User Commands kinit(1)
NAME
kinit - obtain and cache Kerberos ticket-granting ticket
SYNOPSIS
/usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name]
[-k [-t keytab_file]] [-l lifetime]
[-r renewable_life] [-s start_time] [-S service_name]
[principal]DESCRIPTION
The kinit command is used to obtain and cache an initial
ticket-granting ticket (credential) for principal. This
ticket is used for authentication by the Kerberos system. Only users with Kerberos principals can use the Kerberossystem. For information about Kerberos principals, see ker-
beros(5).When you use kinit without options, the utility prompts for
your principal and Kerberos password, and tries to authenti-
cate your login with the local Kerberos server. The princi-
pal can be specified on the command line if desired.If Kerberos authenticates the login attempt, kinit retrieves
your initial ticket-granting ticket and puts it in the
ticket cache. By default your ticket is stored in the file/tmp/krb5cc_uid, where uid specifies your user identifica-
tion number. Tickets expire after a specified lifetime,after which kinit must be run again. Any existing contents
of the cache are destroyed by kinit.
Values specified in the command line override the values specified in the Kerberos configuration file for lifetimeand renewable_life.
The kdestroy(1) command can be used to destroy any active tickets before you end your login session. OPTIONS The following options are supported:-a Requests tickets with the local
addresses.-A Requests address-less tickets.
SunOS 5.11 Last change: 12 Nov 2008 1
User Commands kinit(1)
-c cache_name Uses cache_name as the credentials
(ticket) cache name and location. If this option is not used, the default cache name and location are used.-f Requests forwardable tickets.
-F Not forwardable. Does not request
forwardable tickets. Tickets that have been acquired on one host cannot normally be used on another host. A client can requestthat the ticket be marked forward-
able. Once the TKT_FLG_FORWARDABLE
flag is set on a ticket, the user can use this ticket to request a new ticket, but with a different IP address. Thus, users can use theircurrent credentials to get creden-
tials valid on another machine. This option allows a user to explicitlyobtain a non-forwardable ticket.
-k [-t keytab_file] Requests a host ticket, obtained
from a key in the local host's key-
tab file. The name and location of the keytab file can be specifiedwith the -t keytab_file option. Oth-
erwise, the default name and loca-
tion is used.-l lifetime Requests a ticket with the lifetime
lifetime. If the -l option is not
specified, the default ticket life-
time (configured by each site) is used. Specifying a ticket lifetimelonger than the maximum ticket life-
time (configured by each site) results in a ticket with the maximumlifetime. See the Time Formats sec-
tion for the valid time duration formats that you can specify for lifetime. See kdc.conf(4) and kadmin(1M) (for getprinc command to verify the lifetime values for the server principal).SunOS 5.11 Last change: 12 Nov 2008 2
User Commands kinit(1)
The lifetime of the tickets returned is the minimum of the following:o Value specified in the com-
mand line. o Value specified in the KDC configuration file.o Value specified in the Ker-
beros data base for the server principal. In thecase of kinit, it is
krbtgt/realm name.o Value specified in the Ker-
beros database for the user principal.-p Requests proxiable tickets.
-P Not proxiable. Does not request
proxiable tickets. A proxiable ticket is a ticket that allows you to get a ticket for a service with IP addresses other than the ones in the Ticket Granting Ticket. This option allows a user toexplicitly obtain a non-proxiable
ticket.-r renewable_life Requests renewable tickets, with a
total lifetime of renewable_life.
See the Time Formats section for the valid time duration formats that youcan specify for renewable_life. See
kdc.conf(4) and kadmin(1M) (for get-
princ command to verify the lifetime values for the server principal).The renewable lifetime of the tick-
ets returned is the minimum of the following:o Value specified in the com-
mand line. o Value specified in the KDCSunOS 5.11 Last change: 12 Nov 2008 3
User Commands kinit(1)
configuration file.o Value specified in the Ker-
beros data base for the server principal. In thecase of kinit, it is
krbtgt/realm name.o Value specified in the Ker-
beros database for the user principal.-R Requests renewal of the ticket-
granting ticket. Notice that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.-s start_time Requests a postdated ticket, valid
starting at start_time. Postdated
tickets are issued with the invalid flag set, and need to be fed back to the KDC before use. See the Time Formats section for either the validabsolute time or time duration for-
mats that you can specify forstart_time. kinit attempts to match
an absolute time first before trying to match a time duration.-S service_name Specifies an alternate service name
to use when getting initial tickets.-v Requests that the ticket granting
ticket in the cache (with the invalid flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket.-V Verbose output. Displays further
information to the user, such as confirmation of authentication and version.SunOS 5.11 Last change: 12 Nov 2008 4
User Commands kinit(1)
-X attribute[=value] Specifies a pre-authentication
attribute and value to be passed topre-authentication plugins. The
acceptable attribute and valuevalues vary from pre-authentication
plugin to plugin. This option can be specified multiple times to specify multiple attributes. If no value is specified, it is assumed to be yes.The following attributes are recog-
nized by the OpenSSL pkinit pre-
authentication mechanism:X509_user_identity=URI Specifies
where to find user's X509 identityinforma-
tion. Valid URI types are FILE, DIR, PKCS11, PKCS12, and ENV. See the PKINIT URI Types section for details.X509_anchors=URI Specifies
where to find trusted X509 anchorinforma-
tion. Valid URI types are FILE and DIR. See thePKINITSunOS 5.11 Last change: 12 Nov 2008 5
User Commands kinit(1)
URI Types section for details.flag_RSA_PROTOCOL[=yes] Specifies
the use of RSA, rather than the defaultDiffie-
Hellman protoco. PKINIT URI TypesFILE:file-name[,key-file-name]
This option has context-specific behavior.
X509_user_identity file-name specifies the name of a
PEM-format file containing the
user's certificate. If key-file-
name is not specified, the user's private key is expected to be infile-name as well. Otherwise,
key-file-name is the name of the
file containing the private key.X509_anchors file-name is assumed to be the
name of an OpenSSL-style ca-bundle
file. The ca-bundle file should be
base-64 encoded.
DIR:directory-name
This option has context-specific behavior.
X509_user_identity directory-name specifies a direc-
tory with files named *.crt and *.key, where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a name ending with .crt is found, a matching file ending with .key isSunOS 5.11 Last change: 12 Nov 2008 6
User Commands kinit(1)
assumed to contain the private key. If no such file is found, then the certificate in the .crt is not used.X509_anchors directory-name is assumed to be an
OpenSSL-style hashed CA directory
where each CA cert is stored in afile named hash-of-ca-cert.#. This
infrastructure is encouraged, but all files in the directory areexamined and if they contain cer-
tificates (in PEM format), and are used.PKCS12:pkcs12-file-name
pkcs12-file-name is the name of a PKCS #12 format file,
containing the user's certificate and private key.PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-
id][:certlabel=cert-label]
All keyword and values are optional. PKCS11 modules (forexample, opensc-pkcs11.so) must be installed as a crypto
provider underlibpkcs11(3LIB). slotid= and/or token= can be specified to force the use of a particular smard card reader or token if there is more than one available. certid= and/or certlabel= can be specified to force the selection of a particular certificate on the device. Seethe pkinit_cert_match configuration option for more ways
to select a particular certificate to use for pkinit.
ENV:environment-variable-name
environment-variable-name specifies the name of an
environment variable which has been set to a value con-
forming to one of the previous values. For example,ENV:X509_PROXY, where environment variable X509_PROXY
has been set to FILE:/tmp/my_proxy.pem.
Time FormatsThe following absolute time formats can be used for the -s
start_time option. The examples are based on the date and
time of July 2, 1999, 1:35:30 p.m.SunOS 5.11 Last change: 12 Nov 2008 7
User Commands kinit(1)
____________________________________________________________
| Absolute Time Format Example | | yymmddhhmm[ss] 990702133530 | | hhmm[ss] 133530 | | yy.mm.dd.hh.mm.ss 99:07:02:13:35:30 | | hh:mm[:ss] 13:35:30 || ldate:ltime 07-07-99:13:35:30 |
| dd-month-yyyy:hh:mm[:ss] 02-july-1999:13:35:30 |
|___________________________________________________________|
Variable Description dd dayhh hour (24-hour clock)
mm minutes ss secondsyy year within century (0-68 is 2000 to
2068; 69-99 is 1969 to 1999)
yyyy year including century month locale's full or abbreviated month name ldate locale's appropriate date representation ltime locale's appropriate time representationThe following time duration formats can be used for the -l
lifetime, -r renewable_life, and -s start_time options. The
examples are based on the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.SunOS 5.11 Last change: 12 Nov 2008 8
User Commands kinit(1)
____________________________________________________________
| Time Duration Format Example || #d 14d |
| #h 7h |
| #m 5m |
| #s 30s |
| #d#h#m#s 14d7h5m30s |
| #h#m[#s] 7h5m30s |
| days-hh:mm:ss 14-07:05:30 |
| hours:mm[:ss] 7:05:30 ||___________________________________________________________|
Delimiter Description d number of days h number of hours m number of minutes s number of seconds Variable Description# number
days number of days hours number of hourshh hour (24-hour clock)
mm minutes ss seconds ENVIRONMENT VARIABLESkinit uses the following environment variable:
KRB5CCNAME Location of the credentials (ticket) cache.
See krb5envvar(5) for syntax and details. FILES/tmp/krb5cc_uid Default credentials cache (uid is
the decimal UID of the user). /etc/krb5/krb5.keytab Default location for the local host's keytab file. /etc/krb5/krb5.conf Default location for the local host's configuration file. See krb5.conf(4).SunOS 5.11 Last change: 12 Nov 2008 9
User Commands kinit(1)
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | service/security/kerberos-5 |
|_____________________________|_____________________________|
| Interface Stability | See below. ||_____________________________|_____________________________|
The command arguments are Committed. The command output is Uncommitted.SEE ALSO
kdestroy(1), klist(1), kadmin(1M), ktkt_warnd(1M),
libpkcs11(3LIB), kdc.conf(4), krb5.conf(4), attributes(5),kerberos(5), krb5envvar(5), pam_krb5(5)
NOTESOn success, kinit notifies ktkt_warnd(1M) to alert the user
when the initial credentials (ticket-granting ticket) are
about to expire.SunOS 5.11 Last change: 12 Nov 2008 10