KINIT(1) User Commands KINIT(1)


NAME


kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS


/usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name]
[-k [-t keytab_file]] [-l lifetime]
[-r renewable_life] [-s start_time] [-S service_name]
[principal]


DESCRIPTION


The kinit command is used to obtain and cache an initial ticket-granting
ticket (credential) for principal. This ticket is used for authentication
by the Kerberos system. Only users with Kerberos principals can use the
Kerberos system. For information about Kerberos principals, see
kerberos(5).


When you use kinit without options, the utility prompts for your
principal and Kerberos password, and tries to authenticate your login
with the local Kerberos server. The principal can be specified on the
command line if desired.


If Kerberos authenticates the login attempt, kinit retrieves your initial
ticket-granting ticket and puts it in the ticket cache. By default your
ticket is stored in the file /tmp/krb5cc_uid, where uid specifies your
user identification number. Tickets expire after a specified lifetime,
after which kinit must be run again. Any existing contents of the cache
are destroyed by kinit.


Values specified in the command line override the values specified in the
Kerberos configuration file for lifetime and renewable_life.


The kdestroy(1) command can be used to destroy any active tickets before
you end your login session.

OPTIONS


The following options are supported:

-a
Requests tickets with the local addresses.


-A
Requests address-less tickets.


-c cache_name
Uses cache_name as the credentials (ticket) cache
name and location. If this option is not used,
the default cache name and location are used.


-f
Requests forwardable tickets.


-F
Not forwardable. Does not request forwardable
tickets.

Tickets that have been acquired on one host
cannot normally be used on another host. A client
can request that the ticket be marked
forwardable. Once the TKT_FLG_FORWARDABLE flag is
set on a ticket, the user can use this ticket to
request a new ticket, but with a different IP
address. Thus, users can use their current
credentials to get credentials valid on another
machine. This option allows a user to explicitly
obtain a non-forwardable ticket.


-k [-t keytab_file]
Requests a host ticket, obtained from a key in
the local host's keytab file. The name and
location of the keytab file can be specified with
the -t keytab_file option. Otherwise, the default
name and location is used.


-l lifetime
Requests a ticket with the lifetime lifetime. If
the -l option is not specified, the default
ticket lifetime (configured by each site) is
used. Specifying a ticket lifetime longer than
the maximum ticket lifetime (configured by each
site) results in a ticket with the maximum
lifetime. See the Time Formats section for the
valid time duration formats that you can specify
for lifetime. See kdc.conf(4) and kadmin(1M) (for
getprinc command to verify the lifetime values
for the server principal).

The lifetime of the tickets returned is the
minimum of the following:

o Value specified in the command line.

o Value specified in the KDC
configuration file.

o Value specified in the Kerberos data
base for the server principal. In the
case of kinit, it is krbtgt/realm
name.

o Value specified in the Kerberos
database for the user principal.


-p
Requests proxiable tickets.


-P
Not proxiable. Does not request proxiable
tickets.

A proxiable ticket is a ticket that allows you to
get a ticket for a service with IP addresses
other than the ones in the Ticket Granting
Ticket. This option allows a user to explicitly
obtain a non-proxiable ticket.


-r renewable_life
Requests renewable tickets, with a total lifetime
of renewable_life. See the Time Formats section
for the valid time duration formats that you can
specify for renewable_life. See kdc.conf(4) and
kadmin(1M) (for getprinc command to verify the
lifetime values for the server principal).

The renewable lifetime of the tickets returned is
the minimum of the following:

o Value specified in the command line.

o Value specified in the KDC
configuration file.

o Value specified in the Kerberos data
base for the server principal. In the
case of kinit, it is krbtgt/realm
name.

o Value specified in the Kerberos
database for the user principal.


-R
Requests renewal of the ticket-granting ticket.
Notice that an expired ticket cannot be renewed,
even if the ticket is still within its renewable
life.


-s start_time
Requests a postdated ticket, valid starting at
start_time. Postdated tickets are issued with the
invalid flag set, and need to be fed back to the
KDC before use. See the Time Formats section for
either the valid absolute time or time duration
formats that you can specify for start_time.
kinit attempts to match an absolute time first
before trying to match a time duration.


-S service_name
Specifies an alternate service name to use when
getting initial tickets.


-v
Requests that the ticket granting ticket in the
cache (with the invalid flag set) be passed to
the KDC for validation. If the ticket is within
its requested time range, the cache is replaced
with the validated ticket.


-V
Verbose output. Displays further information to
the user, such as confirmation of authentication
and version.


-X attribute[=value]
Specifies a pre-authentication attribute and
value to be passed to pre-authentication plugins.
The acceptable attribute and value values vary
from pre-authentication plugin to plugin. This
option can be specified multiple times to specify
multiple attributes. If no value is specified, it
is assumed to be yes.

The following attributes are recognized by the
OpenSSL pkinit pre-authentication mechanism:

X509_user_identity=URI
Specifies where to
find user's X509
identity information.

Valid URI types are
FILE, DIR, PKCS11,
PKCS12, and ENV. See
the PKINIT URI Types
section for details.


X509_anchors=URI
Specifies where to
find trusted X509
anchor information.

Valid URI types are
FILE and DIR. See
thePKINIT URI Types
section for details.


flag_RSA_PROTOCOL[=yes]
Specifies the use of
RSA, rather than the
default Diffie-Hellman
protocol.


PKINIT URI Types


FILE:file-name[,key-file-name]

This option has context-specific behavior.

X509_user_identity
file-name specifies the name of a PEM-format
file containing the user's certificate. If key-
file-name is not specified, the user's private
key is expected to be in file-name as well.
Otherwise, key-file-name is the name of the
file containing the private key.


X509_anchors
file-name is assumed to be the name of an
OpenSSL-style ca-bundle file. The ca-bundle
file should be base-64 encoded.


DIR:directory-name

This option has context-specific behavior.

X509_user_identity
directory-name specifies a directory with files
named *.crt and *.key, where the first part of
the file name is the same for matching pairs of
certificate and private key files. When a file
with a name ending with .crt is found, a
matching file ending with .key is assumed to
contain the private key. If no such file is
found, then the certificate in the .crt is not
used.


X509_anchors
directory-name is assumed to be an OpenSSL-
style hashed CA directory where each CA cert is
stored in a file named hash-of-ca-cert.#. This
infrastructure is encouraged, but all files in
the directory are examined and if they contain
certificates (in PEM format), and are used.


PKCS12:pkcs12-file-name

pkcs12-file-name is the name of a PKCS #12 format file, containing
the user's certificate and private key.


PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-
id][:certlabel=cert-label]

All keyword and values are optional. PKCS11 modules (for example,
opensc-pkcs11.so) must be installed as a crypto provider under
libpkcs11(3LIB). slotid= and/or token= can be specified to force the
use of a particular smard card reader or token if there is more than
one available. certid= and/or certlabel= can be specified to force
the selection of a particular certificate on the device. See the
pkinit_cert_match configuration option for more ways to select a
particular certificate to use for pkinit.


ENV:environment-variable-name

environment-variable-name specifies the name of an environment
variable which has been set to a value conforming to one of the
previous values. For example, ENV:X509_PROXY, where environment
variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.


Time Formats


The following absolute time formats can be used for the -s start_time
option. The examples are based on the date and time of July 2, 1999,
1:35:30 p.m.


+-------------------------------------------------+
| Absolute Time Format Example |
|yymmddhhmm[ss] 990702133530 |
|hhmm[ss] 133530 |
|yy.mm.dd.hh.mm.ss 99:07:02:13:35:30 |
|hh:mm[:ss] 13:35:30 |
|ldate:ltime 07-07-99:13:35:30 |
|dd-month-yyyy:hh:mm[:ss] 02-july-1999:13:35:30 |
+-------------------------------------------------+


Variable Description
dd day
hh hour (24-hour clock)
mm minutes
ss seconds
yy year within century (0-68 is 2000 to
2068; 69-99 is 1969 to 1999)
yyyy year including century
month locale's full or abbreviated month name
ldate locale's appropriate date representation
ltime locale's appropriate time representation


The following time duration formats can be used for the -l lifetime, -r
renewable_life, and -s start_time options. The examples are based on the
time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.


+-----------------------------------+
|Time Duration Format Example |
|#d 14d |
|#h 7h |
|#m 5m |
|#s 30s |
|#d#h#m#s 14d7h5m30s |
|#h#m[#s] 7h5m30s |
|days-hh:mm:ss 14-07:05:30 |
|hours:mm[:ss] 7:05:30 |
+-----------------------------------+


Delimiter Description
d number of days
h number of hours
m number of minutes
s number of seconds


Variable Description
# number
days number of days
hours number of hours
hh hour (24-hour clock)
mm minutes
ss seconds


ENVIRONMENT VARIABLES


kinit uses the following environment variable:

KRB5CCNAME
Location of the credentials (ticket) cache. See
krb5envvar(5) for syntax and details.


FILES


/tmp/krb5cc_uid
Default credentials cache (uid is the decimal
UID of the user).


/etc/krb5/krb5.keytab
Default location for the local host's keytab
file.


/etc/krb5/krb5.conf
Default location for the local host's
configuration file. See krb5.conf(4).


ATTRIBUTES


See attributes(5) for descriptions of the following attributes:


+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | See below. |
+--------------------+-----------------+


The command arguments are Evolving. The command output is Unstable.

SEE ALSO


kdestroy(1), klist(1), kadmin(1M), ktkt_warnd(1M), libpkcs11(3LIB),
kdc.conf(4), krb5.conf(4), attributes(5), kerberos(5), krb5envvar(5),
pam_krb5(5)

NOTES


On success, kinit notifies ktkt_warnd(1M) to alert the user when the
initial credentials (ticket-granting ticket) are about to expire.


November 12, 2008 KINIT(1)