diff options
Diffstat (limited to 'doc/user/user_commands/kinit.rst')
-rw-r--r-- | doc/user/user_commands/kinit.rst | 220 |
1 files changed, 220 insertions, 0 deletions
diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst new file mode 100644 index 0000000000..c2b3b7fed0 --- /dev/null +++ b/doc/user/user_commands/kinit.rst @@ -0,0 +1,220 @@ +.. _kinit(1): + +kinit +===== + +SYNOPSIS +-------- + +**kinit** +[**-V**] +[**-l** *lifetime*] +[**-s** *start_time*] +[**-r** *renewable_life*] +[**-p** | -**P**] +[**-f** | -**F**] +[**-a**] +[**-A**] +[**-C**] +[**-E**] +[**-v**] +[**-R**] +[**-k** [-**t** *keytab_file*]] +[**-c** *cache_name*] +[**-n**] +[**-S** *service_name*] +[**-I** *input_ccache*] +[**-T** *armor_ccache*] +[**-X** *attribute*\ [=\ *value*]] +[*principal*] + + +DESCRIPTION +----------- + +kinit obtains and caches an initial ticket-granting ticket for +*principal*. + + +OPTIONS +------- + +**-V** + display verbose output. + +**-l** *lifetime* + (:ref:`duration` string.) Requests a ticket with the lifetime + *lifetime*. + + For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``. + + If the **-l** option is not specified, the default ticket lifetime + (configured by each site) is used. Specifying a ticket lifetime + longer than the maximum ticket lifetime (configured by each site) + will not override the configured maximum ticket lifetime. + +**-s** *start_time* + (:ref:`duration` string.) Requests a postdated ticket. Postdated + tickets are issued with the **invalid** flag set, and need to be + resubmitted to the KDC for validation before use. + + *start_time* specifies the duration of the delay before the ticket + can become valid. + +**-r** *renewable_life* + (:ref:`duration` string.) Requests renewable tickets, with a total + lifetime of *renewable_life*. + +**-f** + requests forwardable tickets. + +**-F** + requests non-forwardable tickets. + +**-p** + requests proxiable tickets. + +**-P** + requests non-proxiable tickets. + +**-a** + requests tickets restricted to the host's local address[es]. + +**-A** + requests tickets not restricted by address. + +**-C** + requests canonicalization of the principal name, and allows the + KDC to reply with a different client principal from the one + requested. + +**-E** + treats the principal name as an enterprise name (implies the + **-C** option). + +**-v** + requests that the ticket-granting ticket in the cache (with the + **invalid** flag set) be passed to the KDC for validation. If the + ticket is within its requested time range, the cache is replaced + with the validated ticket. + +**-R** + requests renewal of the ticket-granting ticket. Note that an + expired ticket cannot be renewed, even if the ticket is still + within its renewable life. + +**-k** [**-i** | **-t** *keytab_file*] + requests a ticket, obtained from a key in the local host's keytab. + The location of the keytab may be specified with the **-t** + *keytab_file* option, or with the **-i** option to specify the use + of the default client keytab; otherwise the default keytab will be + used. By default, a host ticket for the local host is requested, + but any principal may be specified. On a KDC, the special keytab + location ``KDB:`` can be used to indicate that kinit should open + the KDC database and look up the key directly. This permits an + administrator to obtain tickets as any principal that supports + authentication based on the key. + +**-n** + Requests anonymous processing. Two types of anonymous principals + are supported. + + For fully anonymous Kerberos, configure pkinit on the KDC and + configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. + Then use the **-n** option with a principal of the form ``@REALM`` + (an empty principal name followed by the at-sign and a realm + name). If permitted by the KDC, an anonymous ticket will be + returned. + + A second form of anonymous tickets is supported; these + realm-exposed tickets hide the identity of the client but not the + client's realm. For this mode, use ``kinit -n`` with a normal + principal name. If supported by the KDC, the principal (but not + realm) will be replaced by the anonymous principal. + + As of release 1.8, the MIT Kerberos KDC only supports fully + anonymous operation. + +**-I** *input_ccache* + + Specifies the name of a credentials cache that already contains a + ticket. When obtaining that ticket, if information about how that + ticket was obtained was also stored to the cache, that information + will be used to affect how new credentials are obtained, including + preselecting the same methods of authenticating to the KDC. + +**-T** *armor_ccache* + Specifies the name of a credentials cache that already contains a + ticket. If supported by the KDC, this cache will be used to armor + the request, preventing offline dictionary attacks and allowing + the use of additional preauthentication mechanisms. Armoring also + makes sure that the response from the KDC is not modified in + transit. + +**-c** *cache_name* + use *cache_name* as the Kerberos 5 credentials (ticket) cache + location. If this option is not used, the default cache location + is used. + + The default cache location may vary between systems. If the + **KRB5CCNAME** environment variable is set, its value is used to + locate the default cache. If a principal name is specified and + the type of the default cache supports a collection (such as the + DIR type), an existing cache containing credentials for the + principal is selected or a new one is created and becomes the new + primary cache. Otherwise, any existing contents of the default + cache are destroyed by kinit. + +**-S** *service_name* + specify an alternate service name to use when getting initial + tickets. + +**-X** *attribute*\ [=\ *value*] + specify a pre-authentication *attribute* and *value* to be + interpreted by pre-authentication modules. The acceptable + attribute and value values vary from module to module. This + option may be specified multiple times to specify multiple + attributes. If no value is specified, it is assumed to be "yes". + + The following attributes are recognized by the PKINIT + pre-authentication mechanism: + + **X509_user_identity**\ =\ *value* + specify where to find user's X509 identity information + + **X509_anchors**\ =\ *value* + specify where to find trusted X509 anchor information + + **flag_RSA_PROTOCOL**\ [**=yes**] + specify use of RSA, rather than the default Diffie-Hellman + protocol + + +ENVIRONMENT +----------- + +kinit uses the following environment variables: + +**KRB5CCNAME** + Location of the default Kerberos 5 credentials cache, in the form + *type*:*residual*. If no *type* prefix is present, the **FILE** + type is assumed. The type of the default cache may determine the + availability of a cache collection; for instance, a default cache + of type **DIR** causes caches within the directory to be present + in the collection. + + +FILES +----- + +|ccache| + default location of Kerberos 5 credentials cache + +|keytab| + default location for the local host's keytab. + + +SEE ALSO +-------- + +:ref:`klist(1)`, :ref:`kdestroy(1)`, kerberos(1) |