1 files changed, 275 insertions, 0 deletions
diff --git a/src/man/kinit.man b/src/man/kinit.man
new file mode 100644
index 0000000000..4d88691bcc
--- /dev/null
+++ b/src/man/kinit.man
@@ -0,0 +1,275 @@
+.TH "KINIT" "1" " " "0.0.1" "MIT Kerberos"
+.SH NAME
+kinit \- obtain and cache Kerberos ticket-granting ticket
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructeredText.
+.
+.SH SYNOPSIS
+.sp
+\fBkinit\fP
+[\fB\-V\fP]
+[\fB\-l\fP \fIlifetime\fP]
+[\fB\-s\fP \fIstart_time\fP]
+[\fB\-r\fP \fIrenewable_life\fP]
+[\fB\-p\fP | \-\fBP\fP]
+[\fB\-f\fP | \-\fBF\fP]
+[\fB\-a\fP]
+[\fB\-A\fP]
+[\fB\-C\fP]
+[\fB\-E\fP]
+[\fB\-v\fP]
+[\fB\-R\fP]
+[\fB\-k\fP [\-\fBt\fP \fIkeytab_file\fP]]
+[\fB\-c\fP \fIcache_name\fP]
+[\fB\-n\fP]
+[\fB\-S\fP \fIservice_name\fP]
+[\fB\-T\fP \fIarmor_ccache\fP]
+[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
+[\fIprincipal\fP]
+.SH DESCRIPTION
+.sp
+kinit obtains and caches an initial ticket\-granting ticket for
+\fIprincipal\fP.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-V\fP
+.sp
+display verbose output.
+.TP
+.B \fB\-l\fP \fIlifetime\fP
+.sp
+requests a ticket with the lifetime \fIlifetime\fP.  The integer value
+for \fIlifetime\fP must be followed immediately by one of the
+following delimiters:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+s  seconds
+m  minutes
+h  hours
+d  days
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+as in \fBkinit \-l 90m\fP.  You cannot mix units; a value of
+\fB3h30m\fP will result in an error.
+.sp
+If the \fB\-l\fP option is not specified, the default ticket lifetime
+(configured by each site) is used.  Specifying a ticket lifetime
+longer than the maximum ticket lifetime (configured by each site)
+results in a ticket with the maximum lifetime.
+.TP
+.B \fB\-s\fP \fIstart_time\fP
+.sp
+requests a postdated ticket, valid starting at \fIstart_time\fP.
+Postdated tickets are issued with the \fBinvalid\fP flag set, and
+need to be resubmitted to the KDC for validation before use.
+.TP
+.B \fB\-r\fP \fIrenewable_life\fP
+.sp
+requests renewable tickets, with a total lifetime of
+\fIrenewable_life\fP.  The duration is in the same format as the
+\fB\-l\fP option, with the same delimiters.
+.TP
+.B \fB\-f\fP
+.sp
+requests forwardable tickets.
+.TP
+.B \fB\-F\fP
+.sp
+requests non\-forwardable tickets.
+.TP
+.B \fB\-p\fP
+.sp
+requests proxiable tickets.
+.TP
+.B \fB\-P\fP
+.sp
+requests non\-proxiable tickets.
+.TP
+.B \fB\-a\fP
+.sp
+requests tickets restricted to the host\(aqs local address[es].
+.TP
+.B \fB\-A\fP
+.sp
+requests tickets not restricted by address.
+.TP
+.B \fB\-C\fP
+.sp
+requests canonicalization of the principal name, and allows the
+KDC to reply with a different client principal from the one
+requested.
+.TP
+.B \fB\-E\fP
+.sp
+treats the principal name as an enterprise name (implies the
+\fB\-C\fP option).
+.TP
+.B \fB\-v\fP
+.sp
+requests that the ticket\-granting ticket in the cache (with the
+\fBinvalid\fP flag set) be passed to the KDC for validation.  If the
+ticket is within its requested time range, the cache is replaced
+with the validated ticket.
+.TP
+.B \fB\-R\fP
+.sp
+requests renewal of the ticket\-granting ticket.  Note that an
+expired ticket cannot be renewed, even if the ticket is still
+within its renewable life.
+.TP
+.B \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
+.sp
+requests a ticket, obtained from a key in the local host\(aqs keytab.
+The location of the keytab may be specified with the \fB\-t\fP
+\fIkeytab_file\fP option; otherwise the default keytab will be used.
+By default, a host ticket for the local host is requested, but any
+principal may be specified.  On a KDC, the special keytab location
+\fBKDB:\fP can be used to indicate that kinit should open the KDC
+database and look up the key directly.  This permits an
+administrator to obtain tickets as any principal that supports
+authentication based on the key.
+.TP
+.B \fB\-n\fP
+.sp
+Requests anonymous processing.  Two types of anonymous principals
+are supported.
+.sp
+For fully anonymous Kerberos, configure pkinit on the KDC and
+configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP.
+Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP
+(an empty principal name followed by the at\-sign and a realm
+name).  If permitted by the KDC, an anonymous ticket will be
+returned.
+.sp
+A second form of anonymous tickets is supported; these
+realm\-exposed tickets hide the identity of the client but not the
+client\(aqs realm.  For this mode, use \fBkinit \-n\fP with a normal
+principal name.  If supported by the KDC, the principal (but not
+realm) will be replaced by the anonymous principal.
+.sp
+As of release 1.8, the MIT Kerberos KDC only supports fully
+anonymous operation.
+.TP
+.B \fB\-T\fP \fIarmor_ccache\fP
+.sp
+Specifies the name of a credentials cache that already contains a
+ticket.  If supported by the KDC, this cache will be used to armor
+the request, preventing offline dictionary attacks and allowing
+the use of additional preauthentication mechanisms.  Armoring also
+makes sure that the response from the KDC is not modified in
+transit.
+.TP
+.B \fB\-c\fP \fIcache_name\fP
+.sp
+use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
+location.  If this option is not used, the default cache location
+is used.
+.sp
+The default cache location may vary between systems.  If the
+\fBKRB5CCNAME\fP environment variable is set, its value is used to
+locate the default cache.  If a principal name is specified and
+the type of the default cache supports a collection (such as the
+DIR type), an existing cache containing credentials for the
+principal is selected or a new one is created and becomes the new
+primary cache.  Otherwise, any existing contents of the default
+cache are destroyed by kinit.
+.TP
+.B \fB\-S\fP \fIservice_name\fP
+.sp
+specify an alternate service name to use when getting initial
+tickets.
+.TP
+.B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
+.sp
+specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
+interpreted by pre\-authentication modules.  The acceptable
+attribute and value values vary from module to module.  This
+option may be specified multiple times to specify multiple
+attributes.  If no value is specified, it is assumed to be "yes".
+.sp
+The following attributes are recognized by the PKINIT
+pre\-authentication mechanism:
+.INDENT 7.0
+.TP
+.B \fBX509_user_identity\fP=\fIvalue\fP
+.sp
+specify where to find user\(aqs X509 identity information
+.TP
+.B \fBX509_anchors\fP=\fIvalue\fP
+.sp
+specify where to find trusted X509 anchor information
+.TP
+.B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
+.sp
+specify use of RSA, rather than the default Diffie\-Hellman
+protocol
+.UNINDENT
+.UNINDENT
+.SH ENVIRONMENT
+.sp
+kinit uses the following environment variables:
+.INDENT 0.0
+.TP
+.B \fBKRB5CCNAME\fP
+.sp
+Location of the default Kerberos 5 credentials cache, in the form
+\fItype\fP:\fIresidual\fP.  If no \fItype\fP prefix is present, the \fBFILE\fP
+type is assumed.  The type of the default cache may determine the
+availability of a cache collection; for instance, a default cache
+of type \fBDIR\fP causes caches within the directory to be present
+in the collection.
+.UNINDENT
+.SH FILES
+.INDENT 0.0
+.TP
+.B \fB/tmp/krb5cc_[uid]\fP
+.sp
+default location of Kerberos 5 credentials cache ([\fIuid\fP] is the
+decimal UID of the user).
+.TP
+.B \fB/etc/krb5.keytab\fP
+.sp
+default location for the local host\(aqs keytab.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fIklist(1)\fP, \fIkdestroy(1)\fP, kerberos(1)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2011, MIT
+.\" Generated by docutils manpage writer.
+.