xref: /freebsd/crypto/heimdal/kuser/kinit.1 (revision 7aa383846770374466b1dcb2cefd71bde9acf463)
1.\" Copyright (c) 1998 - 2003, 2006 Kungliga Tekniska H�gskolan
2.\" (Royal Institute of Technology, Stockholm, Sweden).
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\"
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\"
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\"
16.\" 3. Neither the name of the Institute nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" $Id: kinit.1 17822 2006-07-10 14:46:58Z lha $
33.\"
34.Dd April 25, 2006
35.Dt KINIT 1
36.Os HEIMDAL
37.Sh NAME
38.Nm kinit
39.Nm kauth
40.Nd acquire initial tickets
41.Sh SYNOPSIS
42.Nm kinit
43.Op Fl 4 | Fl -524init
44.Op Fl 9 | Fl -524convert
45.Op Fl -afslog
46.Oo Fl c Ar cachename \*(Ba Xo
47.Fl -cache= Ns Ar cachename
48.Xc
49.Oc
50.Op Fl f | Fl -forwardable
51.Oo Fl t Ar keytabname \*(Ba Xo
52.Fl -keytab= Ns Ar keytabname
53.Xc
54.Oc
55.Oo Fl l Ar time \*(Ba Xo
56.Fl -lifetime= Ns Ar time
57.Xc
58.Oc
59.Op Fl p | Fl -proxiable
60.Op Fl R | Fl -renew
61.Op Fl -renewable
62.Oo Fl r Ar time \*(Ba Xo
63.Fl -renewable-life= Ns Ar time
64.Xc
65.Oc
66.Oo Fl S Ar principal \*(Ba Xo
67.Fl -server= Ns Ar principal
68.Xc
69.Oc
70.Oo Fl s Ar time \*(Ba Xo
71.Fl -start-time= Ns Ar time
72.Xc
73.Oc
74.Op Fl k | Fl -use-keytab
75.Op Fl v | Fl -validate
76.Oo Fl e Ar enctypes \*(Ba Xo
77.Fl -enctypes= Ns Ar enctypes
78.Xc
79.Oc
80.Oo Fl a Ar addresses \*(Ba Xo
81.Fl -extra-addresses= Ns Ar addresses
82.Xc
83.Oc
84.Op Fl -password-file= Ns Ar filename
85.Op Fl -fcache-version= Ns Ar version-number
86.Op Fl A | Fl -no-addresses
87.Op Fl -anonymous
88.Op Fl -version
89.Op Fl -help
90.Op Ar principal Op Ar command
91.Sh DESCRIPTION
92.Nm
93is used to authenticate to the Kerberos server as
94.Ar principal ,
95or if none is given, a system generated default (typically your login
96name at the default realm), and acquire a ticket granting ticket that
97can later be used to obtain tickets for other services.
98.Pp
99If you have compiled
100.Nm kinit
101with Kerberos 4 support and you have a
102Kerberos 4 server,
103.Nm
104will detect this and get you Kerberos 4 tickets.
105.Pp
106Supported options:
107.Bl -tag -width Ds
108.It Xo
109.Fl c Ar cachename
110.Fl -cache= Ns Ar cachename
111.Xc
112The credentials cache to put the acquired ticket in, if other than
113default.
114.It Xo
115.Fl f ,
116.Fl -forwardable
117.Xc
118Get ticket that can be forwarded to another host.
119.It Xo
120.Fl t Ar keytabname ,
121.Fl -keytab= Ns Ar keytabname
122.Xc
123Don't ask for a password, but instead get the key from the specified
124keytab.
125.It Xo
126.Fl l Ar time ,
127.Fl -lifetime= Ns Ar time
128.Xc
129Specifies the lifetime of the ticket.
130The argument can either be in seconds, or a more human readable string
131like
132.Sq 1h .
133.It Xo
134.Fl p ,
135.Fl -proxiable
136.Xc
137Request tickets with the proxiable flag set.
138.It Xo
139.Fl R ,
140.Fl -renew
141.Xc
142Try to renew ticket.
143The ticket must have the
144.Sq renewable
145flag set, and must not be expired.
146.It Fl -renewable
147The same as
148.Fl -renewable-life ,
149with an infinite time.
150.It Xo
151.Fl r Ar time ,
152.Fl -renewable-life= Ns Ar time
153.Xc
154The max renewable ticket life.
155.It Xo
156.Fl S Ar principal ,
157.Fl -server= Ns Ar principal
158.Xc
159Get a ticket for a service other than krbtgt/LOCAL.REALM.
160.It Xo
161.Fl s Ar time ,
162.Fl -start-time= Ns Ar time
163.Xc
164Obtain a ticket that starts to be valid
165.Ar time
166(which can really be a generic time specification, like
167.Sq 1h )
168seconds into the future.
169.It Xo
170.Fl k ,
171.Fl -use-keytab
172.Xc
173The same as
174.Fl -keytab ,
175but with the default keytab name (normally
176.Ar FILE:/etc/krb5.keytab ) .
177.It Xo
178.Fl v ,
179.Fl -validate
180.Xc
181Try to validate an invalid ticket.
182.It Xo
183.Fl e ,
184.Fl -enctypes= Ns Ar enctypes
185.Xc
186Request tickets with this particular enctype.
187.It Xo
188.Fl -password-file= Ns Ar filename
189.Xc
190read the password from the first line of
191.Ar filename .
192If the
193.Ar filename
194is
195.Ar STDIN ,
196the password will be read from the standard input.
197.It Xo
198.Fl -fcache-version= Ns Ar version-number
199.Xc
200Create a credentials cache of version
201.Ar version-number .
202.It Xo
203.Fl a ,
204.Fl -extra-addresses= Ns Ar enctypes
205.Xc
206Adds a set of addresses that will, in addition to the systems local
207addresses, be put in the ticket.
208This can be useful if all addresses a client can use can't be
209automatically figured out.
210One such example is if the client is behind a firewall.
211Also settable via
212.Li libdefaults/extra_addresses
213in
214.Xr krb5.conf 5 .
215.It Xo
216.Fl A ,
217.Fl -no-addresses
218.Xc
219Request a ticket with no addresses.
220.It Xo
221.Fl -anonymous
222.Xc
223Request an anonymous ticket (which means that the ticket will be
224issued to an anonymous principal, typically
225.Dq anonymous@REALM ) .
226.El
227.Pp
228The following options are only available if
229.Nm
230has been compiled with support for Kerberos 4.
231.Bl -tag -width Ds
232.It Xo
233.Fl 4 ,
234.Fl -524init
235.Xc
236Try to convert the obtained Kerberos 5 krbtgt to a version 4
237compatible ticket.
238It will store this ticket in the default Kerberos 4 ticket file.
239.It Xo
240.Fl 9 ,
241.Fl -524convert
242.Xc
243only convert ticket to version 4
244.It Fl -afslog
245Gets AFS tickets, converts them to version 4 format, and stores them
246in the kernel.
247Only useful if you have AFS.
248.El
249.Pp
250The
251.Ar forwardable ,
252.Ar proxiable ,
253.Ar ticket_life ,
254and
255.Ar renewable_life
256options can be set to a default value from the
257.Dv appdefaults
258section in krb5.conf, see
259.Xr krb5_appdefault 3 .
260.Pp
261If  a
262.Ar command
263is given,
264.Nm kinit
265will set up new credentials caches, and AFS PAG, and then run the given
266command.
267When it finishes the credentials will be removed.
268.Sh ENVIRONMENT
269.Bl -tag -width Ds
270.It Ev KRB5CCNAME
271Specifies the default credentials cache.
272.It Ev KRB5_CONFIG
273The file name of
274.Pa krb5.conf ,
275the default being
276.Pa /etc/krb5.conf .
277.It Ev KRBTKFILE
278Specifies the Kerberos 4 ticket file to store version 4 tickets in.
279.El
280.\".Sh FILES
281.\".Sh EXAMPLES
282.\".Sh DIAGNOSTICS
283.Sh SEE ALSO
284.Xr kdestroy 1 ,
285.Xr klist 1 ,
286.Xr krb5_appdefault 3 ,
287.Xr krb5.conf 5
288.\".Sh STANDARDS
289.\".Sh HISTORY
290.\".Sh AUTHORS
291.\".Sh BUGS
292