c
11       cache_name]  [-n] [-S service_name] [-I input_ccache] [-T armor_ccache]
12       [-X attribute[=value]] [--request-pac | --no-request-pac] [principal]
13

DESCRIPTION

15       kinit obtains and caches an initial ticket-granting ticket for  princi‐
16       pal.   If  principal  is absent, kinit chooses an appropriate principal
17       name based on existing credential cache contents or the local  username
18       of  the user invoking kinit.  Some options modify the choice of princi‐
19       pal name.
20

OPTIONS

22       -V     display verbose output.
23
24       -l lifetime
25              (duration string.)  Requests a ticket with  the  lifetime  life‐
26              time.
27
28              For example, kinit -l 5:30 or kinit -l 5h30m.
29
30              If  the  -l option is not specified, the default ticket lifetime
31              (configured by each site) is used.  Specifying a ticket lifetime
32              longer  than  the  maximum  ticket  lifetime (configured by each
33              site) will not override the configured maximum ticket lifetime.
34
35       -s start_time
36              (duration string.)   Requests  a  postdated  ticket.   Postdated
37              tickets are issued with the invalid flag set, and need to be re‐
38              submitted to the KDC for validation before use.
39
40              start_time specifies the duration of the delay before the ticket
41              can become valid.
42
43       -r renewable_life
44              (duration  string.)   Requests  renewable  tickets, with a total
45              lifetime of renewable_life.
46
47       -f     requests forwardable tickets.
48
49       -F     requests non-forwardable tickets.
50
51       -p     requests proxiable tickets.
52
53       -P     requests non-proxiable tickets.
54
55       -a     requests tickets restricted to the host's local address[es].
56
57       -A     requests tickets not restricted by address.
58
59       -C     requests canonicalization of the principal name, and allows  the
60              KDC  to reply with a different client principal from the one re‐
61              quested.
62
63       -E     treats the principal name as an enterprise name.
64
65       -v     requests that the ticket-granting ticket in the cache (with  the
66              invalid  flag  set) be passed to the KDC for validation.  If the
67              ticket is within its requested time range, the cache is replaced
68              with the validated ticket.
69
70       -R     requests  renewal  of  the ticket-granting ticket.  Note that an
71              expired ticket cannot be renewed, even if the  ticket  is  still
72              within its renewable life.
73
74              Note  that  renewable  tickets  that have expired as reported by
75              klist(1) may sometimes be renewed using this option, because the
76              KDC applies a grace period to account for client-KDC clock skew.
77              See krb5.conf(5) clockskew setting.
78
79       -k [-i | -t keytab_file]
80              requests a ticket, obtained from  a  key  in  the  local  host's
81              keytab.  The location of the keytab may be specified with the -t
82              keytab_file option, or with the -i option to specify the use  of
83              the  default client keytab; otherwise the default keytab will be
84              used.  By default, a host ticket  for  the  local  host  is  re‐
85              quested, but any principal may be specified.  On a KDC, the spe‐
86              cial keytab location KDB: can be used  to  indicate  that  kinit
87              should open the KDC database and look up the key directly.  This
88              permits an administrator to obtain tickets as any principal that
89              supports authentication based on the key.
90
91       -n     Requests  anonymous  processing.  Two types of anonymous princi‐
92              pals are supported.
93
94              For fully anonymous Kerberos, configure pkinit on  the  KDC  and
95              configure pkinit_anchors in the client's krb5.conf(5).  Then use
96              the -n option with a principal of  the  form  @REALM  (an  empty
97              principal  name  followed  by the at-sign and a realm name).  If
98              permitted by the KDC, an anonymous ticket will be returned.
99
100              A second form of anonymous tickets is supported; these realm-ex‐
101              posed  tickets  hide  the  identity  of  the  client but not the
102              client's realm.  For this mode, use kinit -n with a normal prin‐
103              cipal  name.   If  supported  by the KDC, the principal (but not
104              realm) will be replaced by the anonymous principal.
105
106              As of release 1.8, the MIT  Kerberos  KDC  only  supports  fully
107              anonymous operation.
108
109       -I input_ccache
110          Specifies  the  name  of a credentials cache that already contains a
111          ticket.  When obtaining that ticket, if information about  how  that
112          ticket  was  obtained was also stored to the cache, that information
113          will be used to affect how new credentials are  obtained,  including
114          preselecting the same methods of authenticating to the KDC.
115
116       -T armor_ccache
117              Specifies  the name of a credentials cache that already contains
118              a ticket.  If supported by the KDC, this cache will be  used  to
119              armor the request, preventing offline dictionary attacks and al‐
120              lowing the use of additional preauthentication mechanisms.   Ar‐
121              moring  also  makes  sure  that the response from the KDC is not
122              modified in transit.
123
124       -c cache_name
125              use cache_name as the Kerberos 5 credentials (ticket) cache  lo‐
126              cation.   If this option is not used, the default cache location
127              is used.
128
129              The default cache location may vary  between  systems.   If  the
130              KRB5CCNAME environment variable is set, its value is used to lo‐
131              cate the default cache.  If a principal name  is  specified  and
132              the type of the default cache supports a collection (such as the
133              DIR type), an existing  cache  containing  credentials  for  the
134              principal  is  selected  or a new one is created and becomes the
135              new primary cache.  Otherwise, any existing contents of the  de‐
136              fault cache are destroyed by kinit.
137
138       -S service_name
139              specify  an  alternate  service name to use when getting initial
140              tickets.
141
142       -X attribute[=value]
143              specify a pre-authentication attribute and value  to  be  inter‐
144              preted  by pre-authentication modules.  The acceptable attribute
145              and value values vary from module to module.  This option may be
146              specified  multiple times to specify multiple attributes.  If no
147              value is specified, it is assumed to be "yes".
148
149              The following attributes are recognized by  the  PKINIT  pre-au‐
150              thentication mechanism:
151
152              X509_user_identity=value
153                     specify where to find user's X509 identity information
154
155              X509_anchors=value
156                     specify where to find trusted X509 anchor information
157
158              flag_RSA_PROTOCOL[=yes]
159                     specify  use of RSA, rather than the default Diffie-Hell‐
160                     man protocol
161
162              disable_freshness[=yes]
163                     disable sending freshness tokens  (for  testing  purposes
164                     only)
165
166       --request-pac | --no-request-pac
167              mutually exclusive.  If --request-pac is set, ask the KDC to in‐
168              clude a PAC in authdata; if --no-request-pac is set, ask the KDC
169              not  to  include a PAC; if neither are set,  the KDC will follow
170              its default, which is typically is to include a PAC if doing  so
171              is supported.
172

ENVIRONMENT

174       See kerberos(7) for a description of Kerberos environment variables.
175

FILES

177       FILE:/tmp/krb5cc_%{uid}
178              default location of Kerberos 5 credentials cache
179
180       FILE:/etc/krb5.keytab
181              default location for the local host's keytab.
182

SEE ALSO

184       klist(1), kdestroy(1), kerberos(7)
185

AUTHOR

187       MIT
188
190       1985-2021, MIT
191
192
193
194
1951.19.2                                                                KINIT(1)
Impressum