kinit man page on OpenIndiana

Man page or keyword search:  
man Server   20441 pages
apropos Keyword Search (all sections)
Output format
OpenIndiana logo
[printable version]

kinit(1)			 User Commands			      kinit(1)

NAME
       kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
       /usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name]
	    [-k [-t keytab_file]] [-l lifetime]
	    [-r renewable_life] [-s start_time] [-S service_name]
	    [principal]

DESCRIPTION
       The  kinit command is used to obtain and cache an initial ticket-grant‐
       ing ticket (credential) for principal. This ticket is used for  authen‐
       tication	 by  the  Kerberos system. Only users with Kerberos principals
       can use the Kerberos system. For information about Kerberos principals,
       see kerberos(5).

       When  you use kinit without options, the utility prompts for your prin‐
       cipal and Kerberos password, and tries to authenticate your login  with
       the  local  Kerberos server. The principal can be specified on the com‐
       mand line if desired.

       If Kerberos authenticates the login attempt, kinit retrieves your  ini‐
       tial ticket-granting ticket and puts it in the ticket cache. By default
       your ticket is stored in the file /tmp/krb5cc_uid, where uid  specifies
       your user identification number. Tickets expire after a specified life‐
       time, after which kinit must be run again. Any existing contents of the
       cache are destroyed by kinit.

       Values  specified  in the command line override the values specified in
       the Kerberos configuration file for lifetime and renewable_life.

       The kdestroy(1) command can be  used  to	 destroy  any  active  tickets
       before you end your login session.

OPTIONS
       The following options are supported:

       -a		       Requests tickets with the local addresses.

       -A		       Requests address-less tickets.

       -c cache_name	       Uses  cache_name	 as  the  credentials (ticket)
			       cache name and location. If this option is  not
			       used,  the  default cache name and location are
			       used.

       -f		       Requests forwardable tickets.

       -F		       Not forwardable. Does not  request  forwardable
			       tickets.

			       Tickets	that  have  been  acquired on one host
			       cannot normally be  used	 on  another  host.  A
			       client  can  request  that the ticket be marked
			       forwardable. Once the TKT_FLG_FORWARDABLE  flag
			       is  set	on  a  ticket,	the  user can use this
			       ticket to request a new ticket, but with a dif‐
			       ferent  IP  address.  Thus, users can use their
			       current credentials to get credentials valid on
			       another	machine.  This option allows a user to
			       explicitly obtain a non-forwardable ticket.

       -k [-t keytab_file]     Requests a host ticket, obtained from a key  in
			       the  local  host's  keytab  file.  The name and
			       location of the keytab file  can	 be  specified
			       with  the -t keytab_file option. Otherwise, the
			       default name and location is used.

       -l lifetime	       Requests a ticket with the  lifetime  lifetime.
			       If  the -l option is not specified, the default
			       ticket lifetime (configured by  each  site)  is
			       used.  Specifying a ticket lifetime longer than
			       the maximum ticket lifetime (configured by each
			       site)  results  in  a  ticket  with the maximum
			       lifetime. See the Time Formats section for  the
			       valid  time duration formats that you can spec‐
			       ify for	lifetime.  See	kdc.conf(4)  and  kad‐
			       min(1M)	(for  getprinc	command	 to verify the
			       lifetime values for the server principal).

			       The lifetime of the  tickets  returned  is  the
			       minimum of the following:

				   o	  Value specified in the command line.

				   o	  Value	 specified in the KDC configu‐
					  ration file.

				   o	  Value specified in the Kerberos data
					  base	for  the  server principal. In
					  the	case   of   kinit,    it    is
					  krbtgt/realm name.

				   o	  Value	  specified  in	 the  Kerberos
					  database for the user principal.

       -p		       Requests proxiable tickets.

       -P		       Not proxiable. Does not request proxiable tick‐
			       ets.

			       A  proxiable ticket is a ticket that allows you
			       to get a ticket for a service with IP addresses
			       other  than  the	 ones  in  the Ticket Granting
			       Ticket. This option allows a user to explicitly
			       obtain a non-proxiable ticket.

       -r renewable_life       Requests	 renewable tickets, with a total life‐
			       time of renewable_life. See  the	 Time  Formats
			       section	for  the  valid	 time duration formats
			       that you can specify  for  renewable_life.  See
			       kdc.conf(4)  and	 kadmin(1M) (for getprinc com‐
			       mand to verify  the  lifetime  values  for  the
			       server principal).

			       The  renewable lifetime of the tickets returned
			       is the minimum of the following:

				   o	  Value specified in the command line.

				   o	  Value specified in the KDC  configu‐
					  ration file.

				   o	  Value specified in the Kerberos data
					  base for the	server	principal.  In
					  the	 case	 of   kinit,   it   is
					  krbtgt/realm name.

				   o	  Value	 specified  in	the   Kerberos
					  database for the user principal.

       -R		       Requests renewal of the ticket-granting ticket.
			       Notice  that  an	 expired  ticket   cannot   be
			       renewed, even if the ticket is still within its
			       renewable life.

       -s start_time	       Requests a postdated ticket, valid starting  at
			       start_time.  Postdated  tickets are issued with
			       the invalid flag set, and need to be  fed  back
			       to  the	KDC  before  use. See the Time Formats
			       section for either the valid absolute  time  or
			       time  duration formats that you can specify for
			       start_time. kinit attempts to match an absolute
			       time  first before trying to match a time dura‐
			       tion.

       -S service_name	       Specifies an alternate service name to use when
			       getting initial tickets.

       -v		       Requests that the ticket granting ticket in the
			       cache (with the invalid flag set) be passed  to
			       the KDC for validation. If the ticket is within
			       its requested time range, the cache is replaced
			       with the validated ticket.

       -V		       Verbose output. Displays further information to
			       the user, such as confirmation  of  authentica‐
			       tion and version.

       -X attribute[=value]    Specifies  a  pre-authentication	 attribute and
			       value to be passed to pre-authentication	 plug‐
			       ins.  The acceptable attribute and value values
			       vary from pre-authentication plugin to  plugin.
			       This  option can be specified multiple times to
			       specify multiple attributes.  If	 no  value  is
			       specified, it is assumed to be yes.

			       The  following attributes are recognized by the
			       OpenSSL pkinit pre-authentication mechanism:

			       X509_user_identity=URI	  Specifies  where  to
							  find	 user's	  X509
							  identity    informa‐
							  tion.

							  Valid	 URI types are
							  FILE,	 DIR,  PKCS11,
							  PKCS12, and ENV. See
							  the PKINIT URI Types
							  section for details.

			       X509_anchors=URI		  Specifies  where  to
							  find	trusted	  X509
							  anchor information.

							  Valid	 URI types are
							  FILE	and  DIR.  See
							  thePKINIT  URI Types
							  section for details.

			       flag_RSA_PROTOCOL[=yes]	  Specifies the use of
							  RSA, rather than the
							  default Diffie-Hell‐
							  man protoco.

   PKINIT URI Types
       FILE:file-name[,key-file-name]

	   This option has context-specific behavior.

	   X509_user_identity	 file-name  specifies the name of a PEM-format
				 file containing the  user's  certificate.  If
				 key-file-name	is  not	 specified, the user's
				 private key is expected to be in file-name as
				 well. Otherwise, key-file-name is the name of
				 the file  containing the private key.

	   X509_anchors		 file-name is assumed to be  the  name	of  an
				 OpenSSL-style	ca-bundle  file. The ca-bundle
				 file should be base-64 encoded.

       DIR:directory-name

	   This option has context-specific behavior.

	   X509_user_identity	 directory-name	 specifies  a  directory  with
				 files	named *.crt and *.key, where the first
				 part of the file name is the same for	match‐
				 ing  pairs  of	 certificate  and  private key
				 files. When a file with a  name  ending  with
				 .crt  is  found,  a matching file ending with
				 .key is assumed to contain the	 private  key.
				 If  no	 such file is found, then the certifi‐
				 cate in the .crt is not used.

	   X509_anchors		 directory-name is assumed to be  an  OpenSSL-
				 style	hashed CA directory where each CA cert
				 is stored in a file named  hash-of-ca-cert.#.
				 This  infrastructure  is  encouraged, but all
				 files in the directory are  examined  and  if
				 they  contain	certificates  (in PEM format),
				 and are used.

       PKCS12:pkcs12-file-name

	   pkcs12-file-name is the name of a PKCS #12 format file,  containing
	   the user's certificate and private key.

       PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certla‐
       bel=cert-label]

	   All keyword and values are optional. PKCS11 modules	(for  example,
	   opensc-pkcs11.so) must be installed as a crypto provider underlibp‐
	   kcs11(3LIB). slotid= and/or token= can be specified	to  force  the
	   use	of  a  particular  smard card reader or token if there is more
	   than one available. certid= and/or certlabel= can be	 specified  to
	   force  the selection of a particular certificate on the device. See
	   the pkinit_cert_match configuration option for more ways to	select
	   a particular certificate to use for pkinit.

       ENV:environment-variable-name

	   environment-variable-name  specifies	 the  name  of	an environment
	   variable which has been set to a value conforming  to  one  of  the
	   previous  values.  For  example,  ENV:X509_PROXY, where environment
	   variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.

   Time Formats
       The following absolute time formats can be used for the	-s  start_time
       option.	The  examples  are based on the date and time of July 2, 1999,
       1:35:30 p.m.

       ┌───────────────────────────────────────────────────────────┐
       │   Absolute Time Format			Example		   │
       │yymmddhhmm[ss]		      990702133530		   │
       │hhmm[ss]		      133530			   │
       │yy.mm.dd.hh.mm.ss	      99:07:02:13:35:30		   │
       │hh:mm[:ss]		      13:35:30			   │
       │ldate:ltime		      07-07-99:13:35:30		   │
       │dd-month-yyyy:hh:mm[:ss]      02-july-1999:13:35:30	   │
       └───────────────────────────────────────────────────────────┘

		Variable			   Description
       dd			     day
       hh			     hour (24-hour clock)
       mm			     minutes
       ss			     seconds
       yy			     year within century  (0-68	 is  2000  to
				     2068; 69-99 is 1969 to 1999)
       yyyy			     year including century
       month			     locale's full or abbreviated month name
       ldate			     locale's appropriate date representation
       ltime			     locale's appropriate time representation

       The following time duration formats can be used for the -l lifetime, -r
       renewable_life, and -s start_time options. The examples	are  based  on
       the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.

       ┌───────────────────────────────────────────────────────────┐
       │   Time Duration Format			Example		   │
       │#d			      14d			   │
       │#h			      7h			   │
       │#m			      5m			   │
       │#s			      30s			   │
       │#d#h#m#s		      14d7h5m30s		   │
       │#h#m[#s]		      7h5m30s			   │
       │days-hh:mm:ss		      14-07:05:30		   │
       │hours:mm[:ss]		      7:05:30			   │
       └───────────────────────────────────────────────────────────┘

		Delimiter		     Description
       d			     number of days
       h			     number of hours
       m			     number of minutes
       s			     number of seconds

		Variable		     Description
       #			     number
       days			     number of days
       hours			     number of hours
       hh			     hour (24-hour clock)
       mm			     minutes
       ss			     seconds

ENVIRONMENT VARIABLES
       kinit uses the following environment variable:

       KRB5CCNAME    Location	of   the   credentials	 (ticket)  cache.  See
		     krb5envvar(5) for syntax and details.

FILES
       /tmp/krb5cc_uid		Default credentials cache (uid is the  decimal
				UID of the user).

       /etc/krb5/krb5.keytab	Default	 location  for the local host's keytab
				file.

       /etc/krb5/krb5.conf	Default location for the local host's configu‐
				ration file. See krb5.conf(4).

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │service/security/kerberos-5  │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │See below.		   │
       └─────────────────────────────┴─────────────────────────────┘

       The command arguments are Committed. The command output is Uncommitted.

SEE ALSO
       kdestroy(1),  klist(1),	kadmin(1M),  ktkt_warnd(1M),  libpkcs11(3LIB),
       kdc.conf(4), krb5.conf(4), attributes(5),  kerberos(5),	krb5envvar(5),
       pam_krb5(5)

NOTES
       On  success,  kinit  notifies ktkt_warnd(1M) to alert the user when the
       initial credentials (ticket-granting ticket) are about to expire.

SunOS 5.11			  12 Nov 2008			      kinit(1)
[top]

List of man pages available for OpenIndiana

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net