KINIT(1) User Commands KINIT(1)
NAME
kinit - obtain and cache Kerberos ticket-granting ticket
SYNOPSIS
/usr/bin/kinit [
-ARvV] [
-p |
-P] [
-f |
-F] [
-a] [
-c cache_name]
[
-k [
-t keytab_file]] [
-l lifetime]
[
-r renewable_life] [
-s start_time] [
-S service_name]
[
principal]
DESCRIPTION
The
kinit command is used to obtain and cache an initial ticket-
granting ticket (credential) for
principal. This ticket is used for
authentication by the Kerberos system. Only users with Kerberos
principals can use the Kerberos system. For information about
Kerberos principals, see
kerberos(7).
When you use
kinit without options, the utility prompts for your
principal and Kerberos password, and tries to authenticate your login
with the local Kerberos server. The
principal can be specified on the
command line if desired.
If Kerberos authenticates the login attempt,
kinit retrieves your
initial ticket-granting ticket and puts it in the ticket cache. By
default your ticket is stored in the file
/tmp/krb5cc_uid, where
uid specifies your user identification number. Tickets expire after a
specified lifetime, after which
kinit must be run again. Any existing
contents of the cache are destroyed by
kinit.
Values specified in the command line override the values specified in
the Kerberos configuration file for
lifetime and
renewable_life.
The
kdestroy(1) command can be used to destroy any active tickets
before you end your login session.
OPTIONS
The following options are supported:
-a Requests tickets with the local addresses.
-A Requests address-less tickets.
-c cache_name Uses
cache_name as the credentials (ticket)
cache name and location. If this option is
not used, the default cache name and location
are used.
-f Requests forwardable tickets.
-F Not forwardable. Does not request forwardable
tickets.
Tickets that have been acquired on one host
cannot normally be used on another host. A
client can request that the ticket be marked
forwardable. Once the
TKT_FLG_FORWARDABLE flag is set on a ticket, the user can use
this ticket to request a new ticket, but with
a different
IP address. Thus, users can use
their current credentials to get credentials
valid on another machine. This option allows
a user to explicitly obtain a non-forwardable
ticket.
-k [
-t keytab_file]
Requests a host ticket, obtained from a key
in the local host's
keytab file. The name and
location of the keytab file can be specified
with the
-t keytab_file option. Otherwise,
the default name and location is used.
-l lifetime Requests a ticket with the lifetime
lifetime.
If the
-l option is not specified, the
default ticket lifetime (configured by each
site) is used. Specifying a ticket lifetime
longer than the maximum ticket lifetime
(configured by each site) results in a ticket
with the maximum lifetime. See the
Time Formats section for the valid time duration
formats that you can specify for
lifetime.
See
kdc.conf(5) and
kadmin(8) (for
getprinc command to verify the lifetime values for the
server principal).
The lifetime of the tickets returned is the
minimum of the following:
o Value specified in the command
line.
o Value specified in the
KDC configuration file.
o Value specified in the Kerberos
data base for the server
principal. In the case of
kinit,
it is
krbtgt/realm name.
o Value specified in the Kerberos
database for the user principal.
-p Requests proxiable tickets.
-P Not proxiable. Does not request proxiable
tickets.
A proxiable ticket is a ticket that allows
you to get a ticket for a service with
IP addresses other than the ones in the Ticket
Granting Ticket. This option allows a user to
explicitly obtain a non-proxiable ticket.
-r renewable_life Requests renewable tickets, with a total
lifetime of
renewable_life. See the
Time Formats section for the valid time duration
formats that you can specify for
renewable_life. See
kdc.conf(5) and
kadmin(8) (for
getprinc command to verify the lifetime
values for the server principal).
The renewable lifetime of the tickets
returned is the minimum of the following:
o Value specified in the command
line.
o Value specified in the
KDC configuration file.
o Value specified in the Kerberos
data base for the server
principal. In the case of
kinit,
it is
krbtgt/realm name.
o Value specified in the Kerberos
database for the user principal.
-R Requests renewal of the ticket-granting
ticket. Notice that an expired ticket cannot
be renewed, even if the ticket is still
within its renewable life.
-s start_time Requests a postdated ticket, valid starting
at
start_time. Postdated tickets are issued
with the
invalid flag set, and need to be fed
back to the
KDC before use. See the
Time Formats section for either the valid absolute
time or time duration formats that you can
specify for
start_time.
kinit attempts to
match an absolute time first before trying to
match a time duration.
-S service_name Specifies an alternate service name to use
when getting initial tickets.
-v Requests that the ticket granting ticket in
the cache (with the
invalid flag set) be
passed to the
KDC for validation. If the
ticket is within its requested time range,
the cache is replaced with the validated
ticket.
-V Verbose output. Displays further information
to the user, such as confirmation of
authentication and version.
-X attribute[=
value]
Specifies a pre-authentication attribute and
value to be passed to pre-authentication
plugins. The acceptable
attribute and
value values vary from pre-authentication plugin to
plugin. This option can be specified multiple
times to specify multiple attributes. If no
value is specified, it is assumed to be
yes.
The following attributes are recognized by
the OpenSSL
pkinit pre-authentication
mechanism:
X509_user_identity=URI Specifies where to
find user's X509
identity
information.
Valid URI types
are
FILE,
DIR,
PKCS11,
PKCS12,
and
ENV. See the
PKINIT URI Types section for
details.
X509_anchors=URI Specifies where to
find trusted X509
anchor
information.
Valid URI types
are
FILE and
DIR.
See the
PKINIT URI Types section for
details.
flag_RSA_PROTOCOL[=yes] Specifies the use
of RSA, rather
than the default
Diffie-Hellman
protocol.
PKINIT URI Types
FILE:file-name[,
key-file-name]
This option has context-specific behavior.
X509_user_identity file-name specifies the name of a PEM-
format file containing the user's
certificate. If
key-file-name is not
specified, the user's private key is
expected to be in
file-name as well.
Otherwise,
key-file-name is the name of the
file containing the private key.
X509_anchors file-name is assumed to be the name of an
OpenSSL-style ca-bundle file. The
ca- bundle file should be base-64 encoded.
DIR:directory-name This option has context-specific behavior.
X509_user_identity directory-name specifies a directory with
files named
*.crt and
*.key, where the
first part of the file name is the same for
matching pairs of certificate and private
key files. When a file with a name ending
with
.crt is found, a matching file ending
with
.key is assumed to contain the private
key. If no such file is found, then the
certificate in the
.crt is not used.
X509_anchors directory-name is assumed to be an OpenSSL-
style hashed CA directory where each CA
cert is stored in a file named
hash-of-ca- cert.#. This infrastructure is encouraged,
but all files in the directory are examined
and if they contain certificates (in PEM
format), and are used.
PKCS12:pkcs12-file-name pkcs12-file-name is the name of a
PKCS #12 format file,
containing the user's certificate and private key.
PKCS11:[slotid=slot-id][:token=
token-label][:certid=
cert- id][:certlabel=
cert-label]
All keyword and values are optional. PKCS11 modules (for example,
opensc-pkcs11.so) must be installed as a crypto provider under
libpkcs11(3LIB).
slotid= and/or
token= can be specified to force
the use of a particular smard card reader or token if there is
more than one available.
certid= and/or
certlabel= can be
specified to force the selection of a particular certificate on
the device. See the
pkinit_cert_match configuration option for
more ways to select a particular certificate to use for
pkinit.
ENV:environment-variable-name environment-variable-name specifies the name of an environment
variable which has been set to a value conforming to one of the
previous values. For example,
ENV:X509_PROXY, where environment
variable
X509_PROXY has been set to
FILE:/tmp/my_proxy.pem.
Time Formats
The following absolute time formats can be used for the
-s start_time option. The examples are based on the date and time of July 2, 1999,
1:35:30 p.m.
+-------------------------------------------------+
| Absolute Time Format Example |
|
yymmddhhmm[
ss] 990702133530 |
|
hhmm[
ss] 133530 |
|
yy.
mm.
dd.
hh.
mm.
ss 99:07:02:13:35:30 |
|
hh:
mm[:
ss] 13:35:30 |
|
ldate:
ltime 07-07-99:13:35:30 |
|
dd-
month-
yyyy:
hh:
mm[:
ss] 02-july-1999:13:35:30 |
+-------------------------------------------------+
Variable Description
dd day
hh hour (24-hour clock)
mm minutes
ss seconds
yy year within century (0-68 is 2000 to
2068; 69-99 is 1969 to 1999)
yyyy year including century
month locale's full or abbreviated month name
ldate locale's appropriate date representation
ltime locale's appropriate time representation
The following time duration formats can be used for the
-l lifetime,
-r renewable_life, and
-s start_time options. The examples are based
on the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.
+-----------------------------------+
|Time Duration Format Example |
|
#d 14d |
|
#h 7h |
|
#m 5m |
|
#s 30s |
|
#d
#h
#m
#s 14d7h5m30s |
|
#h
#m[
#s] 7h5m30s |
|
days-
hh:
mm:
ss 14-07:05:30 |
|
hours:
mm[:
ss] 7:05:30 |
+-----------------------------------+
Delimiter Description
d number of days
h number of hours
m number of minutes
s number of seconds
Variable Description
# number
days number of days
hours number of hours
hh hour (24-hour clock)
mm minutes
ss seconds
ENVIRONMENT VARIABLES
kinit uses the following environment variable:
KRB5CCNAME Location of the credentials (ticket) cache. See
krb5envvar(7) for syntax and details.
FILES
/tmp/krb5cc_uid Default credentials cache (
uid is the
decimal
UID of the user).
/etc/krb5/krb5.keytab Default location for the local host's
keytab file.
/etc/krb5/krb5.conf Default location for the local host's
configuration file. See
krb5.conf(5).
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | See below. |
+--------------------+-----------------+
The command arguments are Evolving. The command output is Unstable.
SEE ALSO
kdestroy(1),
klist(1),
libpkcs11(3LIB),
kdc.conf(5),
krb5.conf(5),
attributes(7),
kerberos(7),
krb5envvar(7),
pam_krb5(7),
kadmin(8),
ktkt_warnd(8)NOTES
On success,
kinit notifies
ktkt_warnd(8) to alert the user when the
initial credentials (ticket-granting ticket) are about to expire.
June 20, 2021 KINIT(1)
