207 lines
4.6 KiB
Groff
207 lines
4.6 KiB
Groff
.\"
|
|
.\" $Header: /local/cvsfiles/kerberos/src/appl/rkinit/man/rkinit.1,v 1.1 1991/12/03 23:21:25 eichin Exp $
|
|
.\" $Source: /local/cvsfiles/kerberos/src/appl/rkinit/man/rkinit.1,v $
|
|
.\" $Author: eichin $
|
|
.\"
|
|
.\"
|
|
.TH RKINIT 1 "November 12, 1989"
|
|
.UC 4
|
|
.SH NAME
|
|
rkinit \- establish kerberos tickets safely on a remote host
|
|
.SH SYNOPSIS
|
|
.B rkinit [ host ]
|
|
[ -p
|
|
.B principal
|
|
] [ -l
|
|
.B username
|
|
] [ -k
|
|
.B kerberos_realm
|
|
] [ -f
|
|
.B ticket_file
|
|
] [ -h
|
|
.B remote_host
|
|
] [ -t
|
|
.B ticket_lifetime
|
|
] [
|
|
.B \-notimeout
|
|
]
|
|
|
|
A host name must be specified either as the first command line
|
|
argument or following a \-h flag. If redundant command line
|
|
arguments are given, the last one to appear takes precedence.
|
|
|
|
.SH DESCRIPTION
|
|
.I rkinit
|
|
is a program that allows a user to establish kerberos tickets on
|
|
a remote host registered for
|
|
rlogin service. This can be done without the user's kerberos
|
|
password ever leaving the client machine.
|
|
|
|
In order to establish tickets remotely
|
|
without the use of something like
|
|
.I rkinit,
|
|
one would have to log in to the
|
|
remote host and run
|
|
.IR kinit (1).
|
|
.I rkinit
|
|
followed by
|
|
.I rlogin
|
|
can be thought of as a safe substitute for
|
|
.I rlogin
|
|
followed
|
|
.I kinit.
|
|
|
|
.I rkinit
|
|
uses the same access checking mechanism as
|
|
.I rlogin.
|
|
That means that
|
|
.I rkinit
|
|
can be used to create any tickets for user
|
|
.I A
|
|
on remote host
|
|
.I B
|
|
if and only if
|
|
.IR A 's
|
|
tickets would entitle a login to
|
|
.I B.
|
|
This means that one can create remote tickets for himself or for
|
|
another user if he is in that user's .klogin file.
|
|
|
|
.I rkinit
|
|
understands the following command line options:
|
|
|
|
.TP 4
|
|
.B \-p \fIprincipal\fR
|
|
If
|
|
.I principal,
|
|
in the format
|
|
.I name[.inst][@realm]
|
|
is specified, the tickets created on the remote host will be the
|
|
tickets indicated by the
|
|
.I principal
|
|
field. If this option is not given, the following defaults are
|
|
used: If the user running
|
|
.I rkinit
|
|
does not have tickets on the client machine,
|
|
.I rkinit
|
|
will prompt for a password and behave effectively as if the user
|
|
had invoked
|
|
.I kinit
|
|
on the specified
|
|
remote host; i.e.,
|
|
the tickets established will be owned on the remote host
|
|
by the user who invoked
|
|
.I rkinit
|
|
and will be for the local realm of the
|
|
remote host.
|
|
If the user running
|
|
.I rkinit
|
|
already has tickets,
|
|
.I rkinit
|
|
will prompt for a password and create tickets whose principal
|
|
matches that of the
|
|
tickets that the user already has.
|
|
|
|
|
|
.TP
|
|
.B \-l \fIusername\fR
|
|
If
|
|
.I username
|
|
is specified, the ticket file on the remote host will be owned by the
|
|
user
|
|
.I username.
|
|
If it is not specified, the tickets will be owned by
|
|
the remote user whose login name matches that of the user invoking
|
|
.I rkinit.
|
|
|
|
.TP
|
|
.B \-r \fIrealm\fR
|
|
.I realm
|
|
is used to tell
|
|
.I rkinit
|
|
what realm the remote host is in. This
|
|
option should not usually have to be used since
|
|
.I rkinit
|
|
uses
|
|
.IR krb_realmofhost (3)
|
|
to determine the remote host's kerberos realm. Note that this
|
|
is distinct from realm as specified in
|
|
.I principal,
|
|
which refers to the realm of the remote tickets.
|
|
|
|
.TP
|
|
.B \-f \fIticket_file\fR
|
|
This option is used to specify the name of the ticket file that
|
|
should be used on the remote host. Note that if you
|
|
specify a location for the ticket file that is other
|
|
than the default, you will have to set the environment variable
|
|
KRBTKFILE to that filename once you get to the remote host in
|
|
order for you to use the tickets.
|
|
If a ticket file is not specified, the tickets will
|
|
be placed in the
|
|
default location as specified by
|
|
.IR tkt_file (3).
|
|
On a UNIX host, this is /tmp/tkt<uid>, where
|
|
<uid> is the user id of the person who owns the remote ticket file.
|
|
|
|
.TP
|
|
.B \-h \fIremote_host\fR
|
|
.I remote host
|
|
is the host on which remote tickets are being obtained. This
|
|
option can be used in place of specifying the host as the first
|
|
command line argument.
|
|
|
|
.TP
|
|
.B \-t \fIticket_lifetime\fR
|
|
.I ticket lifetime
|
|
is the lifetime in minutes of the remote tickets. If it is not
|
|
specified, the default ticket life time (as defined in krb.h) is
|
|
used.
|
|
|
|
.TP
|
|
.B \-notimeout
|
|
prevents the client from timing out. This is mainly useful only
|
|
for debugging since the rkinit server also times out.
|
|
|
|
.SH EXAMPLES
|
|
|
|
In the following examples,
|
|
.B tabetha
|
|
and
|
|
.B soup
|
|
are machines in the
|
|
.B ATHENA.MIT.EDU
|
|
kerberos realm and
|
|
.B local
|
|
is a user who can log in
|
|
to
|
|
.B soup
|
|
and has
|
|
.B qjb.root@ATHENA.MIT.EDU
|
|
in his .klogin file.
|
|
|
|
|
|
% rkinit tabetha
|
|
.br
|
|
Kerberos initialization (tabetha)
|
|
.br
|
|
Password for qjb@ATHENA.MIT.EDU:
|
|
.br
|
|
%
|
|
.br
|
|
|
|
.br
|
|
% rkinit soup -p qjb.root -l local
|
|
.br
|
|
Kerberos initialization (soup): tickets will be owned by local
|
|
.br
|
|
Password for qjb.root@ATHENA.MIT.EDU:
|
|
.br
|
|
%
|
|
|
|
.SH SEE ALSO
|
|
rkinitd(8), kerberos(1), kerberos(3), kinit(1)
|
|
|
|
.SH AUTHOR
|
|
Emanuel Jay Berkenbilt (MIT-Project Athena)
|