xref: /freebsd/crypto/heimdal/kuser/kinit.1 (revision 6fd05b64b5b65dd4ba9b86482a0634a5f0b96c29)
.\" Copyright (c) 1998 - 2002 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: kinit.1,v 1.23 2003/04/06 17:49:05 lha Exp $
.\"
.Dd May 29, 1998
.Dt KINIT 1
.Os HEIMDAL
.Sh NAME
.Nm kinit
.Nm kauth
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl 4 | Fl -524init
.Op Fl 9 | Fl -524convert
.Op Fl -afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl -cache= Ns Ar cachename
.Xc
.Oc
.Op Fl f | Fl -forwardable
.Oo Fl t Ar keytabname \*(Ba Xo
.Fl -keytab= Ns Ar keytabname
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl -lifetime= Ns Ar time
.Xc
.Oc
.Op Fl p | Fl -proxiable
.Op Fl R | Fl -renew
.Op Fl -renewable
.Oo Fl r Ar time \*(Ba Xo
.Fl -renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl -server= Ns Ar principal
.Xc
.Oc
.Oo Fl s Ar time \*(Ba Xo
.Fl -start-time= Ns Ar time
.Xc
.Oc
.Op Fl k | Fl -use-keytab
.Op Fl v | Fl -validate
.Oo Fl e Ar enctypes \*(Ba Xo
.Fl -enctypes= Ns Ar enctypes
.Xc
.Oc
.Oo Fl a Ar addresses \*(Ba Xo
.Fl -extra-addresses= Ns Ar addresses
.Xc
.Oc
.Op Fl -fcache-version= Ns Ar integer
.Op Fl -no-addresses
.Op Fl -anonymous
.Op Fl -version
.Op Fl -help
.Op Ar principal Op Ar command
.Sh DESCRIPTION
.Nm
is used to authenticate to the Kerberos server as
.Ar principal ,
or if none is given, a system generated default (typically your login
name at the default realm), and acquire a ticket granting ticket that
can later be used to obtain tickets for other services.
.Pp
If you have compiled
.Nm kinit
with Kerberos 4 support and you have a
Kerberos 4 server,
.Nm
will detect this and get you Kerberos 4 tickets.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar cachename ,
.Fl -cache= Ns Ar cachename
.Xc
The credentials cache to put the acquired ticket in, if other than
default.
.It Xo
.Fl f ,
.Fl -forwardable
.Xc
Get a ticket that can be forwarded to another host.
.It Xo
.Fl t Ar keytabname ,
.Fl -keytab= Ns Ar keytabname
.Xc
Don't ask for a password, but instead get the key from the specified
keytab.
.It Xo
.Fl l Ar time ,
.Fl -lifetime= Ns Ar time
.Xc
Specifies the lifetime of the ticket. The argument can either be in
seconds, or a more human readable string like
.Sq 1h .
.It Xo
.Fl p ,
.Fl -proxiable
.Xc
Request tickets with the proxiable flag set.
.It Xo
.Fl R ,
.Fl -renew
.Xc
Try to renew the ticket. The ticket must have the
.Sq renewable
flag set, and must not be expired.
.It Fl -renewable
The same as
.Fl -renewable-life ,
with an infinite time.
.It Xo
.Fl r Ar time ,
.Fl -renewable-life= Ns Ar time
.Xc
The max renewable ticket life.
.It Xo
.Fl S Ar principal ,
.Fl -server= Ns Ar principal
.Xc
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Xo
.Fl s Ar time ,
.Fl -start-time= Ns Ar time
.Xc
Obtain a ticket that starts to be valid
.Ar time
(which can really be a generic time specification, like
.Sq 1h )
seconds into the future.
.It Xo
.Fl k ,
.Fl -use-keytab
.Xc
The same as
.Fl -keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Xo
.Fl v ,
.Fl -validate
.Xc
Try to validate an invalid ticket.
.It Xo
.Fl e Ar enctypes ,
.Fl -enctypes= Ns Ar enctypes
.Xc
Request tickets with this particular enctype.
.It Xo
.Fl -fcache-version= Ns Ar version
.Xc
Create a credentials cache of version
.Ar version .
.It Xo
.Fl a Ar addresses ,
.Fl -extra-addresses= Ns Ar addresses
.Xc
Adds a set of addresses that will, in addition to the system's local
addresses, be put in the ticket. This can be useful if all addresses a
client can use can't be automatically figured out. One such example is
if the client is behind a firewall. Also settable via
.Li libdefaults/extra_addresses
in
.Xr krb5.conf 5 .
.It Xo
.Fl -no-addresses
.Xc
Request a ticket with no addresses.
.It Xo
.Fl -anonymous
.Xc
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically
.Dq anonymous@REALM ) .
.El
.Pp
The following options are only available if
.Nm
has been compiled with support for Kerberos 4.
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl -524init
.Xc
Try to convert the obtained Kerberos 5 krbtgt to a version 4
compatible ticket. It will store this ticket in the default Kerberos 4
ticket file.
.It Xo
.Fl 9 ,
.Fl -524convert
.Xc
Only convert the ticket to version 4.
.It Fl -afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel. Only useful if you have AFS.
.El
.Pp
The
.Ar forwardable ,
.Ar proxiable ,
.Ar ticket_life ,
and
.Ar renewable_life
options can be set to a default value from the
.Dv appdefaults
section in krb5.conf, see
.Xr krb5_appdefault 3 .
.Pp
If a
.Ar command
is given,
.Nm kinit
will set up new credentials caches, and AFS PAG, and then run the given
command. When it finishes the credentials will be removed.
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
Specifies the default credentials cache.
.It Ev KRB5_CONFIG
The file name of
.Pa krb5.conf ,
the default being
.Pa /etc/krb5.conf .
.It Ev KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.El
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr krb5_appdefault 3 ,
.Xr krb5.conf 5
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
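The manual's EXAMPLES section is empty, so here is an added example (not part of the Heimdal sources) that combines the `--keytab` and `--lifetime` options with the trailing `command` form, where kinit sets up a new credentials cache for the command and removes the credentials when it finishes. The function names and the `KINIT` override variable are hypothetical, and the wrapper refuses a keytab that is not a private regular file owned by the caller, since a keytab holds long-term keys.

```shell
#!/bin/sh
# Added example: run one command with keytab-derived tickets that are
# removed when the command exits (the "principal command" form above).
# KINIT is a hypothetical override so the wrapper can be tested without a KDC.
KINIT=${KINIT:-kinit}

# Return 0 only if the keytab is a regular file (not a symlink), owned by
# the calling user, with no group or other permission bits set.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] && [ -O "$kt" ] || return 1
    mode=$(ls -ld -- "$kt")
    mode=${mode%% *}            # first field of ls -l, e.g. -rw-------
    case $mode in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Usage: run_with_tickets principal keytab lifetime command [args...]
run_with_tickets() {
    if [ "$#" -lt 4 ]; then
        echo "usage: run_with_tickets principal keytab lifetime command [args...]" >&2
        return 2
    fi
    principal=$1
    keytab=$2
    lifetime=$3
    shift 3
    if ! keytab_is_private "$keytab"; then
        echo "refusing keytab $keytab: not a private regular file owned by caller" >&2
        return 1
    fi
    # Options come first, then the principal, then the command kinit runs.
    "$KINIT" --keytab="$keytab" --lifetime="$lifetime" "$principal" "$@"
}

# Constructed sample invocation (placeholder principal and keytab path):
#   run_with_tickets host/www.example.org@EXAMPLE.ORG /etc/krb5.keytab 1h klist
```

A short `--lifetime` limits how long a copied ticket stays usable, and the per-command cache avoids leaving service tickets in a long-lived default cache.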