.\" $Id: kinit.1,v 1.11 2001/06/08 21:35:32 joda Exp $
.\"
.Dd May 29, 1998
.Dt KINIT 1
.Os HEIMDAL
.Sh NAME
.Nm kinit ,
.Nm kauth
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl 4 | Fl -524init
.Op Fl -afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl -cache= Ns Ar cachename
.Xc
.Oc
.Op Fl f | Fl -forwardable
.Oo Fl t Ar keytabname \*(Ba Xo
.Fl -keytab= Ns Ar keytabname
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl -lifetime= Ns Ar time
.Xc
.Oc
.Op Fl p | Fl -proxiable
.Op Fl R | Fl -renew
.Op Fl -renewable
.Oo Fl r Ar time \*(Ba Xo
.Fl -renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl -server= Ns Ar principal
.Xc
.Oc
.Oo Fl s Ar time \*(Ba Xo
.Fl -start-time= Ns Ar time
.Xc
.Oc
.Op Fl k | Fl -use-keytab
.Op Fl v | Fl -validate
.Oo Fl e Ar enctype \*(Ba Xo
.Fl -enctypes= Ns Ar enctype
.Xc
.Oc
.Op Fl -fcache-version= Ns Ar integer
.Op Fl -no-addresses
.Op Fl -anonymous
.Op Fl -version
.Op Fl -help
.Op Ar principal Op Ar command
.Sh DESCRIPTION
.Nm
is used to authenticate to the Kerberos server as
.Ar principal ,
or if none is given, a system generated default (typically your login
name at the default realm), and acquire a ticket granting ticket that
can later be used to obtain tickets for other services.
.Pp
If you have compiled kinit with Kerberos 4 support and you have a
Kerberos 4 server,
.Nm
will detect this and get you Kerberos 4 tickets.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar cachename Ns ,
.Fl -cache= Ns Ar cachename
.Xc
The credentials cache to put the acquired ticket in, if other than
default.
.It Xo
.Fl f Ns ,
.Fl -forwardable
.Xc
Get a ticket that can be forwarded to another host.
.It Xo
.Fl t Ar keytabname Ns ,
.Fl -keytab= Ns Ar keytabname
.Xc
Don't ask for a password, but instead get the key from the specified
keytab.
.It Xo
.Fl l Ar time Ns ,
.Fl -lifetime= Ns Ar time
.Xc
Specifies the lifetime of the ticket. The argument can either be in
seconds, or a more human readable string like
.Sq 1h .
.It Xo
.Fl p Ns ,
.Fl -proxiable
.Xc
Request tickets with the proxiable flag set.
.It Xo
.Fl R Ns ,
.Fl -renew
.Xc
Try to renew ticket. The ticket must have the
.Sq renewable
flag set, and must not be expired.
.It Fl -renewable
The same as
.Fl -renewable-life ,
with an infinite time.
.It Xo
.Fl r Ar time Ns ,
.Fl -renewable-life= Ns Ar time
.Xc
The max renewable ticket life.
.It Xo
.Fl S Ar principal Ns ,
.Fl -server= Ns Ar principal
.Xc
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Xo
.Fl s Ar time Ns ,
.Fl -start-time= Ns Ar time
.Xc
Obtain a ticket that starts to be valid
.Ar time
(which can really be a generic time specification, like
.Sq 1h )
seconds into the future.
.It Xo
.Fl k Ns ,
.Fl -use-keytab
.Xc
The same as
.Fl -keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Xo
.Fl v Ns ,
.Fl -validate
.Xc
Try to validate an invalid ticket.
.It Xo
.Fl e Ar enctypes Ns ,
.Fl -enctypes= Ns Ar enctypes
.Xc
Request tickets with this particular enctype.
.It Xo
.Fl -fcache-version= Ns Ar version
.Xc
Create a credentials cache of version
.Ar version .
.It Xo
.Fl -no-addresses
.Xc
Request a ticket with no addresses.
.It Xo
.Fl -anonymous
.Xc
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically
.Dq anonymous@REALM ) .
.El
.Pp
The following options are only available if
.Nm
has been compiled with support for Kerberos 4. The
.Nm kauth
program is identical to
.Nm kinit ,
but has these options enabled by
default.
.Bl -tag -width Ds
.It Xo
.Fl 4 Ns ,
.Fl -524init
.Xc
Try to convert the obtained Kerberos 5 krbtgt to a version 4 compatible
ticket. It will store this ticket in the default Kerberos 4 ticket
file.
.It Fl -afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel. Only useful if you have AFS.
.El
.Pp
The
.Ar forwardable ,
.Ar proxiable ,
.Ar ticket_life ,
and
.Ar renewable_life
options can be set to a default value from the
.Dv appdefaults
section in krb5.conf, see
.Xr krb5_appdefault 3 .
.Pp
If a
.Ar command
is given,
.Nm kinit
will set up new credentials caches and an AFS PAG, and then run the given
command. When the command finishes, the credentials will be removed.
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
Specifies the default cache file.
.It Ev KRB5_CONFIG
The directory where the
.Pa krb5.conf
can be found, default is
.Pa /etc .
.It Ev KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.El
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr krb5.conf 5 ,
.Xr krb5_appdefault 3
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
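The keytab, lifetime and command options described above combine naturally for unattended jobs. The following is an added example, not part of the Heimdal manual page or sources: it refuses to use a keytab that is accessible to group or others, then runs one command under a short-lived ticket so the credentials are removed when the command finishes. The function names, the permission check and the sample values in the comments are assumptions; only the kinit options are taken from this page.

```shell
# Added example, not Heimdal code. Function names are hypothetical.

# Succeed only if $1 is a regular file with no group/other permission bits.
# A keytab holds long-term keys, so anyone who can read it can obtain
# tickets as the principal without a password.
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;   # group/other bits set, or a symlink
    esac
}

# Print the kinit argument vector for an unattended job, one per line.
# Usage: kinit_job_argv KEYTAB PRINCIPAL LIFETIME COMMAND
# --forwardable and --proxiable are deliberately not passed; note that
# appdefaults in krb5.conf can still set defaults for them.
kinit_job_argv() {
    printf '%s\n' kinit "--keytab=$1" "--lifetime=$3" "$2" "$4"
}

# Check the keytab, then let kinit run COMMAND with its own credentials
# cache. Sample call (constructed values):
#   run_with_keytab /etc/backup.keytab backup/host.example.org 1h /usr/local/bin/backup
run_with_keytab() {
    if ! keytab_is_private "$1"; then
        echo "refusing: $1 is missing or accessible to group/others" >&2
        return 1
    fi
    kinit "--keytab=$1" "--lifetime=$3" "$2" "$4"
}
```
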