.\" $Id: kinit.1,v 1.20 2002/08/28 16:09:36 joda Exp $
.\"
.Dd May 29, 1998
.Dt KINIT 1
.Os HEIMDAL
.Sh NAME
.Nm kinit
.Nm kauth
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl 4 | Fl -524init
.Op Fl 9 | Fl -524convert
.Op Fl -afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl -cache= Ns Ar cachename
.Xc
.Oc
.Op Fl f | Fl -forwardable
.Oo Fl t Ar keytabname \*(Ba Xo
.Fl -keytab= Ns Ar keytabname
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl -lifetime= Ns Ar time
.Xc
.Oc
.Op Fl p | Fl -proxiable
.Op Fl R | Fl -renew
.Op Fl -renewable
.Oo Fl r Ar time \*(Ba Xo
.Fl -renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl -server= Ns Ar principal
.Xc
.Oc
.Oo Fl s Ar time \*(Ba Xo
.Fl -start-time= Ns Ar time
.Xc
.Oc
.Op Fl k | Fl -use-keytab
.Op Fl v | Fl -validate
.Oo Fl e Ar enctypes \*(Ba Xo
.Fl -enctypes= Ns Ar enctypes
.Xc
.Oc
.Oo Fl a Ar addresses \*(Ba Xo
.Fl -extra-addresses= Ns Ar addresses
.Xc
.Oc
.Op Fl -fcache-version= Ns Ar integer
.Op Fl -no-addresses
.Op Fl -anonymous
.Op Fl -version
.Op Fl -help
.Op Ar principal Op Ar command
.Sh DESCRIPTION
.Nm
is used to authenticate to the Kerberos server as
.Ar principal ,
or if none is given, a system-generated default (typically your login
name at the default realm), and acquire a ticket-granting ticket that
can later be used to obtain tickets for other services.
.Pp
If you have compiled
.Nm kinit
with Kerberos 4 support and you have a
Kerberos 4 server,
.Nm
will detect this and get you Kerberos 4 tickets.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar cachename ,
.Fl -cache= Ns Ar cachename
.Xc
The credentials cache to put the acquired ticket in, if other than
default.
.It Xo
.Fl f ,
.Fl -forwardable
.Xc
Get a ticket that can be forwarded to another host.
.It Xo
.Fl t Ar keytabname ,
.Fl -keytab= Ns Ar keytabname
.Xc
Don't ask for a password, but instead get the key from the specified
keytab.
.It Xo
.Fl l Ar time Ns ,
.Fl -lifetime= Ns Ar time
.Xc
Specifies the lifetime of the ticket. The argument can either be in
seconds, or a more human readable string like
.Sq 1h .
.It Xo
.Fl p ,
.Fl -proxiable
.Xc
Request tickets with the proxiable flag set.
.It Xo
.Fl R ,
.Fl -renew
.Xc
Try to renew ticket. The ticket must have the
.Sq renewable
flag set, and must not be expired.
.It Fl -renewable
The same as
.Fl -renewable-life ,
with an infinite time.
.It Xo
.Fl r Ar time ,
.Fl -renewable-life= Ns Ar time
.Xc
The maximum renewable ticket life.
.It Xo
.Fl S Ar principal ,
.Fl -server= Ns Ar principal
.Xc
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Xo
.Fl s Ar time ,
.Fl -start-time= Ns Ar time
.Xc
Obtain a ticket that starts to be valid
.Ar time
(which can really be a generic time specification, like
.Sq 1h )
seconds into the future.
.It Xo
.Fl k ,
.Fl -use-keytab
.Xc
The same as
.Fl -keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Xo
.Fl v ,
.Fl -validate
.Xc
Try to validate an invalid ticket.
.It Xo
.Fl e Ar enctypes ,
.Fl -enctypes= Ns Ar enctypes
.Xc
Request tickets with this particular enctype.
.It Xo
.Fl -fcache-version= Ns Ar version
.Xc
Create a credentials cache of version
.Ar version .
.It Xo
.Fl a Ar addresses ,
.Fl -extra-addresses= Ns Ar addresses
.Xc
Adds a set of addresses that will, in addition to the system's local
addresses, be put in the ticket. This can be useful if all addresses a
client can use can't be automatically figured out. One such example is
if the client is behind a firewall.
Also settable via
.Li libdefaults/extra_addresses
in
.Xr krb5.conf 5 .
.It Xo
.Fl -no-addresses
.Xc
Request a ticket with no addresses.
.It Xo
.Fl -anonymous
.Xc
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically
.Dq anonymous@REALM ) .
.El
.Pp
The following options are only available if
.Nm
has been compiled with support for Kerberos 4.
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl -524init
.Xc
Try to convert the obtained Kerberos 5 krbtgt to a version 4
compatible ticket. It will store this ticket in the default Kerberos 4
ticket file.
.It Xo
.Fl 9 ,
.Fl -524convert
.Xc
Only convert the ticket to version 4.
.It Fl -afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel. Only useful if you have AFS.
.El
.Pp
The
.Ar forwardable ,
.Ar proxiable ,
.Ar ticket_life ,
and
.Ar renewable_life
options can be set to a default value from the
.Dv appdefaults
section in krb5.conf, see
.Xr krb5_appdefault 3 .
.Pp
If a
.Ar command
is given,
.Nm kinit
will set up new credentials caches, and AFS PAG, and then run the given
command. When it finishes the credentials will be removed.
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
Specifies the default credentials cache.
.It Ev KRB5_CONFIG
The file name of
.Pa krb5.conf ,
the default being
.Pa /etc/krb5.conf .
.It Ev KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.El
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr krb5_appdefault 3 ,
.Xr krb5.conf 5
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
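The DESCRIPTION notes that forwardable, proxiable, ticket_life and renewable_life can take defaults from the appdefaults section of krb5.conf. The following added example (not part of the Heimdal distribution) lists every such assignment with its nesting, so an administrator can see which defaults are set and which of them turn on forwardable or proxiable tickets. The function names, the assumed krb5.conf layout and the sample file are constructed for illustration.

```shell
# Added example, not part of Heimdal. Assumed krb5.conf layout: "[section]"
# headers, "key = value" lines, "name = {" ... "}" sub-blocks, "#"/";" comments.
# Print "path<TAB>value" for every forwardable, proxiable, ticket_life or
# renewable_life assignment inside [appdefaults]; path shows the nesting.
audit_kinit_defaults() {
  awk '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[appdefaults\]/); depth = 0; next }
    !insec        { next }
    /=[ \t]*\{[ \t]*$/ {                  # "name = {" opens a sub-block
      name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]*/, "", name)
      stack[++depth] = name; next
    }
    /^[ \t]*\}/   { if (depth > 0) depth--; next }
    /=/ {
      key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
      if (key ~ /^(forwardable|proxiable|ticket_life|renewable_life)$/) {
        path = "appdefaults"
        for (i = 1; i <= depth; i++) path = path "/" stack[i]
        print path "/" key "\t" val
      }
    }
  ' "$1"
}

# Print only the entries that switch forwardable or proxiable on (value
# "yes" or "true", an assumption); exit status 0 if any were found.
delegation_defaults() {
  audit_kinit_defaults "$1" | awk -F '\t' '
    $1 ~ /\/(forwardable|proxiable)$/ && tolower($2) ~ /^(yes|true)$/ { n++; print }
    END { exit (n ? 0 : 1) }'
}

# Constructed sample configuration (not from a real host).
sample_conf() {
  cat <<'EOF'
[libdefaults]
    forwardable = true
[appdefaults]
    proxiable = false
    kinit = {
        forwardable = yes
        ticket_life = 10h
    }
EOF
}
sample_conf | audit_kinit_defaults -
```

Run against the file named by KRB5_CONFIG (or /etc/krb5.conf) to review a real host; the forwardable line under [libdefaults] in the sample is deliberately ignored because only appdefaults is scanned.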