.\" Copyright (c) 1998 - 2003, 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: kinit.1 17822 2006-07-10 14:46:58Z lha $
.\"
.Dd April 25, 2006
.Dt KINIT 1
.Os HEIMDAL
.Sh NAME
.Nm kinit
.Nm kauth
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl 4 | Fl -524init
.Op Fl 9 | Fl -524convert
.Op Fl -afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl -cache= Ns Ar cachename
.Xc
.Oc
.Op Fl f | Fl -forwardable
.Oo Fl t Ar keytabname \*(Ba Xo
.Fl -keytab= Ns Ar keytabname
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl -lifetime= Ns Ar time
.Xc
.Oc
.Op Fl p | Fl -proxiable
.Op Fl R | Fl -renew
.Op Fl -renewable
.Oo Fl r Ar time \*(Ba Xo
.Fl -renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl -server= Ns Ar principal
.Xc
.Oc
.Oo Fl s Ar time \*(Ba Xo
.Fl -start-time= Ns Ar time
.Xc
.Oc
.Op Fl k | Fl -use-keytab
.Op Fl v | Fl -validate
.Oo Fl e Ar enctypes \*(Ba Xo
.Fl -enctypes= Ns Ar enctypes
.Xc
.Oc
.Oo Fl a Ar addresses \*(Ba Xo
.Fl -extra-addresses= Ns Ar addresses
.Xc
.Oc
.Op Fl -password-file= Ns Ar filename
.Op Fl -fcache-version= Ns Ar version-number
.Op Fl A | Fl -no-addresses
.Op Fl -anonymous
.Op Fl -version
.Op Fl -help
.Op Ar principal Op Ar command
.Sh DESCRIPTION
.Nm
is used to authenticate to the Kerberos server as
.Ar principal ,
or if none is given, a system generated default (typically your login
name at the default realm), and acquire a ticket granting ticket that
can later be used to obtain tickets for other services.
.Pp
If you have compiled
.Nm kinit
with Kerberos 4 support and you have a
Kerberos 4 server,
.Nm
will detect this and get you Kerberos 4 tickets.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar cachename ,
.Fl -cache= Ns Ar cachename
.Xc
The credentials cache to put the acquired ticket in, if other than
default.
.It Xo
.Fl f ,
.Fl -forwardable
.Xc
Get a ticket that can be forwarded to another host.
.It Xo
.Fl t Ar keytabname ,
.Fl -keytab= Ns Ar keytabname
.Xc
Don't ask for a password, but instead get the key from the specified
keytab.
.It Xo
.Fl l Ar time ,
.Fl -lifetime= Ns Ar time
.Xc
Specifies the lifetime of the ticket.
The argument can either be in seconds, or a more human readable string
like
.Sq 1h .
.It Xo
.Fl p ,
.Fl -proxiable
.Xc
Request tickets with the proxiable flag set.
.It Xo
.Fl R ,
.Fl -renew
.Xc
Try to renew the ticket.
The ticket must have the
.Sq renewable
flag set, and must not be expired.
.It Fl -renewable
The same as
.Fl -renewable-life ,
with an infinite time.
.It Xo
.Fl r Ar time ,
.Fl -renewable-life= Ns Ar time
.Xc
The max renewable ticket life.
.It Xo
.Fl S Ar principal ,
.Fl -server= Ns Ar principal
.Xc
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Xo
.Fl s Ar time ,
.Fl -start-time= Ns Ar time
.Xc
Obtain a ticket that starts to be valid
.Ar time
(which can really be a generic time specification, like
.Sq 1h )
seconds into the future.
.It Xo
.Fl k ,
.Fl -use-keytab
.Xc
The same as
.Fl -keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Xo
.Fl v ,
.Fl -validate
.Xc
Try to validate an invalid ticket.
.It Xo
.Fl e Ar enctypes ,
.Fl -enctypes= Ns Ar enctypes
.Xc
Request tickets with this particular enctype.
.It Xo
.Fl -password-file= Ns Ar filename
.Xc
Read the password from the first line of
.Ar filename .
If the
.Ar filename
is
.Ar STDIN ,
the password will be read from the standard input.
.It Xo
.Fl -fcache-version= Ns Ar version-number
.Xc
Create a credentials cache of version
.Ar version-number .
.It Xo
.Fl a Ar addresses ,
.Fl -extra-addresses= Ns Ar addresses
.Xc
Adds a set of addresses that will, in addition to the system's local
addresses, be put in the ticket.
This can be useful if all addresses a client can use can't be
automatically figured out.
One such example is if the client is behind a firewall.
Also settable via
.Li libdefaults/extra_addresses
in
.Xr krb5.conf 5 .
.It Xo
.Fl A ,
.Fl -no-addresses
.Xc
Request a ticket with no addresses.
.It Xo
.Fl -anonymous
.Xc
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically
.Dq anonymous@REALM ) .
.El
.Pp
The following options are only available if
.Nm
has been compiled with support for Kerberos 4.
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl -524init
.Xc
Try to convert the obtained Kerberos 5 krbtgt to a version 4
compatible ticket.
It will store this ticket in the default Kerberos 4 ticket file.
.It Xo
.Fl 9 ,
.Fl -524convert
.Xc
Only convert the ticket to version 4.
.It Fl -afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel.
Only useful if you have AFS.
.El
.Pp
The
.Ar forwardable ,
.Ar proxiable ,
.Ar ticket_life ,
and
.Ar renewable_life
options can be set to a default value from the
.Dv appdefaults
section in krb5.conf, see
.Xr krb5_appdefault 3 .
.Pp
If a
.Ar command
is given,
.Nm kinit
will set up new credentials caches, and AFS PAG, and then run the given
command.
When it finishes the credentials will be removed.
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
Specifies the default credentials cache.
.It Ev KRB5_CONFIG
The file name of
.Pa krb5.conf ,
the default being
.Pa /etc/krb5.conf .
.It Ev KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.El
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr krb5_appdefault 3 ,
.Xr krb5.conf 5
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
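Added example, not part of the Heimdal manual page or sources: a POSIX shell wrapper around the --keytab, --lifetime and command options described above, which refuses a keytab that group or others can access and relies on kinit removing the credentials when the command finishes. The KINIT variable, the keytab path and the principal are assumptions, as is the pass-through of arguments after the command.

```shell
#!/bin/sh
# Added example, not from the Heimdal sources. Assumptions: KINIT names a
# Heimdal kinit; the keytab path and principal below are constructed placeholders.
# Usage: kinit_run /etc/app/job.keytab host/app.example.test@EXAMPLE.TEST 1h /usr/local/bin/sync-job
KINIT="${KINIT:-kinit}"

# A keytab holds the principal's long-term key, so treat it like a password:
# succeed only for a regular file (not a symlink) with no group/other bits.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Columns 5-10 of "ls -ln" are the group and other permission bits.
    [ "$(ls -ln -- "$1" | cut -c5-10)" = "------" ]
}

# kinit_run KEYTAB PRINCIPAL LIFETIME COMMAND [ARG...]
# Given a command, kinit sets up a new credentials cache, runs the command,
# and removes the credentials when it finishes, so no ticket outlives the job.
# Assumption: arguments after COMMAND are handed to it unchanged.
kinit_run() {
    if [ "$#" -lt 4 ]; then
        echo "usage: kinit_run keytab principal lifetime command [arg...]" >&2
        return 64
    fi
    keytab=$1; principal=$2; lifetime=$3
    shift 3
    if ! keytab_is_private "$keytab"; then
        echo "kinit_run: keytab missing or accessible to group/other: $keytab" >&2
        return 77
    fi
    # A short --lifetime bounds how long a copied ticket stays useful.
    "$KINIT" --keytab="FILE:$keytab" --lifetime="$lifetime" "$principal" "$@"
}
```

Unlike --password-file, this keeps no plaintext password on disk, but the keytab still needs the same file protection, which is what the permission check enforces.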