1 files changed, 135 insertions, 0 deletions

diff --git a/doc/user/user_commands/klist.rst b/doc/user/user_commands/klist.rst
new file mode 100644
index 0000000000..d303f34d83
--- /dev/null
+++ b/doc/user/user_commands/klist.rst
@@ -0,0 +1,135 @@
+.. _klist(1):
+
+klist
+=====
+
+SYNOPSIS
+--------
+
+**klist**
+[**-e**]
+[[**-c**] [**-l**] [**-A**] [**-f**] [**-s**] [**-a** [**-n**]]]
+[**-C**]
+[**-k** [**-t**] [**-K**]]
+[**-V**]
+[*cache_name*\|\ *keytab_name*]
+
+
+DESCRIPTION
+-----------
+
+klist lists the Kerberos principal and Kerberos tickets held in a
+credentials cache, or the keys held in a keytab file.
+
+
+OPTIONS
+-------
+
+**-e**
+    Displays the encryption types of the session key and the ticket
+    for each credential in the credential cache, or each key in the
+    keytab file.
+
+**-l**
+    If a cache collection is available, displays a table summarizing
+    the caches present in the collection.
+
+**-A**
+    If a cache collection is available, displays the contents of all
+    of the caches in the collection.
+
+**-c**
+    List tickets held in a credentials cache. This is the default if
+    neither **-c** nor **-k** is specified.
+
+**-f**
+    Shows the flags present in the credentials, using the following
+    abbreviations:
+
+     ::
+
+        F    Forwardable
+        f    forwarded
+        P    Proxiable
+        p    proxy
+        D    postDateable
+        d    postdated
+        R    Renewable
+        I    Initial
+        i    invalid
+        H    Hardware authenticated
+        A    preAuthenticated
+        T    Transit policy checked
+        O    Okay as delegate
+        a    anonymous
+
+**-s**
+    Causes klist to run silently (produce no output), but to still set
+    the exit status according to whether it finds the credentials
+    cache.  The exit status is '0' if klist finds a credentials cache,
+    and '1' if it does not or if the tickets are expired.
+
+**-a**
+    Display list of addresses in credentials.
+
+**-n**
+    Show numeric addresses instead of reverse-resolving addresses.
+
+**-C**
+    List configuration data that has been stored in the credentials
+    cache when klist encounters it.  By default, configuration data
+    is not listed.
+
+**-k**
+    List keys held in a keytab file.
+
+**-i**
+    In combination with **-k**, defaults to using the default client
+    keytab instead of the default acceptor keytab, if no name is
+    given.
+
+**-t**
+    Display the time entry timestamps for each keytab entry in the
+    keytab file.
+
+**-K**
+    Display the value of the encryption key in each keytab entry in
+    the keytab file.
+
+**-V**
+    Display the Kerberos version number and exit.
+
+If *cache_name* or *keytab_name* is not specified, klist will display
+the credentials in the default credentials cache or keytab file as
+appropriate.  If the **KRB5CCNAME** environment variable is set, its
+value is used to locate the default ticket cache.
+
+
+ENVIRONMENT
+-----------
+
+klist uses the following environment variable:
+
+**KRB5CCNAME**
+    Location of the default Kerberos 5 credentials (ticket) cache, in
+    the form *type*:*residual*.  If no *type* prefix is present, the
+    **FILE** type is assumed.  The type of the default cache may
+    determine the availability of a cache collection; for instance, a
+    default cache of type **DIR** causes caches within the directory
+    to be present in the collection.
+
+
+FILES
+-----
+
+|ccache|
+    Default location of Kerberos 5 credentials cache
+
+|keytab|
+    Default location for the local host's keytab file.
+
+
+SEE ALSO
+--------
+
+:ref:`kinit(1)`, :ref:`kdestroy(1)`