xref: /freebsd/crypto/heimdal/kuser/kinit.1 (revision ae77177087c655fc883075af4f425b37e032cd05)
.\" Copyright (c) 1998 - 2003, 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd April 25, 2006
.Dt KINIT 1
.Os HEIMDAL
.Sh NAME
.Nm kinit
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl Fl afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl Fl cache= Ns Ar cachename
.Xc
.Oc
.Op Fl f | Fl Fl no-forwardable
.Oo Fl t Ar keytabname \*(Ba Xo
.Fl Fl keytab= Ns Ar keytabname
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl Fl lifetime= Ns Ar time
.Xc
.Oc
.Op Fl p | Fl Fl proxiable
.Op Fl R | Fl Fl renew
.Op Fl Fl renewable
.Oo Fl r Ar time \*(Ba Xo
.Fl Fl renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl Fl server= Ns Ar principal
.Xc
.Oc
.Oo Fl s Ar time \*(Ba Xo
.Fl Fl start-time= Ns Ar time
.Xc
.Oc
.Op Fl k | Fl Fl use-keytab
.Op Fl v | Fl Fl validate
.Oo Fl e Ar enctypes \*(Ba Xo
.Fl Fl enctypes= Ns Ar enctypes
.Xc
.Oc
.Oo Fl a Ar addresses \*(Ba Xo
.Fl Fl extra-addresses= Ns Ar addresses
.Xc
.Oc
.Op Fl Fl password-file= Ns Ar filename
.Op Fl Fl fcache-version= Ns Ar version-number
.Op Fl A | Fl Fl no-addresses
.Op Fl Fl anonymous
.Op Fl Fl enterprise
.Op Fl Fl version
.Op Fl Fl help
.Op Ar principal Op Ar command
.Sh DESCRIPTION
.Nm
is used to authenticate to the Kerberos server as
.Ar principal ,
or if none is given, a system-generated default (typically your login
name at the default realm), and acquire a ticket granting ticket that
can later be used to obtain tickets for other services.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl c Ar cachename , Fl Fl cache= Ns Ar cachename
The credentials cache to put the acquired ticket in, if other than
default.
.It Fl f , Fl Fl no-forwardable
Get a ticket that can be forwarded to another host, or if the negative
flag is used, don't request the forwardable flag.
.It Fl t Ar keytabname , Fl Fl keytab= Ns Ar keytabname
Don't ask for a password, but instead get the key from the specified
keytab.
.It Fl l Ar time , Fl Fl lifetime= Ns Ar time
Specifies the lifetime of the ticket.
The argument can either be in seconds, or a more human readable string
like
.Sq 1h .
.It Fl p , Fl Fl proxiable
Request tickets with the proxiable flag set.
.It Fl R , Fl Fl renew
Try to renew ticket.
The ticket must have the
.Sq renewable
flag set, and must not be expired.
.It Fl Fl renewable
The same as
.Fl Fl renewable-life ,
with an infinite time.
.It Fl r Ar time , Fl Fl renewable-life= Ns Ar time
The max renewable ticket life.
.It Fl S Ar principal , Fl Fl server= Ns Ar principal
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Fl s Ar time , Fl Fl start-time= Ns Ar time
Obtain a ticket that starts to be valid
.Ar time
(which can really be a generic time specification, like
.Sq 1h )
seconds into the future.
.It Fl k , Fl Fl use-keytab
The same as
.Fl Fl keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Fl v , Fl Fl validate
Try to validate an invalid ticket.
.It Fl e Ar enctypes , Fl Fl enctypes= Ns Ar enctypes
Request tickets with this particular enctype.
.It Fl Fl password-file= Ns Ar filename
Read the password from the first line of
.Ar filename .
If the
.Ar filename
is
.Ar STDIN ,
the password will be read from the standard input.
.It Fl Fl fcache-version= Ns Ar version-number
Create a credentials cache of version
.Ar version-number .
.It Fl a Ar addresses , Fl Fl extra-addresses= Ns Ar addresses
Adds a set of addresses that will, in addition to the system's local
addresses, be put in the ticket.
This can be useful if all addresses a client can use can't be
automatically figured out.
One such example is if the client is behind a firewall.
Also settable via
.Li libdefaults/extra_addresses
in
.Xr krb5.conf 5 .
.It Fl A , Fl Fl no-addresses
Request a ticket with no addresses.
.It Fl Fl anonymous
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically
.Dq anonymous@REALM ) .
.It Fl Fl enterprise
Parse principal as an enterprise (KRB5-NT-ENTERPRISE) name.
Enterprise names are email-like principals that are stored in the name
part of the principal, and since there are two @ characters the parser
needs to know that the first is not a realm.
An example of an enterprise name is
.Dq lha@e.kth.se@KTH.SE ,
and this option is usually used with canonicalize so that the
principal returned from the KDC will typically be the real principal
name.
.It Fl Fl afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel.
Only useful if you have AFS.
.El
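The two-@ ambiguity described under the enterprise option, shown as an added example that is not part of the Heimdal sources: a simplified principal splitter whose function name parse_principal and behaviour on malformed input are assumptions made for illustration.

```python
def parse_principal(text, enterprise=False):
    """Split a principal string into (name_components, realm).

    Simplified illustration, not Heimdal's parser.  An unescaped '/'
    separates name components and an unescaped '@' starts the realm.
    With enterprise=True the name is a single component: '/' is not a
    separator and the first unescaped '@' stays inside the name.
    """
    components, current = [], []
    keep_first_at = enterprise   # enterprise: the first '@' is not a realm marker
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            # A backslash makes the next character literal (e.g. '\@').
            if i + 1 >= len(text):
                raise ValueError("trailing backslash")
            current.append(text[i + 1])
            i += 2
            continue
        if ch == "@" and keep_first_at:
            keep_first_at = False
            current.append(ch)
        elif ch == "@" or (ch == "/" and not enterprise and not in_realm):
            if in_realm:
                raise ValueError("more than one realm separator")
            components.append("".join(current))
            current = []
            in_realm = ch == "@"
        else:
            current.append(ch)
        i += 1
    if in_realm:
        return components, "".join(current)
    # No realm given; a real client would fill in its default realm here.
    components.append("".join(current))
    return components, None


if __name__ == "__main__":
    name = "lha@e.kth.se@KTH.SE"          # example name from this page
    print(parse_principal(name, enterprise=True))
    try:
        parse_principal(name)             # without the enterprise rule
    except ValueError as err:
        print("rejected:", err)
```

Without the enterprise rule the same string only parses when the first @ is escaped with a backslash, which yields the same single-component name.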
.Pp
The
.Ar forwardable ,
.Ar proxiable ,
.Ar ticket_life ,
and
.Ar renewable_life
options can be set to a default value from the
.Dv appdefaults
section in krb5.conf, see
.Xr krb5_appdefault 3 .
.Pp
If a
.Ar command
is given,
.Nm
will set up new credentials caches, and AFS PAG, and then run the given
command.
When it finishes the credentials will be removed.
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
Specifies the default credentials cache.
.It Ev KRB5_CONFIG
The file name of
.Pa krb5.conf ,
the default being
.Pa /etc/krb5.conf .
.It Ev KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.El
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr krb5_appdefault 3 ,
.Xr krb5.conf 5
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS