|KINIT(1)||General Commands Manual||KINIT(1)|
kinit — acquire
kinit is used to authenticate to the
Kerberos server as principal, or if none is given, a
system generated default (typically your login name at the default realm),
and acquire a ticket granting ticket that can later be used to obtain
tickets for other services.
- The credentials cache to put the acquired ticket in, if other than default.
- Obtain a ticket that can be forwarded to another host.
- Do not obtain a forwardable ticket.
- Don't ask for a password, but instead get the key from the specified keytab.
- Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like ‘1h’.
- Request tickets with the proxiable flag set.
- Try to renew ticket. The ticket must have the ‘renewable’ flag set, and must not be expired.
- The same as --renewable-life, with an infinite time.
- The max renewable ticket life.
- Get a ticket for a service other than krbtgt/LOCAL.REALM.
- Obtain a ticket that starts to be valid time (which can really be a generic time specification, like ‘1h’) seconds into the future.
- The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab).
- Try to validate an invalid ticket.
- Request tickets with this particular enctype.
- Read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input.
- Create a credentials cache of version version-number.
- Adds a set of addresses that will, in addition to the system's local
addresses, be put in the ticket. This can be useful if all addresses a
client can use can't be automatically figured out. One such example is if
the client is behind a firewall. Also settable via
- Request a ticket with no addresses.
- Request an anonymous ticket. With the default (false) setting of the
historical_anon_pkinit configuration parameter, if
the principal is specified as @REALM, then anonymous PKINIT will be used
to acquire an unauthenticated anonymous ticket and both the client name
and (with fully RFC-conformant KDCs) realm in the returned ticket will be
anonymized. Otherwise, authentication proceeds as normal and the anonymous
ticket will have only the client name anonymized. With
historical_anon_pkinit set to true, the principal is interpreted as a realm
even without an at-sign prefix, and it is not possible to obtain
authenticated anonymized tickets.
- Parse principal as an enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email-like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an enterprise name is “email@example.com@KTH.SE”, and this option is usually used with canonicalize so that the principal returned from the KDC will typically be the real principal name.
- Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.
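The keytab and password-file options above hand kinit a long-term secret stored on disk. The following is an added example, not part of the Heimdal manual or source: a Python wrapper that builds the kinit command line only after confirming the secret file is a regular file owned by the caller with no group or other access. The function and class names are hypothetical, and it assumes Heimdal's long option names --keytab, --password-file, --lifetime and --renewable-life.

```python
import os
import stat

class InsecureSecretFile(Exception):
    """The keytab or password file is readable or replaceable by other users."""

def check_secret_file(name):
    # Accept the FILE: prefix used in keytab names such as FILE:/etc/krb5.keytab.
    path = name[5:] if name.startswith("FILE:") else name
    st = os.lstat(path)  # lstat: a symlink is rejected rather than followed
    if not stat.S_ISREG(st.st_mode):
        raise InsecureSecretFile(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise InsecureSecretFile(f"{path}: not owned by the calling user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise InsecureSecretFile(f"{path}: group/other permission bits set")
    return name

def build_kinit_argv(principal, keytab=None, password_file=None,
                     lifetime=None, renewable_life=None):
    """Return an argv list for kinit (hypothetical helper, assumed option names)."""
    if principal.startswith("-"):
        raise ValueError("principal would be parsed as an option")
    if (keytab is None) == (password_file is None):
        raise ValueError("give exactly one of keytab or password_file")
    argv = ["kinit"]
    if keytab is not None:
        argv.append("--keytab=" + check_secret_file(keytab))
    elif password_file == "STDIN":
        # STDIN means "read the password from standard input": nothing on disk.
        argv.append("--password-file=STDIN")
    else:
        argv.append("--password-file=" + check_secret_file(password_file))
    if lifetime is not None:
        argv.append("--lifetime=" + lifetime)  # seconds or a string like 1h
    if renewable_life is not None:
        argv.append("--renewable-life=" + renewable_life)
    argv.append(principal)
    return argv
```

Pass the returned list to subprocess.run without a shell, so that the principal and file names are never re-parsed as shell syntax.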
proxiable, ticket_life, and
renewable_life options can be set to a default value
appdefaults section in krb5.conf, see
If a command is given,
kinit will set up new credentials caches, and AFS
PAG, and then run the given command. When it finishes the credentials will
|April 25, 2006||HEIMDAL|