<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

    <title>kinit — MIT Kerberos Documentation</title>
    <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
    <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
    <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
    <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
    <script src="../../_static/jquery.js"></script>
    <script src="../../_static/underscore.js"></script>
    <script src="../../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../../about.html" />
    <link rel="index" title="Index" href="../../genindex.html" />
    <link rel="search" title="Search" href="../../search.html" />
    <link rel="copyright" title="Copyright" href="../../copyright.html" />
    <link rel="next" title="klist" href="klist.html" />
    <link rel="prev" title="kdestroy" href="kdestroy.html" />
  </head><body>
    <div class="header-wrapper">
        <div class="header">

            <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>

            <div class="rel">

        <a href="../../index.html" title="Full Table of Contents"
            accesskey="C">Contents</a> |
        <a href="kdestroy.html" title="kdestroy"
            accesskey="P">previous</a> |
        <a href="klist.html" title="klist"
            accesskey="N">next</a> |
        <a href="../../genindex.html" title="General Index"
            accesskey="I">index</a> |
        <a href="../../search.html" title="Enter search criteria"
            accesskey="S">Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kinit">feedback</a>
            </div>
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">

      <div
class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">

  <section id="kinit">
<span id="kinit-1"></span><h1>kinit<a class="headerlink" href="#kinit" title="Permalink to this headline">¶</a></h1>
<section id="synopsis">
<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
<p><strong>kinit</strong>
[<strong>-V</strong>]
[<strong>-l</strong> <em>lifetime</em>]
[<strong>-s</strong> <em>start_time</em>]
[<strong>-r</strong> <em>renewable_life</em>]
[<strong>-p</strong> | -<strong>P</strong>]
[<strong>-f</strong> | -<strong>F</strong>]
[<strong>-a</strong>]
[<strong>-A</strong>]
[<strong>-C</strong>]
[<strong>-E</strong>]
[<strong>-v</strong>]
[<strong>-R</strong>]
[<strong>-k</strong> [<strong>-i</strong> | -<strong>t</strong> <em>keytab_file</em>]]
[<strong>-c</strong> <em>cache_name</em>]
[<strong>-n</strong>]
[<strong>-S</strong> <em>service_name</em>]
[<strong>-I</strong> <em>input_ccache</em>]
[<strong>-T</strong> <em>armor_ccache</em>]
[<strong>-X</strong> <em>attribute</em>[=<em>value</em>]]
[<strong>--request-pac</strong> | <strong>--no-request-pac</strong>]
[<em>principal</em>]</p>
</section>
<section id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
<p>kinit obtains and caches an initial ticket-granting ticket for
<em>principal</em>. If <em>principal</em> is absent, kinit chooses an appropriate
principal name based on existing credential cache contents or the
local username of the user invoking kinit.
Some options modify the
choice of principal name.</p>
</section>
<section id="options">
<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
<dl>
<dt><strong>-V</strong></dt><dd><p>display verbose output.</p>
</dd>
<dt><strong>-l</strong> <em>lifetime</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Requests a ticket with the lifetime
<em>lifetime</em>.</p>
<p>For example, <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-l</span> <span class="pre">5:30</span></code> or <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-l</span> <span class="pre">5h30m</span></code>.</p>
<p>If the <strong>-l</strong> option is not specified, the default ticket lifetime
(configured by each site) is used. Specifying a ticket lifetime
longer than the maximum ticket lifetime (configured by each site)
will not override the configured maximum ticket lifetime.</p>
</dd>
<dt><strong>-s</strong> <em>start_time</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Requests a postdated ticket. Postdated
tickets are issued with the <strong>invalid</strong> flag set, and need to be
resubmitted to the KDC for validation before use.</p>
<p><em>start_time</em> specifies the duration of the delay before the ticket
can become valid.</p>
</dd>
<dt><strong>-r</strong> <em>renewable_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.)
Requests renewable tickets, with a total
lifetime of <em>renewable_life</em>.</p>
</dd>
<dt><strong>-f</strong></dt><dd><p>requests forwardable tickets.</p>
</dd>
<dt><strong>-F</strong></dt><dd><p>requests non-forwardable tickets.</p>
</dd>
<dt><strong>-p</strong></dt><dd><p>requests proxiable tickets.</p>
</dd>
<dt><strong>-P</strong></dt><dd><p>requests non-proxiable tickets.</p>
</dd>
<dt><strong>-a</strong></dt><dd><p>requests tickets restricted to the host’s local address[es].</p>
</dd>
<dt><strong>-A</strong></dt><dd><p>requests tickets not restricted by address.</p>
</dd>
<dt><strong>-C</strong></dt><dd><p>requests canonicalization of the principal name, and allows the
KDC to reply with a different client principal from the one
requested.</p>
</dd>
<dt><strong>-E</strong></dt><dd><p>treats the principal name as an enterprise name.</p>
</dd>
<dt><strong>-v</strong></dt><dd><p>requests that the ticket-granting ticket in the cache (with the
<strong>invalid</strong> flag set) be passed to the KDC for validation. If the
ticket is within its requested time range, the cache is replaced
with the validated ticket.</p>
</dd>
<dt><strong>-R</strong></dt><dd><p>requests renewal of the ticket-granting ticket. Note that an
expired ticket cannot be renewed, even if the ticket is still
within its renewable life.</p>
<p>Note that renewable tickets that have expired as reported by
<a class="reference internal" href="klist.html#klist-1"><span class="std std-ref">klist</span></a> may sometimes be renewed using this option,
because the KDC applies a grace period to account for client-KDC
clock skew.
See <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> <strong>clockskew</strong> setting.</p>
</dd>
<dt><strong>-k</strong> [<strong>-i</strong> | <strong>-t</strong> <em>keytab_file</em>]</dt><dd><p>requests a ticket, obtained from a key in the local host’s keytab.
The location of the keytab may be specified with the <strong>-t</strong>
<em>keytab_file</em> option, or with the <strong>-i</strong> option to specify the use
of the default client keytab; otherwise the default keytab will be
used. By default, a host ticket for the local host is requested,
but any principal may be specified. On a KDC, the special keytab
location <code class="docutils literal notranslate"><span class="pre">KDB:</span></code> can be used to indicate that kinit should open
the KDC database and look up the key directly. This permits an
administrator to obtain tickets as any principal that supports
authentication based on the key.</p>
</dd>
<dt><strong>-n</strong></dt><dd><p>Requests anonymous processing. Two types of anonymous principals
are supported.</p>
<p>For fully anonymous Kerberos, configure pkinit on the KDC and
configure <strong>pkinit_anchors</strong> in the client’s <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.
Then use the <strong>-n</strong> option with a principal of the form <code class="docutils literal notranslate"><span class="pre">@REALM</span></code>
(an empty principal name followed by the at-sign and a realm
name). If permitted by the KDC, an anonymous ticket will be
returned.</p>
<p>A second form of anonymous tickets is supported; these
realm-exposed tickets hide the identity of the client but not the
client’s realm.
For this mode, use <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-n</span></code> with a normal
principal name. If supported by the KDC, the principal (but not
realm) will be replaced by the anonymous principal.</p>
<p>As of release 1.8, the MIT Kerberos KDC only supports fully
anonymous operation.</p>
</dd>
</dl>
<p><strong>-I</strong> <em>input_ccache</em></p>
<blockquote>
<div><p>Specifies the name of a credentials cache that already contains a
ticket. When obtaining that ticket, if information about how that
ticket was obtained was also stored to the cache, that information
will be used to affect how new credentials are obtained, including
preselecting the same methods of authenticating to the KDC.</p>
</div></blockquote>
<dl>
<dt><strong>-T</strong> <em>armor_ccache</em></dt><dd><p>Specifies the name of a credentials cache that already contains a
ticket. If supported by the KDC, this cache will be used to armor
the request, preventing offline dictionary attacks and allowing
the use of additional preauthentication mechanisms. Armoring also
makes sure that the response from the KDC is not modified in
transit.</p>
</dd>
<dt><strong>-c</strong> <em>cache_name</em></dt><dd><p>use <em>cache_name</em> as the Kerberos 5 credentials (ticket) cache
location. If this option is not used, the default cache location
is used.</p>
<p>The default cache location may vary between systems. If the
<strong>KRB5CCNAME</strong> environment variable is set, its value is used to
locate the default cache. If a principal name is specified and
the type of the default cache supports a collection (such as the
DIR type), an existing cache containing credentials for the
principal is selected or a new one is created and becomes the new
primary cache.
Otherwise, any existing contents of the default
cache are destroyed by kinit.</p>
</dd>
<dt><strong>-S</strong> <em>service_name</em></dt><dd><p>specify an alternate service name to use when getting initial
tickets.</p>
</dd>
<dt><strong>-X</strong> <em>attribute</em>[=<em>value</em>]</dt><dd><p>specify a pre-authentication <em>attribute</em> and <em>value</em> to be
interpreted by pre-authentication modules. The acceptable
attribute and value values vary from module to module. This
option may be specified multiple times to specify multiple
attributes. If no value is specified, it is assumed to be “yes”.</p>
<p>The following attributes are recognized by the PKINIT
pre-authentication mechanism:</p>
<dl class="simple">
<dt><strong>X509_user_identity</strong>=<em>value</em></dt><dd><p>specify where to find user’s X509 identity information</p>
</dd>
<dt><strong>X509_anchors</strong>=<em>value</em></dt><dd><p>specify where to find trusted X509 anchor information</p>
</dd>
<dt><strong>flag_RSA_PROTOCOL</strong>[<strong>=yes</strong>]</dt><dd><p>specify use of RSA, rather than the default Diffie-Hellman
protocol</p>
</dd>
<dt><strong>disable_freshness</strong>[<strong>=yes</strong>]</dt><dd><p>disable sending freshness tokens (for testing purposes only)</p>
</dd>
</dl>
</dd>
<dt><strong>--request-pac</strong> | <strong>--no-request-pac</strong></dt><dd><p>mutually exclusive.
If <strong>--request-pac</strong> is set, ask the KDC to
include a PAC in authdata; if <strong>--no-request-pac</strong> is set, ask the
KDC not to include a PAC; if neither is set, the KDC will follow
its default, which is typically to include a PAC if doing so is
supported.</p>
</dd>
</dl>
</section>
<section id="environment">
<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
<p>See <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="files">
<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
<dl class="simple">
<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCCNAME</span></a></dt><dd><p>default location of Kerberos 5 credentials cache</p>
</dd>
<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a></dt><dd><p>default location for the local host’s keytab.</p>
</dd>
</dl>
</section>
<section id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
<p><a class="reference internal" href="klist.html#klist-1"><span class="std std-ref">klist</span></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, <a class="reference internal" href="../user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
</section>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.21.3</i><br />
                &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
            </div>
        </div>
    </div>

  </body>
</html>
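The -n and -T options described above are often used together: an anonymous ticket obtained with kinit -n becomes the armor cache for the user's real request, so the password-based exchange is protected against offline dictionary attacks. The script below is an added example, not part of the MIT Kerberos documentation; the armored_kinit function, the KINIT override variable and the EXAMPLE.COM realm are assumptions, and it presumes a KDC with anonymous PKINIT and FAST enabled and pkinit_anchors set in krb5.conf.

```shell
#!/bin/sh
# Added example (not from the MIT Kerberos documentation).
# KINIT is a hypothetical override so the wrapper can be exercised
# without a KDC; by default the real kinit on PATH is used.
: "${KINIT:=kinit}"

# armored_kinit REALM PRINCIPAL [LIFETIME]
#   1. kinit -n -c <armor> @REALM      anonymous TGT in a private cache
#   2. kinit -T <armor> ... PRINCIPAL  user request sent inside that armor
# Constructed usage: armored_kinit EXAMPLE.COM alice@EXAMPLE.COM 1h
armored_kinit() {
    realm=$1
    principal=$2
    lifetime=${3:-8h}
    [ -n "$realm" ] && [ -n "$principal" ] || {
        echo "usage: armored_kinit REALM PRINCIPAL [LIFETIME]" >&2
        return 2
    }

    # mktemp -d creates a mode-0700 directory, so other local users can
    # neither read nor pre-create the armor cache file.
    armor_dir=$(mktemp -d) || return 1
    armor_cc="FILE:$armor_dir/armor"

    rc=0
    {
        # Step 1: fully anonymous ticket (empty principal name, "@REALM").
        "$KINIT" -n -c "$armor_cc" "@$realm" &&
        # Step 2: armored request for the real principal. -F and -P ask for
        # a non-forwardable, non-proxiable ticket; -l caps the requested
        # lifetime (the KDC maximum still applies).
        "$KINIT" -T "$armor_cc" -F -P -l "$lifetime" "$principal"
    } || rc=$?

    # The armor ticket is only needed for the exchange; remove it either way.
    rm -rf "$armor_dir"
    return "$rc"
}
```

The user's ticket lands in the default cache (or the one named by KRB5CCNAME), while the anonymous armor ticket never outlives the call.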