xref: /freebsd/crypto/krb5/src/windows/leash/htmlhelp/html/KINIT.htm (revision f1c4c3daccbaf3820f0e2224de53df12fc952fcc)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html><head>
<meta name="GENERATOR" content="Microsoft&reg; HTML Help Workshop 4.1">
<link rel="stylesheet" type="text/css" href="Leash.css">

<title>KINIT</title></head>

<body>
<h1>KINIT Command</h1>
<table>
<tbody><tr><th id="th2"> The following information reproduces the information from the UNIX man page for the KINIT command.</th>
</tr>
</tbody></table>

<h2>SYNOPSIS</h2><table>
<tbody><tr>
<th id="th2">kinit</th>
<td>
<span class="command">  [<b>-V</b>] </span>
<span class="command">[<b>-l</b> <i>lifetime</i>]</span>
<span class="command">  [<b>-s</b> <i>start</i><b>_</b><i>time</i>] </span>
<span class="command"> [<b>-r</b>&nbsp;<i>renewable</i><b>_</b><i>life</i>] </span>
<span class="command"> [<b>-p</b> | <b>-P</b>]</span>
<span class="command">  [<b>-f</b> | <b>-F</b>]</span>
<span class="command">  [<b>-a</b>]</span>
<span class="command">  [<b>-A</b>] </span>
<span class="command"> [<b>-C</b>] </span>
<span class="command"> [<b>-E</b>] </span>
<span class="command"> [<b>-v</b>]</span>
<span class="command">  [<b>-R</b>] </span>
<span class="command">[<b>-k</b> [<b>-t</b> <i>keytab</i><b>_</b><i>file</i>]] </span>
<span class="command">  [<b>-c</b> <i>cache</i><b>_</b><i>name</i>] </span>
<span class="command"> [<b>-n</b>]</span>
<span class="command">  [<b>-S</b> <i>service</i><b>_</b><i>name</i>]</span>
<span class="command"> [<b>-T</b> <i>armor</i><b>_</b><i>ccache</i>] </span>
<span class="command"> [<b>-X</b>  <i>attribute</i>[=<i>value</i>]] </span>
<span class="command"> [<i>principal</i>] </span>
</td>
</tr>
</tbody></table>
<h2>DESCRIPTION</h2>
<p>
       <i>kinit</i> obtains and caches an initial ticket-granting ticket for  <i>principal</i>.
</p>

<h2>OPTIONS</h2>
<table>
<tbody><tr>
<th id="th2"> <span class="command">-V</span></th>
<td>display verbose output.</td></tr>
<tr>
<th id="th2"><span class="command">-l</span></th>
<td> <i>lifetime</i>
              requests  a  ticket  with  the lifetime <i>lifetime</i>.  The value for
              <i>lifetime</i> must be followed immediately by one  of  the  following
              delimiters:
<ul id="helpul">
<li> <b>s</b>  seconds </li>
<li><b>m</b>  minutes</li>
 <li><b>h</b>  hours</li>
<li><b>d</b>  days</li>
</ul>
              as  in "kinit -l 90m".  You cannot mix units; a value of `3h30m'
              will result in an error.

              If the <b>-l</b> option is not specified, the default  ticket  lifetime
              (configured by each site) is used.  Specifying a ticket lifetime
              longer than the maximum  ticket  lifetime  (configured  by  each
              site) results in a ticket with the maximum lifetime.
</td>
</tr>
<tr><th id="th2"> <span class="command">-s <i>start</i><b>_</b><i>time</i></span> </th>
<td> requests  a  postdated  ticket,  valid  starting  at <span class="command"><i>start</i><b>_</b><i>time</i>.</span> Postdated tickets are issued with the <i>invalid</i> flag set, and need to be fed back to the KDC before use.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-r</b> <i>renewable</i><b>_</b><i>life</i></span></th>
<td> requests  renewable  tickets,  with  a  total lifetime of <span class="command"><i>renewable</i><b>_</b><i>life</i>.</span>  The duration is in the same format as the <b>-l</b> option, with the same delimiters.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-f </b></span></th>
<td> request forwardable tickets.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-F</b></span></th>
<td> do not request forwardable tickets. </td></tr>
<tr>
<th id="th2"> <span class="command"><b>-p</b></span></th>
<td> request proxiable tickets. </td></tr>
<tr>
<th id="th2"> <span class="command"><b>-P </b></span></th>
<td> do not request proxiable tickets.</td></tr>
<tr>
<th id="th2"> <span class="command"><b>-a</b></span></th>
<td> request tickets with the local address[es].</td></tr>
<tr>
  <th id="th2"> <span class="command"><b>-A</b></span></th>
<td> request address-less tickets.</td></tr>
<tr>
<th id="th2"> <span class="command">   <b>-k</b> [<b>-t</b> <i>keytab</i><b>_</b><i>file</i>] </span></th>
<td> requests a ticket, obtained from  a  key  in  the  local  host's
              <i>keytab</i>  file.   The  name and location of the keytab file may be
              specified with the <span class="command">  <b>-t</b> <i>keytab</i><b>_</b><i>file</i> </span> option; otherwise the  default
              name  and  location  will  be used.  By default a host ticket is
              requested but any principal may be specified. On a KDC, the special
              keytab  location  <b>KDB:</b>  can be used to indicate that kinit
              should open the KDC database and look up the key directly.  This
              permits an administrator to obtain tickets as any principal that
              supports password-based authentication.</td></tr>
<tr>
<th id="th2"> <span class="command"> <b>-n</b></span></th>
<td> Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure pkinit on the
KDC and configure <span class="command"> <i>pkinit</i><b>_</b><i>anchors</i></span> in  the  client's
              krb5.conf.   Then use the <b>-n</b> option with a principal of the form
              <i>@REALM</i> (an empty principal name followed by the  at-sign  and  a
              realm  name).  If permitted by the KDC, an anonymous ticket will
              be returned.  A second form of anonymous tickets  is  supported;
              these  realm-exposed tickets hide the identity of the client but
              not the client's realm.  For this mode, use <b>kinit</b> <b>-n</b> with a normal principal name.  If supported by the KDC, the principal (but
              not realm) will be replaced by the anonymous principal.   As  of
              release  1.8, the MIT Kerberos KDC only supports fully anonymous
              operation.</td></tr>
<tr>
  <th id="th2"> <span class="command"><b>-T</b> <i>armor</i><b>_</b><i>ccache</i></span></th>
<td>  Specifies the name of a credential cache that already contains a
              ticket.   If  supported  by the KDC, this ccache will be used to
              armor the request so that an attacker would have  to  know  both
              the  key  of  the armor ticket and the key of the principal used
              for authentication in order to attack the request. Armoring also
              makes  sure  that  the  response from the KDC is not modified in
              transit.</td></tr>
<tr>
  <th id="th2"> <span class="command"> <b>-c</b> <i>cache</i><b>_</b><i>name</i> </span></th>
<td>  use <span class="command"><i>cache</i><b>_</b><i>name</i></span>
as the Kerberos 5 credentials (ticket) cache name and location; if this
option is not used, the default cache name and location are used. The
default credentials cache may vary between systems. If the <b>KRB5CCNAME</b>  environment  variable  is  set, its value is used to
              name the default ticket cache.  If a principal name is specified
              and the type of the default credentials cache supports a collection
              (such as the DIR type), an existing cache  containing  credentials
              for  the principal is selected or a new one is created
              and becomes the new primary cache.  Otherwise, any existing contents
              of the default cache are destroyed by <i>kinit</i>.</td></tr>
<tr>
  <th id="th2"> <span class="command"> <b>-S</b> <i>service</i><b>_</b><i>name</i></span></th>
<td> specify  an  alternate  service name to use when getting initial
              tickets.</td></tr>
</tbody></table>
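<p>Added example, not part of the original man page or of kinit: a shell check that applies the <b>-l</b>/<b>-r</b> duration rules stated above (digits followed immediately by exactly one of s, m, h, d) and the maximum-lifetime rule. The helper names and the site maximum passed to <code>effective_lifetime</code> are assumptions.</p>

```shell
# Added example; these helpers are hypothetical and not part of kinit.

# Convert a -l / -r duration to seconds by the rules on this page:
# digits followed immediately by exactly one of s, m, h, d.
lifetime_to_seconds() {
    value=$1
    number=${value%?}                   # everything before the last character
    unit=${value#"$number"}             # the last character
    case $number in
        ''|*[!0-9]*) return 1 ;;        # no digits, or mixed units ("3h30m")
    esac
    case $unit in
        s) mult=1 ;;
        m) mult=60 ;;
        h) mult=3600 ;;
        d) mult=86400 ;;
        *) return 1 ;;                  # missing or unknown delimiter
    esac
    while [ "${#number}" -gt 1 ] && [ "${number#0}" != "$number" ]; do
        number=${number#0}              # drop leading zeros (avoid octal)
    done
    echo $((number * mult))
}

# Lifetime the ticket ends up with: a request above the site maximum
# yields the maximum. The second argument is an assumed, site-configured value.
effective_lifetime() {
    requested=$(lifetime_to_seconds "$1") || return 1
    site_max=$(lifetime_to_seconds "$2") || return 1
    if [ "$requested" -gt "$site_max" ]; then
        echo "$site_max"
    else
        echo "$requested"
    fi
}
```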

<h2>ENVIRONMENT</h2>
<p>
       <b>Kinit</b> uses the following environment variables:
</p>
<table>
<tbody><tr>
  <th id="th2">   KRB5CCNAME </th>
<td>       Location of the default Kerberos 5 credentials (ticket)
                       cache, in the form<span class="command"> <i>type</i>:<i>residual</i>.</span>  If no type prefix is
                       present,  the  <b>FILE</b>  type  is assumed.  The type of the
                       default cache may determine the availability of a cache
                       collection;  for  instance, a default cache of type <b>DIR</b>
                       causes caches within the directory to be present in the
                       collection.</td>
</tr>
</tbody></table>

<h2>FILES</h2>
<table>
<tbody><tr>
  <th id="th2">     <span class="command">   /tmp/krb5cc_[uid] </span></th>
<td>       default  location  of  Kerberos  5 credentials cache ([uid] is the decimal UID of the user). </td></tr>
<tr>
  <th id="th2">     <span class="command">    /etc/krb5.keytab  </span></th>
<td>    default location for the local host's <b>keytab</b> file.</td></tr>
</tbody></table>
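<p>Added example, not part of the original man page or of kinit: a shell helper that resolves a <b>KRB5CCNAME</b> value by the ENVIRONMENT and FILES rules above, and reports whether running kinit for a principal would select or create a cache in a collection or destroy the existing default cache. The helper names are hypothetical; treating a one-letter prefix as a Windows drive letter is an assumption of this example, and only <b>DIR</b> is checked because it is the only collection type this page names.</p>

```shell
# Added example; resolve_ccache and cache_effect are hypothetical helpers.

# Split a KRB5CCNAME value into "TYPE RESIDUAL" by the rules on this page.
resolve_ccache() {
    name=$1                     # value of KRB5CCNAME, may be empty
    uid=$2                      # decimal UID for the default listed in FILES
    [ -n "$name" ] || name="FILE:/tmp/krb5cc_${uid}"
    case $name in
        [A-Za-z]:*)             # assumption: a one-letter prefix is a Windows
            cctype=FILE         # drive letter, so the whole value is a path
            residual=$name ;;
        *:*)
            cctype=${name%%:*}  # text before the first colon
            residual=${name#*:} ;;
        *)
            cctype=FILE         # no type prefix: FILE is assumed
            residual=$name ;;
    esac
    printf '%s %s\n' "$cctype" "$residual"
}

# What kinit does to credentials already in the default cache.
# $3 is the principal given on the command line (empty if none).
cache_effect() {
    resolved=$(resolve_ccache "$1" "$2")
    principal=$3
    # Only DIR is named on this page as a type that supports a collection.
    if [ -n "$principal" ] && [ "${resolved%% *}" = "DIR" ]; then
        echo "select-or-create"
    else
        echo "destroy-existing"
    fi
}
```

<p>A wrapper can call <code>cache_effect "$KRB5CCNAME" "$(id -u)" "$principal"</code> before kinit and stop when the result is <code>destroy-existing</code> and the cache holds credentials that are still needed.</p>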

<h2>SEE ALSO</h2>
<ul id="helpul">
<li><a href="HTML/KLIST.htm"><b>klist(1)</b></a></li>
<li> <a href="HTML/KDESTROY.htm"><b>kdestroy(1)</b></a></li>
<li><a href="HTML/KSWITCH.htm"><b>kswitch(1)</b></a></li>

<li><b>kerberos(1)</b></li>
</ul>

</body></html>