kinit(1)                         User Commands                        kinit(1)

NAME
     kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
     /usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name]
          [-k [-t keytab_file]] [-l lifetime]
          [-r renewable_life] [-s start_time] [-S service_name]
          [principal]

DESCRIPTION
     The kinit command is used to obtain and cache an initial ticket-granting
     ticket (credential) for principal. This ticket is used for
     authentication by the Kerberos system. Only users with Kerberos
     principals can use the Kerberos system. For information about Kerberos
     principals, see kerberos(5).

     When you use kinit without options, the utility prompts for your
     principal and Kerberos password, and tries to authenticate your login
     with the local Kerberos server. The principal can be specified on the
     command line if desired.

     If Kerberos authenticates the login attempt, kinit retrieves your
     initial ticket-granting ticket and puts it in the ticket cache. By
     default your ticket is stored in the file /tmp/krb5cc_uid, where uid
     specifies your user identification number. Tickets expire after a
     specified lifetime, after which kinit must be run again. Any existing
     contents of the cache are destroyed by kinit.

     Values specified in the command line override the values specified in
     the Kerberos configuration file for lifetime and renewable_life.

     The kdestroy(1) command can be used to destroy any active tickets
     before you end your login session.
OPTIONS
     The following options are supported:

     -a                    Requests tickets with the local addresses.

     -A                    Requests address-less tickets.

     -c cache_name         Uses cache_name as the credentials (ticket)
                           cache name and location. If this option is not
                           used, the default cache name and location are
                           used.

     -f                    Requests forwardable tickets.

     -F                    Not forwardable. Does not request forwardable
                           tickets.

                           Tickets that have been acquired on one host
                           cannot normally be used on another host. A
                           client can request that the ticket be marked
                           forwardable. Once the TKT_FLG_FORWARDABLE flag
                           is set on a ticket, the user can use this
                           ticket to request a new ticket, but with a
                           different IP address. Thus, users can use their
                           current credentials to get credentials valid on
                           another machine. This option allows a user to
                           explicitly obtain a non-forwardable ticket.

     -k [-t keytab_file]   Requests a host ticket, obtained from a key in
                           the local host's keytab file. The name and
                           location of the keytab file can be specified
                           with the -t keytab_file option. Otherwise, the
                           default name and location is used.

     -l lifetime           Requests a ticket with the lifetime lifetime.
                           If the -l option is not specified, the default
                           ticket lifetime (configured by each site) is
                           used. Specifying a ticket lifetime longer than
                           the maximum ticket lifetime (configured by each
                           site) results in a ticket with the maximum
                           lifetime. See the Time Formats section for the
                           valid time duration formats that you can
                           specify for lifetime. See kdc.conf(4) and the
                           getprinc command of kadmin(1M) to verify the
                           lifetime values for the server principal.

                           The lifetime of the tickets returned is the
                           minimum of the following:

                             o  Value specified in the command line.

                             o  Value specified in the KDC configuration
                                file.

                             o  Value specified in the Kerberos database
                                for the server principal. In the case of
                                kinit, it is krbtgt/realm name.

                             o  Value specified in the Kerberos database
                                for the user principal.

     -p                    Requests proxiable tickets.

     -P                    Not proxiable. Does not request proxiable
                           tickets.

                           A proxiable ticket is a ticket that allows you
                           to get a ticket for a service with IP addresses
                           other than the ones in the Ticket Granting
                           Ticket. This option allows a user to explicitly
                           obtain a non-proxiable ticket.

     -r renewable_life     Requests renewable tickets, with a total
                           lifetime of renewable_life. See the Time
                           Formats section for the valid time duration
                           formats that you can specify for
                           renewable_life. See kdc.conf(4) and the
                           getprinc command of kadmin(1M) to verify the
                           lifetime values for the server principal.

                           The renewable lifetime of the tickets returned
                           is the minimum of the following:

                             o  Value specified in the command line.

                             o  Value specified in the KDC configuration
                                file.

                             o  Value specified in the Kerberos database
                                for the server principal. In the case of
                                kinit, it is krbtgt/realm name.

                             o  Value specified in the Kerberos database
                                for the user principal.

     -R                    Requests renewal of the ticket-granting ticket.
                           Notice that an expired ticket cannot be
                           renewed, even if the ticket is still within its
                           renewable life.

     -s start_time         Requests a postdated ticket, valid starting at
                           start_time. Postdated tickets are issued with
                           the invalid flag set, and need to be fed back
                           to the KDC before use. See the Time Formats
                           section for either the valid absolute time or
                           time duration formats that you can specify for
                           start_time. kinit attempts to match an absolute
                           time first before trying to match a time
                           duration.

     -S service_name       Specifies an alternate service name to use when
                           getting initial tickets.

     -v                    Requests that the ticket-granting ticket in the
                           cache (with the invalid flag set) be passed to
                           the KDC for validation. If the ticket is within
                           its requested time range, the cache is replaced
                           with the validated ticket.

     -V                    Verbose output. Displays further information to
                           the user, such as confirmation of
                           authentication and version.

     -X attribute[=value]  Specifies a pre-authentication attribute and
                           value to be passed to pre-authentication
                           plugins. The acceptable attribute and value
                           values vary from pre-authentication plugin to
                           plugin. This option can be specified multiple
                           times to specify multiple attributes. If no
                           value is specified, it is assumed to be yes.

                           The following attributes are recognized by the
                           OpenSSL pkinit pre-authentication mechanism:

                           X509_user_identity=URI
                                 Specifies where to find the user's X509
                                 identity information.

                                 Valid URI types are FILE, DIR, PKCS11,
                                 PKCS12, and ENV. See the PKINIT URI
                                 Types section for details.

                           X509_anchors=URI
                                 Specifies where to find trusted X509
                                 anchor information.

                                 Valid URI types are FILE and DIR. See
                                 the PKINIT URI Types section for
                                 details.

                           flag_RSA_PROTOCOL[=yes]
                                 Specifies the use of RSA, rather than
                                 the default Diffie-Hellman protocol.

   PKINIT URI Types
     FILE:file-name[,key-file-name]

          This option has context-specific behavior.

          X509_user_identity   file-name specifies the name of a PEM-format
                               file containing the user's certificate. If
                               key-file-name is not specified, the user's
                               private key is expected to be in file-name
                               as well. Otherwise, key-file-name is the
                               name of the file containing the private
                               key.

          X509_anchors         file-name is assumed to be the name of an
                               OpenSSL-style ca-bundle file. The ca-bundle
                               file should be base-64 encoded.

     DIR:directory-name

          This option has context-specific behavior.

          X509_user_identity   directory-name specifies a directory with
                               files named *.crt and *.key, where the
                               first part of the file name is the same for
                               matching pairs of certificate and private
                               key files. When a file with a name ending
                               with .crt is found, a matching file ending
                               with .key is assumed to contain the private
                               key. If no such file is found, then the
                               certificate in the .crt is not used.

          X509_anchors         directory-name is assumed to be an
                               OpenSSL-style hashed CA directory where
                               each CA cert is stored in a file named
                               hash-of-ca-cert.#. This infrastructure is
                               encouraged, but all files in the directory
                               are examined, and if they contain
                               certificates (in PEM format), they are
                               used.

     PKCS12:pkcs12-file-name

          pkcs12-file-name is the name of a PKCS #12 format file, containing
          the user's certificate and private key.

     PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]

          All keywords and values are optional. PKCS11 modules (for example,
          opensc-pkcs11.so) must be installed as a crypto provider under
          libpkcs11(3LIB). slotid= and/or token= can be specified to force
          the use of a particular smart card reader or token if there is
          more than one available. certid= and/or certlabel= can be
          specified to force the selection of a particular certificate on
          the device. See the pkinit_cert_match configuration option for
          more ways to select a particular certificate to use for pkinit.

     ENV:environment-variable-name

          environment-variable-name specifies the name of an environment
          variable which has been set to a value conforming to one of the
          previous values. For example, ENV:X509_PROXY, where environment
          variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.

   Time Formats
     The following absolute time formats can be used for the -s start_time
     option. The examples are based on the date and time of July 2, 1999,
     1:35:30 p.m.

     ┌───────────────────────────┬────────────────────────┐
     │ Absolute Time Format      │ Example                │
     ├───────────────────────────┼────────────────────────┤
     │ yymmddhhmm[ss]            │ 990702133530           │
     │ hhmm[ss]                  │ 133530                 │
     │ yy.mm.dd.hh.mm.ss         │ 99:07:02:13:35:30      │
     │ hh:mm[:ss]                │ 13:35:30               │
     │ ldate:ltime               │ 07-07-99:13:35:30      │
     │ dd-month-yyyy:hh:mm[:ss]  │ 02-july-1999:13:35:30  │
     └───────────────────────────┴────────────────────────┘

     Variable   Description
     dd         day
     hh         hour (24-hour clock)
     mm         minutes
     ss         seconds
     yy         year within century (0-68 is 2000 to 2068;
                69-99 is 1969 to 1999)
     yyyy       year including century
     month      locale's full or abbreviated month name
     ldate      locale's appropriate date representation
     ltime      locale's appropriate time representation

     The following time duration formats can be used for the -l lifetime, -r
     renewable_life, and -s start_time options. The examples are based on
     the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.

     ┌───────────────────────┬──────────────┐
     │ Time Duration Format  │ Example      │
     ├───────────────────────┼──────────────┤
     │ #d                    │ 14d          │
     │ #h                    │ 7h           │
     │ #m                    │ 5m           │
     │ #s                    │ 30s          │
     │ #d#h#m#s              │ 14d7h5m30s   │
     │ #h#m[#s]              │ 7h5m30s      │
     │ days-hh:mm:ss         │ 14-07:05:30  │
     │ hours:mm[:ss]         │ 7:05:30      │
     └───────────────────────┴──────────────┘

     Delimiter  Description
     d          number of days
     h          number of hours
     m          number of minutes
     s          number of seconds

     Variable   Description
     #          number
     days       number of days
     hours      number of hours
     hh         hour (24-hour clock)
     mm         minutes
     ss         seconds
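     The duration formats in the table above, together with the "minimum of
     the following" rule stated under -l and -r, as an added Python example
     (not part of the kinit(1) man page or of the Solaris Kerberos code). The
     four limit values passed to effective_lifetime are constructed sample
     inputs standing in for the command line, kdc.conf, and the two database
     entries.

```python
import re

# Patterns for the duration formats listed in the kinit(1) Time Formats
# table. Every unit in #d#h#m#s is optional, but at least one must appear.
_UNITS = re.compile(r'^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$')
_DAYS_HMS = re.compile(r'^(\d+)-(\d{1,2}):(\d{2}):(\d{2})$')   # days-hh:mm:ss
_HOURS_MS = re.compile(r'^(\d+):(\d{2})(?::(\d{2}))?$')         # hours:mm[:ss]


def parse_duration(text: str) -> int:
    """Return the number of seconds a kinit-style duration string denotes.

    Raises ValueError for input matching none of the table's formats; the
    absolute start_time formats are deliberately not accepted here.
    """
    text = text.strip()
    m = _DAYS_HMS.match(text)
    if m:
        d, h, mi, s = (int(x) for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    m = _HOURS_MS.match(text)
    if m:
        h, mi, s = m.groups()
        return int(h) * 3600 + int(mi) * 60 + int(s or 0)
    m = _UNITS.match(text)
    if m and text:  # the all-optional pattern also matches "", so reject that
        d, h, mi, s = (int(x or 0) for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    raise ValueError(f"unrecognized duration: {text!r}")


def effective_lifetime(requested: str, kdc_max: str,
                       server_max: str, user_max: str) -> int:
    """Apply the rule from the -l and -r descriptions: the granted (or
    renewable) lifetime is the minimum of the command-line value, the KDC
    configuration, the server principal's (krbtgt/realm) database entry and
    the user principal's database entry. All four are duration strings."""
    return min(parse_duration(v) for v in
               (requested, kdc_max, server_max, user_max))


if __name__ == "__main__":
    # Constructed sample: a 10d request is capped by the user's 8h entry.
    print(effective_lifetime("10d", "1d", "7d", "8h"))
```

     Note that for -s the page says kinit tries the absolute formats before
     the duration formats; this function only covers the duration half.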
ENVIRONMENT VARIABLES
     kinit uses the following environment variable:

     KRB5CCNAME            Location of the credentials (ticket) cache. See
                           krb5envvar(5) for syntax and details.

FILES
     /tmp/krb5cc_uid       Default credentials cache (uid is the decimal
                           UID of the user).

     /etc/krb5/krb5.keytab Default location for the local host's keytab
                           file.

     /etc/krb5/krb5.conf   Default location for the local host's
                           configuration file. See krb5.conf(4).

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │ Availability                │ SUNWkrbu                    │
     ├─────────────────────────────┼─────────────────────────────┤
     │ Interface Stability         │ See below.                  │
     └─────────────────────────────┴─────────────────────────────┘

     The command arguments are Evolving. The command output is Unstable.

SEE ALSO
     kdestroy(1), klist(1), kadmin(1M), ktkt_warnd(1M), libpkcs11(3LIB),
     kdc.conf(4), krb5.conf(4), attributes(5), kerberos(5), krb5envvar(5),
     pam_krb5(5)

NOTES
     On success, kinit notifies ktkt_warnd(1M) to alert the user when the
     initial credentials (ticket-granting ticket) are about to expire.

SunOS 5.11                        12 Nov 2008                          kinit(1)