|
jpayne@68
|
1 .\" Man page generated from reStructuredText.
|
|
jpayne@68
|
2 .
|
|
jpayne@68
|
3 .TH "KINIT" "1" " " "1.20.1" "MIT Kerberos"
|
|
jpayne@68
|
4 .SH NAME
|
|
jpayne@68
|
5 kinit \- obtain and cache Kerberos ticket-granting ticket
|
|
jpayne@68
|
6 .
|
|
jpayne@68
|
7 .nr rst2man-indent-level 0
|
|
jpayne@68
|
8 .
|
|
jpayne@68
|
9 .de1 rstReportMargin
|
|
jpayne@68
|
10 \\$1 \\n[an-margin]
|
|
jpayne@68
|
11 level \\n[rst2man-indent-level]
|
|
jpayne@68
|
12 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
13 -
|
|
jpayne@68
|
14 \\n[rst2man-indent0]
|
|
jpayne@68
|
15 \\n[rst2man-indent1]
|
|
jpayne@68
|
16 \\n[rst2man-indent2]
|
|
jpayne@68
|
17 ..
|
|
jpayne@68
|
18 .de1 INDENT
|
|
jpayne@68
|
19 .\" .rstReportMargin pre:
|
|
jpayne@68
|
20 . RS \\$1
|
|
jpayne@68
|
21 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
jpayne@68
|
22 . nr rst2man-indent-level +1
|
|
jpayne@68
|
23 .\" .rstReportMargin post:
|
|
jpayne@68
|
24 ..
|
|
jpayne@68
|
25 .de UNINDENT
|
|
jpayne@68
|
26 . RE
|
|
jpayne@68
|
27 .\" indent \\n[an-margin]
|
|
jpayne@68
|
28 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
29 .nr rst2man-indent-level -1
|
|
jpayne@68
|
30 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
31 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
jpayne@68
|
32 ..
|
|
jpayne@68
|
33 .SH SYNOPSIS
|
|
jpayne@68
|
34 .sp
|
|
jpayne@68
|
35 \fBkinit\fP
|
|
jpayne@68
|
36 [\fB\-V\fP]
|
|
jpayne@68
|
37 [\fB\-l\fP \fIlifetime\fP]
|
|
jpayne@68
|
38 [\fB\-s\fP \fIstart_time\fP]
|
|
jpayne@68
|
39 [\fB\-r\fP \fIrenewable_life\fP]
|
|
jpayne@68
|
40 [\fB\-p\fP | \-\fBP\fP]
|
|
jpayne@68
|
41 [\fB\-f\fP | \-\fBF\fP]
|
|
jpayne@68
|
42 [\fB\-a\fP]
|
|
jpayne@68
|
43 [\fB\-A\fP]
|
|
jpayne@68
|
44 [\fB\-C\fP]
|
|
jpayne@68
|
45 [\fB\-E\fP]
|
|
jpayne@68
|
46 [\fB\-v\fP]
|
|
jpayne@68
|
47 [\fB\-R\fP]
|
|
jpayne@68
|
48 [\fB\-k\fP [\fB\-i\fP | \-\fBt\fP \fIkeytab_file\fP]]
|
|
jpayne@68
|
49 [\fB\-c\fP \fIcache_name\fP]
|
|
jpayne@68
|
50 [\fB\-n\fP]
|
|
jpayne@68
|
51 [\fB\-S\fP \fIservice_name\fP]
|
|
jpayne@68
|
52 [\fB\-I\fP \fIinput_ccache\fP]
|
|
jpayne@68
|
53 [\fB\-T\fP \fIarmor_ccache\fP]
|
|
jpayne@68
|
54 [\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
|
|
jpayne@68
|
55 [\fB\-\-request\-pac\fP | \fB\-\-no\-request\-pac\fP]
|
|
jpayne@68
|
56 [\fIprincipal\fP]
|
|
jpayne@68
|
57 .SH DESCRIPTION
|
|
jpayne@68
|
58 .sp
|
|
jpayne@68
|
59 kinit obtains and caches an initial ticket\-granting ticket for
|
|
jpayne@68
|
60 \fIprincipal\fP\&. If \fIprincipal\fP is absent, kinit chooses an appropriate
|
|
jpayne@68
|
61 principal name based on existing credential cache contents or the
|
|
jpayne@68
|
62 local username of the user invoking kinit. Some options modify the
|
|
jpayne@68
|
63 choice of principal name.
|
|
jpayne@68
|
64 .SH OPTIONS
|
|
jpayne@68
|
65 .INDENT 0.0
|
|
jpayne@68
|
66 .TP
|
|
jpayne@68
|
67 \fB\-V\fP
|
|
jpayne@68
|
68 display verbose output.
|
|
jpayne@68
|
69 .TP
|
|
jpayne@68
|
70 \fB\-l\fP \fIlifetime\fP
|
|
jpayne@68
|
71 (duration string.) Requests a ticket with the lifetime
|
|
jpayne@68
|
72 \fIlifetime\fP\&.
|
|
jpayne@68
|
73 .sp
|
|
jpayne@68
|
74 For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&.
|
|
jpayne@68
|
75 .sp
|
|
jpayne@68
|
76 If the \fB\-l\fP option is not specified, the default ticket lifetime
|
|
jpayne@68
|
77 (configured by each site) is used. Specifying a ticket lifetime
|
|
jpayne@68
|
78 longer than the maximum ticket lifetime (configured by each site)
|
|
jpayne@68
|
79 will not override the configured maximum ticket lifetime.
|
|
jpayne@68
|
80 .TP
|
|
jpayne@68
|
81 \fB\-s\fP \fIstart_time\fP
|
|
jpayne@68
|
82 (duration string.) Requests a postdated ticket. Postdated
|
|
jpayne@68
|
83 tickets are issued with the \fBinvalid\fP flag set, and need to be
|
|
jpayne@68
|
84 resubmitted to the KDC for validation before use.
|
|
jpayne@68
|
85 .sp
|
|
jpayne@68
|
86 \fIstart_time\fP specifies the duration of the delay before the ticket
|
|
jpayne@68
|
87 can become valid.
|
|
jpayne@68
|
88 .TP
|
|
jpayne@68
|
89 \fB\-r\fP \fIrenewable_life\fP
|
|
jpayne@68
|
90 (duration string.) Requests renewable tickets, with a total
|
|
jpayne@68
|
91 lifetime of \fIrenewable_life\fP\&.
|
|
jpayne@68
|
92 .TP
|
|
jpayne@68
|
93 \fB\-f\fP
|
|
jpayne@68
|
94 requests forwardable tickets.
|
|
jpayne@68
|
95 .TP
|
|
jpayne@68
|
96 \fB\-F\fP
|
|
jpayne@68
|
97 requests non\-forwardable tickets.
|
|
jpayne@68
|
98 .TP
|
|
jpayne@68
|
99 \fB\-p\fP
|
|
jpayne@68
|
100 requests proxiable tickets.
|
|
jpayne@68
|
101 .TP
|
|
jpayne@68
|
102 \fB\-P\fP
|
|
jpayne@68
|
103 requests non\-proxiable tickets.
|
|
jpayne@68
|
104 .TP
|
|
jpayne@68
|
105 \fB\-a\fP
|
|
jpayne@68
|
106 requests tickets restricted to the host\(aqs local address[es].
|
|
jpayne@68
|
107 .TP
|
|
jpayne@68
|
108 \fB\-A\fP
|
|
jpayne@68
|
109 requests tickets not restricted by address.
|
|
jpayne@68
|
110 .TP
|
|
jpayne@68
|
111 \fB\-C\fP
|
|
jpayne@68
|
112 requests canonicalization of the principal name, and allows the
|
|
jpayne@68
|
113 KDC to reply with a different client principal from the one
|
|
jpayne@68
|
114 requested.
|
|
jpayne@68
|
115 .TP
|
|
jpayne@68
|
116 \fB\-E\fP
|
|
jpayne@68
|
117 treats the principal name as an enterprise name.
|
|
jpayne@68
|
118 .TP
|
|
jpayne@68
|
119 \fB\-v\fP
|
|
jpayne@68
|
120 requests that the ticket\-granting ticket in the cache (with the
|
|
jpayne@68
|
121 \fBinvalid\fP flag set) be passed to the KDC for validation. If the
|
|
jpayne@68
|
122 ticket is within its requested time range, the cache is replaced
|
|
jpayne@68
|
123 with the validated ticket.
|
|
jpayne@68
|
124 .TP
|
|
jpayne@68
|
125 \fB\-R\fP
|
|
jpayne@68
|
126 requests renewal of the ticket\-granting ticket. Note that an
|
|
jpayne@68
|
127 expired ticket cannot be renewed, even if the ticket is still
|
|
jpayne@68
|
128 within its renewable life.
|
|
jpayne@68
|
129 .sp
|
|
jpayne@68
|
130 Note that renewable tickets that have expired as reported by
|
|
jpayne@68
|
131 klist(1) may sometimes be renewed using this option,
|
|
jpayne@68
|
132 because the KDC applies a grace period to account for client\-KDC
|
|
jpayne@68
|
133 clock skew. See krb5.conf(5) \fBclockskew\fP setting.
|
|
jpayne@68
|
134 .TP
|
|
jpayne@68
|
135 \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
|
|
jpayne@68
|
136 requests a ticket, obtained from a key in the local host\(aqs keytab.
|
|
jpayne@68
|
137 The location of the keytab may be specified with the \fB\-t\fP
|
|
jpayne@68
|
138 \fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use
|
|
jpayne@68
|
139 of the default client keytab; otherwise the default keytab will be
|
|
jpayne@68
|
140 used. By default, a host ticket for the local host is requested,
|
|
jpayne@68
|
141 but any principal may be specified. On a KDC, the special keytab
|
|
jpayne@68
|
142 location \fBKDB:\fP can be used to indicate that kinit should open
|
|
jpayne@68
|
143 the KDC database and look up the key directly. This permits an
|
|
jpayne@68
|
144 administrator to obtain tickets as any principal that supports
|
|
jpayne@68
|
145 authentication based on the key.
|
|
jpayne@68
|
146 .TP
|
|
jpayne@68
|
147 \fB\-n\fP
|
|
jpayne@68
|
148 Requests anonymous processing. Two types of anonymous principals
|
|
jpayne@68
|
149 are supported.
|
|
jpayne@68
|
150 .sp
|
|
jpayne@68
|
151 For fully anonymous Kerberos, configure pkinit on the KDC and
|
|
jpayne@68
|
152 configure \fBpkinit_anchors\fP in the client\(aqs krb5.conf(5)\&.
|
|
jpayne@68
|
153 Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP
|
|
jpayne@68
|
154 (an empty principal name followed by the at\-sign and a realm
|
|
jpayne@68
|
155 name). If permitted by the KDC, an anonymous ticket will be
|
|
jpayne@68
|
156 returned.
|
|
jpayne@68
|
157 .sp
|
|
jpayne@68
|
158 A second form of anonymous tickets is supported; these
|
|
jpayne@68
|
159 realm\-exposed tickets hide the identity of the client but not the
|
|
jpayne@68
|
160 client\(aqs realm. For this mode, use \fBkinit \-n\fP with a normal
|
|
jpayne@68
|
161 principal name. If supported by the KDC, the principal (but not
|
|
jpayne@68
|
162 realm) will be replaced by the anonymous principal.
|
|
jpayne@68
|
163 .sp
|
|
jpayne@68
|
164 As of release 1.8, the MIT Kerberos KDC only supports fully
|
|
jpayne@68
|
165 anonymous operation.
|
|
jpayne@68
|
166 .UNINDENT
|
|
jpayne@68
|
167 .sp
|
|
jpayne@68
|
168 \fB\-I\fP \fIinput_ccache\fP
|
|
jpayne@68
|
169 .INDENT 0.0
|
|
jpayne@68
|
170 .INDENT 3.5
|
|
jpayne@68
|
171 Specifies the name of a credentials cache that already contains a
|
|
jpayne@68
|
172 ticket. When obtaining that ticket, if information about how that
|
|
jpayne@68
|
173 ticket was obtained was also stored to the cache, that information
|
|
jpayne@68
|
174 will be used to affect how new credentials are obtained, including
|
|
jpayne@68
|
175 preselecting the same methods of authenticating to the KDC.
|
|
jpayne@68
|
176 .UNINDENT
|
|
jpayne@68
|
177 .UNINDENT
|
|
jpayne@68
|
178 .INDENT 0.0
|
|
jpayne@68
|
179 .TP
|
|
jpayne@68
|
180 \fB\-T\fP \fIarmor_ccache\fP
|
|
jpayne@68
|
181 Specifies the name of a credentials cache that already contains a
|
|
jpayne@68
|
182 ticket. If supported by the KDC, this cache will be used to armor
|
|
jpayne@68
|
183 the request, preventing offline dictionary attacks and allowing
|
|
jpayne@68
|
184 the use of additional preauthentication mechanisms. Armoring also
|
|
jpayne@68
|
185 makes sure that the response from the KDC is not modified in
|
|
jpayne@68
|
186 transit.
|
|
jpayne@68
|
187 .TP
|
|
jpayne@68
|
188 \fB\-c\fP \fIcache_name\fP
|
|
jpayne@68
|
189 use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
|
|
jpayne@68
|
190 location. If this option is not used, the default cache location
|
|
jpayne@68
|
191 is used.
|
|
jpayne@68
|
192 .sp
|
|
jpayne@68
|
193 The default cache location may vary between systems. If the
|
|
jpayne@68
|
194 \fBKRB5CCNAME\fP environment variable is set, its value is used to
|
|
jpayne@68
|
195 locate the default cache. If a principal name is specified and
|
|
jpayne@68
|
196 the type of the default cache supports a collection (such as the
|
|
jpayne@68
|
197 DIR type), an existing cache containing credentials for the
|
|
jpayne@68
|
198 principal is selected or a new one is created and becomes the new
|
|
jpayne@68
|
199 primary cache. Otherwise, any existing contents of the default
|
|
jpayne@68
|
200 cache are destroyed by kinit.
|
|
jpayne@68
|
201 .TP
|
|
jpayne@68
|
202 \fB\-S\fP \fIservice_name\fP
|
|
jpayne@68
|
203 specify an alternate service name to use when getting initial
|
|
jpayne@68
|
204 tickets.
|
|
jpayne@68
|
205 .TP
|
|
jpayne@68
|
206 \fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
|
|
jpayne@68
|
207 specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
|
|
jpayne@68
|
208 interpreted by pre\-authentication modules. The acceptable
|
|
jpayne@68
|
209 attribute and value values vary from module to module. This
|
|
jpayne@68
|
210 option may be specified multiple times to specify multiple
|
|
jpayne@68
|
211 attributes. If no value is specified, it is assumed to be "yes".
|
|
jpayne@68
|
212 .sp
|
|
jpayne@68
|
213 The following attributes are recognized by the PKINIT
|
|
jpayne@68
|
214 pre\-authentication mechanism:
|
|
jpayne@68
|
215 .INDENT 7.0
|
|
jpayne@68
|
216 .TP
|
|
jpayne@68
|
217 \fBX509_user_identity\fP=\fIvalue\fP
|
|
jpayne@68
|
218 specify where to find user\(aqs X509 identity information
|
|
jpayne@68
|
219 .TP
|
|
jpayne@68
|
220 \fBX509_anchors\fP=\fIvalue\fP
|
|
jpayne@68
|
221 specify where to find trusted X509 anchor information
|
|
jpayne@68
|
222 .TP
|
|
jpayne@68
|
223 \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
|
|
jpayne@68
|
224 specify use of RSA, rather than the default Diffie\-Hellman
|
|
jpayne@68
|
225 protocol
|
|
jpayne@68
|
226 .TP
|
|
jpayne@68
|
227 \fBdisable_freshness\fP[\fB=yes\fP]
|
|
jpayne@68
|
228 disable sending freshness tokens (for testing purposes only)
|
|
jpayne@68
|
229 .UNINDENT
|
|
jpayne@68
|
230 .TP
|
|
jpayne@68
|
231 \fB\-\-request\-pac\fP | \fB\-\-no\-request\-pac\fP
|
|
jpayne@68
|
232 mutually exclusive. If \fB\-\-request\-pac\fP is set, ask the KDC to
|
|
jpayne@68
|
233 include a PAC in authdata; if \fB\-\-no\-request\-pac\fP is set, ask the
|
|
jpayne@68
|
234 KDC not to include a PAC; if neither are set, the KDC will follow
|
|
jpayne@68
|
235 its default, which is typically is to include a PAC if doing so is
|
|
jpayne@68
|
236 supported.
|
|
jpayne@68
|
237 .UNINDENT
|
|
jpayne@68
|
238 .SH ENVIRONMENT
|
|
jpayne@68
|
239 .sp
|
|
jpayne@68
|
240 See kerberos(7) for a description of Kerberos environment
|
|
jpayne@68
|
241 variables.
|
|
jpayne@68
|
242 .SH FILES
|
|
jpayne@68
|
243 .INDENT 0.0
|
|
jpayne@68
|
244 .TP
|
|
jpayne@68
|
245 .B \fBFILE:/tmp/krb5cc_%{uid}\fP
|
|
jpayne@68
|
246 default location of Kerberos 5 credentials cache
|
|
jpayne@68
|
247 .TP
|
|
jpayne@68
|
248 .B \fBFILE:/etc/krb5.keytab\fP
|
|
jpayne@68
|
249 default location for the local host\(aqs keytab.
|
|
jpayne@68
|
250 .UNINDENT
|
|
jpayne@68
|
251 .SH SEE ALSO
|
|
jpayne@68
|
252 .sp
|
|
jpayne@68
|
253 klist(1), kdestroy(1), kerberos(7)
|
|
jpayne@68
|
254 .SH AUTHOR
|
|
jpayne@68
|
255 MIT
|
|
jpayne@68
|
256 .SH COPYRIGHT
|
|
jpayne@68
|
257 1985-2022, MIT
|
|
jpayne@68
|
258 .\" Generated by docutils manpage writer.
|
|
jpayne@68
|
259 .
|
