.\" Copyright (c) 1998 - 2003, 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd April 25, 2006
.Dt KINIT 1
.Os HEIMDAL
.Sh NAME
.Nm kinit
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl Fl afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl Fl cache= Ns Ar cachename
.Xc
.Oc
.Op Fl f | Fl Fl no-forwardable
.Oo Fl t Ar keytabname \*(Ba Xo
.Fl Fl keytab= Ns Ar keytabname
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl Fl lifetime= Ns Ar time
.Xc
.Oc
.Op Fl p | Fl Fl proxiable
.Op Fl R | Fl Fl renew
.Op Fl Fl renewable
.Oo Fl r Ar time \*(Ba Xo
.Fl Fl renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl Fl server= Ns Ar principal
.Xc
.Oc
.Oo Fl s Ar time \*(Ba Xo
.Fl Fl start-time= Ns Ar time
.Xc
.Oc
.Op Fl k | Fl Fl use-keytab
.Op Fl v | Fl Fl validate
.Oo Fl e Ar enctypes \*(Ba Xo
.Fl Fl enctypes= Ns Ar enctypes
.Xc
.Oc
.Oo Fl a Ar addresses \*(Ba Xo
.Fl Fl extra-addresses= Ns Ar addresses
.Xc
.Oc
.Op Fl Fl password-file= Ns Ar filename
.Op Fl Fl fcache-version= Ns Ar version-number
.Op Fl A | Fl Fl no-addresses
.Op Fl Fl anonymous
.Op Fl Fl enterprise
.Op Fl Fl version
.Op Fl Fl help
.Op Ar principal Op Ar command
.Sh DESCRIPTION
.Nm
is used to authenticate to the Kerberos server as
.Ar principal ,
or if none is given, a system-generated default (typically your login
name at the default realm), and acquire a ticket granting ticket that
can later be used to obtain tickets for other services.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl c Ar cachename , Fl Fl cache= Ns Ar cachename
The credentials cache to put the acquired ticket in, if other than
the default.
.It Fl f , Fl Fl no-forwardable
Get a ticket that can be forwarded to another host or, if the negative
flag is used, don't request the forwardable flag.
.It Fl t Ar keytabname , Fl Fl keytab= Ns Ar keytabname
Don't ask for a password, but instead get the key from the specified
keytab.
.It Fl l Ar time , Fl Fl lifetime= Ns Ar time
Specifies the lifetime of the ticket.
The argument can either be in seconds, or a more human-readable string
like
.Sq 1h .
.It Fl p , Fl Fl proxiable
Request tickets with the proxiable flag set.
.It Fl R , Fl Fl renew
Try to renew the ticket.
The ticket must have the
.Sq renewable
flag set, and must not be expired.
.It Fl Fl renewable
The same as
.Fl Fl renewable-life ,
with an infinite time.
.It Fl r Ar time , Fl Fl renewable-life= Ns Ar time
The maximum renewable ticket life.
.It Fl S Ar principal , Fl Fl server= Ns Ar principal
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Fl s Ar time , Fl Fl start-time= Ns Ar time
Obtain a ticket that starts to be valid
.Ar time
(which can really be a generic time specification, like
.Sq 1h )
seconds into the future.
.It Fl k , Fl Fl use-keytab
The same as
.Fl Fl keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Fl v , Fl Fl validate
Try to validate an invalid ticket.
.It Fl e Ar enctypes , Fl Fl enctypes= Ns Ar enctypes
Request tickets with this particular enctype.
.It Fl Fl password-file= Ns Ar filename
Read the password from the first line of
.Ar filename .
If the
.Ar filename
is
.Ar STDIN ,
the password will be read from the standard input.
.It Fl Fl fcache-version= Ns Ar version-number
Create a credentials cache of version
.Ar version-number .
.It Fl a Ar addresses , Fl Fl extra-addresses= Ns Ar addresses
Adds a set of addresses that will, in addition to the system's local
addresses, be put in the ticket.
This can be useful if the addresses a client can use can't all be
figured out automatically.
One such example is if the client is behind a firewall.
Also settable via
.Li libdefaults/extra_addresses
in
.Xr krb5.conf 5 .
.It Fl A , Fl Fl no-addresses
Request a ticket with no addresses.
.It Fl Fl anonymous
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically
.Dq anonymous@REALM ) .
.It Fl Fl enterprise
Parse principal as an enterprise (KRB5-NT-ENTERPRISE) name.
Enterprise names are email-like principals that are stored in the name
part of the principal, and since there are two @ characters the parser
needs to know that the first is not a realm.
An example of an enterprise name is
.Dq lha@e.kth.se@KTH.SE ,
and this option is usually used with canonicalize so that the
principal returned from the KDC will typically be the real principal
name.
.It Fl Fl afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel.
Only useful if you have AFS.
.El
.Pp
The
.Ar forwardable ,
.Ar proxiable ,
.Ar ticket_life ,
and
.Ar renewable_life
options can be set to a default value from the
.Dv appdefaults
section in krb5.conf, see
.Xr krb5_appdefault 3 .
.Pp
If a
.Ar command
is given,
.Nm
will set up new credentials caches and an AFS PAG, and then run the given
command.
When it finishes, the credentials will be removed.
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
Specifies the default credentials cache.
.It Ev KRB5_CONFIG
The file name of
.Pa krb5.conf ,
the default being
.Pa /etc/krb5.conf .
.It Ev KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.El
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr krb5_appdefault 3 ,
.Xr krb5.conf 5
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
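.Sh EXAMPLES
The following is an added example, not part of the Heimdal distribution.
It combines the keytab, lifetime, no-forwardable and command forms described above in a POSIX shell wrapper that refuses a keytab accessible to group or other before calling kinit.
The function names, the one-hour lifetime cap, and the principal and paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Heimdal code: run one job under short-lived
# keytab credentials. Principal and paths in the usage line are placeholders.

# A keytab holds long-term keys: anyone who can read it can obtain
# tickets as the principal. Accept only a regular, non-symlink file with
# no group or other permission bits set.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: run_with_keytab PRINCIPAL KEYTAB LIFETIME_SECONDS COMMAND
run_with_keytab() {
    principal=$1 keytab=$2 lifetime=$3 job=$4
    if ! keytab_is_private "$keytab"; then
        echo "keytab missing or accessible to group/other: $keytab" >&2
        return 1
    fi
    # Policy of this example only: plain seconds, at most one hour.
    case $lifetime in
        ''|*[!0-9]*) echo "lifetime must be whole seconds" >&2; return 1 ;;
    esac
    if [ "$lifetime" -lt 1 ] || [ "$lifetime" -gt 3600 ]; then
        echo "lifetime out of range: $lifetime" >&2
        return 1
    fi
    # With a command argument, kinit sets up a new credentials cache, runs
    # the command, and removes the credentials when it finishes.
    kinit "--keytab=FILE:$keytab" "--lifetime=$lifetime" \
        --no-forwardable "$principal" "$job"
}

# run_with_keytab backup/host.example.org /etc/backup.keytab 900 /usr/local/bin/backup-job
```

The permission check looks only at mode bits; ownership of the keytab and of its parent directories still has to be reviewed separately.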