The kinit command is used to obtain and cache an initial ticket-granting
ticket (credential) for principal. This ticket is used for
authentication by the Kerberos system. Only users with Kerberos principals can
use the Kerberos system. For information about Kerberos principals, see
kerberos(7).
When you use kinit without options, the utility prompts for
your principal and Kerberos password, and tries to authenticate your
login with the local Kerberos server. The principal can be specified
on the command line if desired.
If Kerberos authenticates the login attempt, kinit
retrieves your initial ticket-granting ticket and puts it in the ticket
cache. By default your ticket is stored in the file
/tmp/krb5cc_uid, where uid specifies your user
identification number. Tickets expire after a specified lifetime, after
which kinit must be run again. Any existing contents of the cache are
destroyed by kinit.
Values specified in the command line override the values specified
in the Kerberos configuration file for lifetime and
renewable_life.
The kdestroy(1) command can be used to destroy any active
tickets before you end your login session.
The following options are supported:
-a
Requests tickets with the local addresses.
-A
Requests address-less tickets.
-c cache_name
Uses cache_name as the credentials (ticket) cache
name and location. If this option is not used, the default cache name and
location are used.
-f
Requests forwardable tickets.
-F
Not forwardable. Does not request forwardable tickets.
Tickets that have been acquired on one host cannot normally be
used on another host. A client can request that the ticket be marked
forwardable. Once the TKT_FLG_FORWARDABLE flag is set on a ticket,
the user can use this ticket to request a new ticket, but with a different
IP address. Thus, users can use their current credentials to get
credentials valid on another machine. This option allows a user to
explicitly obtain a non-forwardable ticket.
-k [-t keytab_file]
Requests a host ticket, obtained from a key in the local
host's keytab file. The name and location of the keytab file can be
specified with the -t keytab_file option. Otherwise, the default
name and location is used.
-l lifetime
Requests a ticket with the lifetime
lifetime. If
the
-l option is not specified, the default ticket lifetime (configured
by each site) is used. Specifying a ticket lifetime longer than the maximum
ticket lifetime (configured by each site) results in a ticket with the maximum
lifetime. See the
Time Formats section for the valid time
duration formats that you can specify for
lifetime. See
kdc.conf(5) and
kadmin(8) (for
getprinc command to verify
the lifetime values for the server principal).
The lifetime of the tickets returned is the minimum of the
following:
- o
- Value specified in the command line.
- o
- Value specified in the KDC configuration file.
- o
- Value specified in the Kerberos data base for the server principal. In the
case of kinit, it is krbtgt/realm name.
- o
- Value specified in the Kerberos database for the user principal.
-p
Requests proxiable tickets.
-P
Not proxiable. Does not request proxiable tickets.
A proxiable ticket is a ticket that allows you to get a ticket for
a service with IP addresses other than the ones in the Ticket
Granting Ticket. This option allows a user to explicitly obtain a
non-proxiable ticket.
-r renewable_life
Requests renewable tickets, with a total lifetime of
renewable_life. See the
Time Formats section for the
valid time duration formats that you can specify for
renewable_life.
See
kdc.conf(5) and
kadmin(8) (for
getprinc command to
verify the lifetime values for the server principal).
The renewable lifetime of the tickets returned is the minimum of
the following:
- o
- Value specified in the command line.
- o
- Value specified in the KDC configuration file.
- o
- Value specified in the Kerberos data base for the server principal. In the
case of kinit, it is krbtgt/realm name.
- o
- Value specified in the Kerberos database for the user principal.
-R
Requests renewal of the ticket-granting ticket. Notice
that an expired ticket cannot be renewed, even if the ticket is still within
its renewable life.
-s start_time
Requests a postdated ticket, valid starting at
start_time. Postdated tickets are issued with the invalid flag
set, and need to be fed back to the KDC before use. See the Time
Formats section for either the valid absolute time or time duration
formats that you can specify for start_time. kinit attempts to
match an absolute time first before trying to match a time duration.
-S service_name
Specifies an alternate service name to use when getting
initial tickets.
-v
Requests that the ticket granting ticket in the cache
(with the invalid flag set) be passed to the KDC for validation.
If the ticket is within its requested time range, the cache is replaced with
the validated ticket.
-V
Verbose output. Displays further information to the user,
such as confirmation of authentication and version.
-X attribute[=value]
Specifies a pre-authentication attribute and value to be
passed to pre-authentication plugins. The acceptable
attribute and
value values vary from pre-authentication plugin to plugin. This option
can be specified multiple times to specify multiple attributes. If no value is
specified, it is assumed to be
yes.
The following attributes are recognized by the OpenSSL
pkinit pre-authentication mechanism:
X509_user_identity=URI
Specifies where to find user's X509 identity information.
Valid URI types are FILE, DIR, PKCS11,
PKCS12, and ENV. See the PKINIT URI Types section for
details.
X509_anchors=URI
Specifies where to find trusted X509 anchor information.
Valid URI types are FILE and DIR. See the PKINIT
URI Types section for details.
flag_RSA_PROTOCOL[=yes]
Specifies the use of RSA, rather than the default
Diffie-Hellman protocol.
FILE:file-name[,key-file-name]
This option has context-specific behavior.
X509_user_identity
file-name specifies the name of a PEM-format file
containing the user's certificate. If key-file-name is not specified,
the user's private key is expected to be in file-name as well.
Otherwise, key-file-name is the name of the file containing the private
key.
X509_anchors
file-name is assumed to be the name of an
OpenSSL-style ca-bundle file. The ca-bundle file should be base-64
encoded.
DIR:directory-name
This option has context-specific behavior.
X509_user_identity
directory-name specifies a directory with files
named *.crt and *.key, where the first part of the file name is
the same for matching pairs of certificate and private key files. When a file
with a name ending with .crt is found, a matching file ending with
.key is assumed to contain the private key. If no such file is found,
then the certificate in the .crt is not used.
X509_anchors
directory-name is assumed to be an OpenSSL-style
hashed CA directory where each CA cert is stored in a file named
hash-of-ca-cert.#. This infrastructure is encouraged, but all
files in the directory are examined and if they contain certificates (in PEM
format), and are used.
PKCS12:pkcs12-file-name
pkcs12-file-name is the name of a PKCS #12
format file, containing the user's certificate and private key.
PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]
All keyword and values are optional. PKCS11 modules (for
example,
opensc-pkcs11.so) must be installed as a crypto provider under
libpkcs11(3LIB).
slotid= and/or
token= can be specified
to force the use of a particular smard card reader or token if there is more
than one available.
certid= and/or
certlabel= can be specified
to force the selection of a particular certificate on the device. See the
pkinit_cert_match configuration option for more ways to select a
particular certificate to use for
pkinit.
ENV:environment-variable-name
environment-variable-name specifies the name of an
environment variable which has been set to a value conforming to one of the
previous values. For example, ENV:X509_PROXY, where environment
variable X509_PROXY has been set to
FILE:/tmp/my_proxy.pem.
The following absolute time formats can be used for the -s
start_time option. The examples are based on the date and time of July
2, 1999, 1:35:30 p.m.
Absolute Time Format |
Example |
yymmddhhmm[ss] |
990702133530 |
hhmm[ss] |
133530 |
yy.mm.dd.hh.mm.ss |
99:07:02:13:35:30 |
hh:mm[:ss] |
13:35:30 |
ldate:ltime |
07-07-99:13:35:30 |
dd-month-yyyy:hh:mm[:ss] |
02-july-1999:13:35:30 |
Variable |
Description |
dd |
day |
hh |
hour (24-hour clock) |
mm |
minutes |
ss |
seconds |
yy |
year within century (0-68 is 2000 to 2068; 69-99 is 1969 to 1999) |
yyyy |
year including century |
month |
locale's full or abbreviated month name |
ldate |
locale's appropriate date representation |
ltime |
locale's appropriate time representation |
The following time duration formats can be used for the -l
lifetime, -r renewable_life, and -s
start_time options. The examples are based on the time duration of 14
days, 7 hours, 5 minutes, and 30 seconds.
Time Duration Format |
Example |
#d |
14d |
#h |
7h |
#m |
5m |
#s |
30s |
#d#h#m#s |
14d7h5m30s |
#h#m[#s] |
7h5m30s |
days-hh:mm:ss |
14-07:05:30 |
hours:mm[:ss] |
7:05:30 |
Delimiter |
Description |
d |
number of days |
h |
number of hours |
m |
number of minutes |
s |
number of seconds |
Variable |
Description |
# |
number |
days |
number of days |
hours |
number of hours |
hh |
hour (24-hour clock) |
mm |
minutes |
ss |
seconds |