kinit - obtain and cache Kerberos ticket-granting ticket
<H2>SYNOPSIS</H2><PRE>
[<B>-V</B>] [<B>-l</B> <I>lifetime</I>] [<B>-s</B> <I>start</I>_<I>time</I>] [<B>-r</B> <I>renewable</I>_<I>life</I>]
[<B>-p</B> | <B>-P</B>] [<B>-f</B> | <B>-F</B>] [<B>-a</B>] [<B>-A</B>] [<B>-v</B>] [<B>-R</B>] [<B>-k</B> [<B>-t</B>
<I>keytab</I>_<I>file</I>]] [<B>-c</B> <I>cache</I>_<I>name</I>] [<B>-S</B> <I>service</I>_<I>name</I>] [<B>-T</B>
<I>armor</I>_<I>ccache</I>] [<B>-X</B> <I>attribute</I>[=<I>value</I>]] [<I>principal</I>]
<H2>DESCRIPTION</H2><PRE>
<I>kinit</I> obtains and caches an initial ticket-granting ticket

-<B>V</B> display verbose output.

<B>-l</B> <I>lifetime</I>
    requests a ticket with the lifetime <I>lifetime</I>. The
    value for <I>lifetime</I> must be followed immediately by one
    of the following delimiters:

    as in "kinit -l 90m". You cannot mix units; a value of
    `3h30m' will result in an error.

    If the -<B>l</B> option is not specified, the default ticket
    lifetime (configured by each site) is used. Specifying
    a ticket lifetime longer than the maximum ticket lifetime
    (configured by each site) results in a ticket with

<B>-s</B> <I>start</I>_<I>time</I>
    requests a postdated ticket, valid starting at
    <I>start</I>_<I>time</I>. Postdated tickets are issued with the
    <I>invalid</I> flag set, and need to be fed back to the kdc

<B>-r</B> <I>renewable</I>_<I>life</I>
    requests renewable tickets, with a total lifetime of
    <I>renewable</I>_<I>life</I>. The duration is in the same format as
    the -<B>l</B> option, with the same delimiters.

-<B>f</B> request forwardable tickets.

-<B>F</B> do not request forwardable tickets.

-<B>p</B> request proxiable tickets.

-<B>P</B> do not request proxiable tickets.

-<B>a</B> request tickets with the local address[es].

-<B>A</B> request address-less tickets.

-<B>v</B> requests that the ticket granting ticket in the cache
    (with the <I>invalid</I> flag set) be passed to the kdc for
    validation. If the ticket is within its requested time
    range, the cache is replaced with the validated ticket.

-<B>R</B> requests renewal of the ticket-granting ticket. Note
    that an expired ticket cannot be renewed, even if the
    ticket is still within its renewable life.

<B>-k</B> [<B>-t</B> <I>keytab</I>_<I>file</I>]
    requests a host ticket, obtained from a key in the
    local host's <I>keytab</I> file. The name and location of the
    keytab file may be specified with the -<B>t</B> <I>keytab</I>_<I>file</I>
    option; otherwise the default name and location will be

<B>-T</B> <I>armor</I>_<I>ccache</I>
    Specifies the name of a credential cache that already
    contains a ticket. This ccache will be used to armor
    the request. Ideally, an attacker should have to
    attack both the armor ticket and the key of the princi-

<B>-c</B> <I>cache</I>_<I>name</I>
    use <I>cache</I>_<I>name</I> as the Kerberos 5 credentials (ticket)
    cache name and location; if this option is not used,
    the default cache name and location are used.

    The default credentials cache may vary between systems.
    If the <B>KRB5CCNAME</B> environment variable is set, its
    value is used to name the default ticket cache. Any
    existing contents of the cache are destroyed by <I>kinit</I>.

<B>-S</B> <I>service</I>_<I>name</I>
    specify an alternate service name to use when getting

<B>-X</B> <I>attribute</I>[=<I>value</I>]
    specify a pre-authentication attribute and value to be
    passed to pre-authentication plugins. The acceptable
    <I>attribute</I> and <I>value</I> values vary from pre-authentication
    plugin to plugin. This option may be specified multiple
    times to specify multiple attributes. If no <I>value</I>
    is specified, it is assumed to be "yes".

The following attributes are recognized by the OpenSSL pkinit
pre-authentication mechanism:

<B>X509_user_identity</B>=<I>value</I>
    specify where to find user's X509 identity information
<B>X509_anchors</B>=<I>value</I>
    specify where to find trusted X509 anchor information
<B>flag_RSA_PROTOCOL</B>[=yes]
    specify use of RSA, rather than the default Diffie-Hellman protocol
<H2>ENVIRONMENT</H2><PRE>
<B>Kinit</B> uses the following environment variables:

KRB5CCNAME          Location of the Kerberos 5 credentials

/tmp/krb5cc_[uid]   default location of Kerberos 5 credentials
                    cache ([uid] is the decimal UID of

/etc/krb5.keytab    default location for the local host's
<H2>SEE ALSO</H2><PRE>
<B>klist(1)</B>, <B>kdestroy(1)</B>, <B>kerberos(1)</B>
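
The -k, -t, -c and -l options and the KRB5CCNAME variable described above, combined in an added example that is not part of the original manual page: a script obtains a keytab-based ticket in a private cache, so that kinit does not destroy the contents of the caller's default cache, and removes the ticket when the command finishes. The helper names valid_lifetime and with_keytab_ticket are hypothetical, and kdestroy -c is assumed from kdestroy(1).

```shell
#!/bin/sh
# Added example (not from the kinit distribution). The helper names are
# hypothetical; the kinit options used are the ones documented on this page.

# Accept a number immediately followed by exactly one unit letter (90m).
# Mixed units such as 3h30m are rejected before kinit is ever invoked.
# Which unit letters are valid is left for kinit itself to decide.
valid_lifetime() {
    num=${1%?}            # everything except the last character
    unit=${1#"$num"}      # the last character
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $unit in [a-z]) return 0 ;; *) return 1 ;; esac
}

# with_keytab_ticket KEYTAB PRINCIPAL LIFETIME COMMAND [ARG...]
with_keytab_ticket() {
    [ "$#" -ge 4 ] || { echo "usage: with_keytab_ticket KEYTAB PRINCIPAL LIFETIME CMD..." >&2; return 2; }
    keytab=$1 principal=$2 lifetime=$3
    shift 3
    valid_lifetime "$lifetime" || { echo "bad lifetime: $lifetime" >&2; return 2; }
    [ -r "$keytab" ] || { echo "cannot read keytab: $keytab" >&2; return 2; }

    # kinit destroys whatever the target cache holds, so a script should not
    # aim it at the default cache. mktemp -d gives a fresh mode-0700 directory.
    ccdir=$(mktemp -d) || return 1
    cache=$ccdir/krb5cc

    status=0
    if kinit -k -t "$keytab" -c "$cache" -l "$lifetime" "$principal"; then
        # Only the child sees KRB5CCNAME; the caller's environment is untouched.
        ( KRB5CCNAME=$cache; export KRB5CCNAME; "$@" ) || status=$?
        kdestroy -c "$cache" || status=$?
    else
        status=1
    fi
    rm -rf "$ccdir"
    return "$status"
}
```

The function returns 2 for a rejected argument, 1 if kinit fails, and otherwise the exit status of the command it ran.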