<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html><head>
<meta name="GENERATOR" content="Microsoft&reg; HTML Help Workshop 4.1">
<link rel="stylesheet" type="text/css" href="Leash.css">

<title>KINIT</title></head>

<body>
<h1>KINIT Command</h1>
<table>
<tbody><tr><th id="th2"> The following information reproduces the information from the UNIX man page for the KINIT command.</th>
</tr>
</tbody></table>

<h2>SYNOPSIS</h2><table>
<tbody><tr>
<th id="th2">kinit</th>
<td>
<span class="command"> [<b>-V</b>] </span>
<span class="command">[<b>-l</b> <i>lifetime</i>]</span>
<span class="command"> [<b>-s</b> <i>start</i><b>_</b><i>time</i>] </span>
<span class="command"> [<b>-r</b> <i>renewable</i><b>_</b><i>life</i>] </span>
<span class="command"> [<b>-p</b> | <b>-P</b>]</span>
<span class="command"> [<b>-f</b> | <b>-F</b>]</span>
<span class="command"> [<b>-a</b>]</span>
<span class="command"> [<b>-A</b>] </span>
<span class="command"> [<b>-C</b>] </span>
<span class="command"> [<b>-E</b>] </span>
<span class="command"> [<b>-v</b>]</span>
<span class="command"> [<b>-R</b>] </span>
<span class="command">[<b>-k</b> [<b>-t</b> <i>keytab</i><b>_</b><i>file</i>]] </span>
<span class="command"> [<b>-c</b> <i>cache</i><b>_</b><i>name</i>] </span>
<span class="command"> [<b>-n</b>]</span>
<span class="command"> [<b>-S</b> <i>service</i><b>_</b><i>name</i>]</span>
<span class="command"> [<b>-T</b> <i>armor</i><b>_</b><i>ccache</i>] </span>
<span class="command"> [<b>-X</b> <i>attribute</i>[=<i>value</i>]] </span>
<span class="command"> [<i>principal</i>] </span>
</td>
</tr>
</tbody></table>
<h2>DESCRIPTION</h2>
<p>
 <i>kinit</i> obtains and caches an initial ticket-granting ticket for <i>principal</i>.
</p>

<h2>OPTIONS</h2>
<table>
<tbody><tr>
<th id="th2"> <span class="command">-V</span></th>
<td>display verbose output.</td></tr>
<tr>
<th id="th2"><span class="command">-l</span></th>
<td> <i>lifetime</i>
 requests a ticket with the lifetime <i>lifetime</i>. The value for
 <i>lifetime</i> must be followed immediately by one of the following
 delimiters:
<ul id="helpul">
<li> <b>s</b> seconds </li>
<li><b>m</b> minutes</li>
<li><b>h</b> hours</li>
<li><b>d</b> days</li>
</ul>
 as in "kinit -l 90m". You cannot mix units; a value of "3h30m"
 will result in an error.

 If the <b>-l</b> option is not specified, the default ticket lifetime
 (configured by each site) is used. Specifying a ticket lifetime
 longer than the maximum ticket lifetime (configured by each
 site) results in a ticket with the maximum lifetime.
</td>
</tr>
<tr><th id="th2"> <span class="command">-s <i>start</i><b>_</b><i>time</i></span> </th>
<td> requests a postdated ticket, valid starting at <span class="command"><i>start</i><b>_</b><i>time</i>.</span> Postdated tickets are issued with the <i>invalid</i> flag set, and need to be fed back to the KDC before use.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-r</b> <i>renewable</i><b>_</b><i>life</i></span></th>
<td> requests renewable tickets, with a total lifetime of <span class="command"><i>renewable</i><b>_</b><i>life</i>.</span> The duration is in the same format as the <b>-l</b> option, with the same delimiters.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-f </b></span></th>
<td> request forwardable tickets.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-F</b></span></th>
<td> do not request forwardable tickets. </td></tr>
<tr>
<th id="th2"> <span class="command"><b>-p</b></span></th>
<td> request proxiable tickets.
</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-P </b></span></th>
<td> do not request proxiable tickets.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-a</b></span></th>
<td> request tickets with the local address[es].</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-A</b></span></th>
<td> request address-less tickets.</td></tr>
<tr>
<th id="th2"> <span class="command"> <b>-k</b> [<b>-t</b> <i>keytab</i><b>_</b><i>file</i>] </span></th>
<td> requests a ticket, obtained from a key in the local host's
 <i>keytab</i> file. The name and location of the keytab file may be
 specified with the <span class="command"> <b>-t</b> <i>keytab</i><b>_</b><i>file</i> </span> option; otherwise the default
 name and location will be used. By default a host ticket is
 requested but any principal may be specified. On a KDC, the special
 keytab location <b>KDB:</b> can be used to indicate that kinit
 should open the KDC database and look up the key directly. This
 permits an administrator to obtain tickets as any principal that
 supports password-based authentication.</td></tr>
<tr>
<th id="th2"> <span class="command"> <b>-n</b></span></th>
<td> Requests anonymous processing. Two types of anonymous principals
 are supported. For fully anonymous Kerberos, configure pkinit on the
 KDC and configure <span class="command"> <i>pkinit</i><b>_</b><i>anchors</i></span> in the client's
 krb5.conf. Then use the <b>-n</b> option with a principal of the form
 <i>@REALM</i> (an empty principal name followed by the at-sign and a
 realm name). If permitted by the KDC, an anonymous ticket will
 be returned. A second form of anonymous tickets is supported;
 these realm-exposed tickets hide the identity of the client but
 not the client's realm. For this mode, use <b>kinit</b> <b>-n</b> with a normal principal name.
 If supported by the KDC, the principal (but
 not realm) will be replaced by the anonymous principal. As of
 release 1.8, the MIT Kerberos KDC only supports fully anonymous
 operation.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-T</b> <i>armor</i><b>_</b><i>ccache</i></span></th>
<td> Specifies the name of a credential cache that already contains a
 ticket. If supported by the KDC, this ccache will be used to
 armor the request so that an attacker would have to know both
 the key of the armor ticket and the key of the principal used
 for authentication in order to attack the request. Armoring also
 makes sure that the response from the KDC is not modified in
 transit.</td></tr>
<tr>
<th id="th2"> <span class="command"> <b>-c</b> <i>cache</i><b>_</b><i>name</i> </span></th>
<td> use <span class="command"><i>cache</i><b>_</b><i>name</i></span>
 as the Kerberos 5 credentials (ticket) cache name and location; if this
 option is not used, the default cache name and location are used. The
 default credentials cache may vary between systems. If the <b>KRB5CCNAME</b> environment variable is set, its value is used to
 name the default ticket cache. If a principal name is specified
 and the type of the default credentials cache supports a collection
 (such as the DIR type), an existing cache containing credentials
 for the principal is selected or a new one is created
 and becomes the new primary cache.
 Otherwise, any existing contents
 of the default cache are destroyed by <i>kinit</i>.</td></tr>
<tr>
<th id="th2"> <span class="command"> <b>-S</b> <i>service</i><b>_</b><i>name</i></span></th>
<td> specify an alternate service name to use when getting initial
 tickets.</td></tr>
</tbody></table>

<h2>ENVIRONMENT</h2>
<p>
 <b>Kinit</b> uses the following environment variables:
</p>
<table>
<tbody><tr>
<th id="th2"> KRB5CCNAME </th>
<td> Location of the default Kerberos 5 credentials (ticket)
 cache, in the form <span class="command"><i>type</i>:<i>residual</i>.</span> If no type prefix is
 present, the <b>FILE</b> type is assumed. The type of the
 default cache may determine the availability of a cache
 collection; for instance, a default cache of type <b>DIR</b>
 causes caches within the directory to be present in the
 collection.</td>
</tr>
</tbody></table>

<h2>FILES</h2>
<table>
<tbody><tr>
<th id="th2"> <span class="command"> /tmp/krb5cc_[uid] </span></th>
<td> default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user). </td></tr>
<tr>
<th id="th2"> <span class="command"> /etc/krb5.keytab </span></th>
<td> default location for the local host's <b>keytab</b> file.</td></tr>
</tbody></table>

<h2>SEE ALSO</h2>
<ul id="helpul">
<li><a href="HTML/KLIST.htm"><b>klist(1)</b></a></li>
<li> <a href="HTML/KDESTROY.htm"><b>kdestroy(1)</b></a></li>
<li><a href="HTML/KSWITCH.htm"><b>kswitch(1)</b></a></li>
<li><b>kerberos(1)</b></li>
</ul>

</body></html>