243 lines
5.0 KiB
Groff
243 lines
5.0 KiB
Groff
.\" $Id: kinit.1,v 1.21 2002/09/13 14:50:27 joda Exp $
|
|
.\"
|
|
.Dd May 29, 1998
|
|
.Dt KINIT 1
|
|
.Os HEIMDAL
|
|
.Sh NAME
|
|
.Nm kinit
|
|
.Nm kauth
|
|
.Nd acquire initial tickets
|
|
.Sh SYNOPSIS
|
|
.Nm kinit
|
|
.Op Fl 4 | Fl -524init
|
|
.Op Fl 9 | Fl -524convert
|
|
.Op Fl -afslog
|
|
.Oo Fl c Ar cachename \*(Ba Xo
|
|
.Fl -cache= Ns Ar cachename
|
|
.Xc
|
|
.Oc
|
|
.Op Fl f | Fl -forwardable
|
|
.Oo Fl t Ar keytabname \*(Ba Xo
|
|
.Fl -keytab= Ns Ar keytabname
|
|
.Xc
|
|
.Oc
|
|
.Oo Fl l Ar time \*(Ba Xo
|
|
.Fl -lifetime= Ns Ar time
|
|
.Xc
|
|
.Oc
|
|
.Op Fl p | Fl -proxiable
|
|
.Op Fl R | Fl -renew
|
|
.Op Fl -renewable
|
|
.Oo Fl r Ar time \*(Ba Xo
|
|
.Fl -renewable-life= Ns Ar time
|
|
.Xc
|
|
.Oc
|
|
.Oo Fl S Ar principal \*(Ba Xo
|
|
.Fl -server= Ns Ar principal
|
|
.Xc
|
|
.Oc
|
|
.Oo Fl s Ar time \*(Ba Xo
|
|
.Fl -start-time= Ns Ar time
|
|
.Xc
|
|
.Oc
|
|
.Op Fl k | Fl -use-keytab
|
|
.Op Fl v | Fl -validate
|
|
.Oo Fl e Ar enctypes \*(Ba Xo
|
|
.Fl -enctypes= Ns Ar enctypes
|
|
.Xc
|
|
.Oc
|
|
.Oo Fl a Ar addresses \*(Ba Xo
|
|
.Fl -extra-addresses= Ns Ar addresses
|
|
.Xc
|
|
.Oc
|
|
.Op Fl -fcache-version= Ns Ar integer
|
|
.Op Fl -no-addresses
|
|
.Op Fl -anonymous
|
|
.Op Fl -version
|
|
.Op Fl -help
|
|
.Op Ar principal Op Ar command
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is used to authenticate to the kerberos server as
|
|
.Ar principal ,
|
|
or if none is given, a system generated default (typically your login
|
|
name at the default realm), and acquire a ticket granting ticket that
|
|
can later be used to obtain tickets for other services.
|
|
.Pp
|
|
If you have compiled
|
|
.Nm kinit
|
|
with Kerberos 4 support and you have a
|
|
Kerberos 4 server,
|
|
.Nm
|
|
will detect this and get you Kerberos 4 tickets.
|
|
.Pp
|
|
Supported options:
|
|
.Bl -tag -width Ds
|
|
.It Xo
|
|
.Fl c Ar cachename
|
|
.Fl -cache= Ns Ar cachename
|
|
.Xc
|
|
The credentials cache to put the acquired ticket in, if other than
|
|
default.
|
|
.It Xo
|
|
.Fl f ,
|
|
.Fl -forwardable
|
|
.Xc
|
|
Get ticket that can be forwarded to another host.
|
|
.It Xo
|
|
.Fl t Ar keytabname ,
|
|
.Fl -keytab= Ns Ar keytabname
|
|
.Xc
|
|
Don't ask for a password, but instead get the key from the specified
|
|
keytab.
|
|
.It Xo
|
|
.Fl l Ar time ,
|
|
.Fl -lifetime= Ns Ar time
|
|
.Xc
|
|
Specifies the lifetime of the ticket. The argument can either be in
|
|
seconds, or a more human readable string like
|
|
.Sq 1h .
|
|
.It Xo
|
|
.Fl p ,
|
|
.Fl -proxiable
|
|
.Xc
|
|
Request tickets with the proxiable flag set.
|
|
.It Xo
|
|
.Fl R ,
|
|
.Fl -renew
|
|
.Xc
|
|
Try to renew ticket. The ticket must have the
|
|
.Sq renewable
|
|
flag set, and must not be expired.
|
|
.It Fl -renewable
|
|
The same as
|
|
.Fl -renewable-life ,
|
|
with an infinite time.
|
|
.It Xo
|
|
.Fl r Ar time ,
|
|
.Fl -renewable-life= Ns Ar time
|
|
.Xc
|
|
The max renewable ticket life.
|
|
.It Xo
|
|
.Fl S Ar principal ,
|
|
.Fl -server= Ns Ar principal
|
|
.Xc
|
|
Get a ticket for a service other than krbtgt/LOCAL.REALM.
|
|
.It Xo
|
|
.Fl s Ar time ,
|
|
.Fl -start-time= Ns Ar time
|
|
.Xc
|
|
Obtain a ticket that starts to be valid
|
|
.Ar time
|
|
(which can really be a generic time specification, like
|
|
.Sq 1h )
|
|
seconds into the future.
|
|
.It Xo
|
|
.Fl k ,
|
|
.Fl -use-keytab
|
|
.Xc
|
|
The same as
|
|
.Fl -keytab ,
|
|
but with the default keytab name (normally
|
|
.Ar FILE:/etc/krb5.keytab ) .
|
|
.It Xo
|
|
.Fl v ,
|
|
.Fl -validate
|
|
.Xc
|
|
Try to validate an invalid ticket.
|
|
.It Xo
|
|
.Fl e ,
|
|
.Fl -enctypes= Ns Ar enctypes
|
|
.Xc
|
|
Request tickets with this particular enctype.
|
|
.It Xo
|
|
.Fl -fcache-version= Ns Ar version
|
|
.Xc
|
|
Create a credentials cache of version
|
|
.Nm version .
|
|
.It Xo
|
|
.Fl a ,
|
|
.Fl -extra-addresses= Ns Ar enctypes
|
|
.Xc
|
|
Adds a set of addresses that will, in addition to the systems local
|
|
addresses, be put in the ticket. This can be useful if all addresses a
|
|
client can use can't be automatically figured out. One such example is
|
|
if the client is behind a firewall. Also settable via
|
|
.Li libdefaults/extra_addresses
|
|
in
|
|
.Xr krb5.conf 5 .
|
|
.It Xo
|
|
.Fl -no-addresses
|
|
.Xc
|
|
Request a ticket with no addresses.
|
|
.It Xo
|
|
.Fl -anonymous
|
|
.Xc
|
|
Request an anonymous ticket (which means that the ticket will be
|
|
issued to an anonymous principal, typically
|
|
.Dq anonymous@REALM ) .
|
|
.El
|
|
.Pp
|
|
The following options are only available if
|
|
.Nm
|
|
has been compiled with support for Kerberos 4.
|
|
.Bl -tag -width Ds
|
|
.It Xo
|
|
.Fl 4 ,
|
|
.Fl -524init
|
|
.Xc
|
|
Try to convert the obtained Kerberos 5 krbtgt to a version 4
|
|
compatible ticket. It will store this ticket in the default Kerberos 4
|
|
ticket file.
|
|
.It Xo
|
|
.Fl 9 ,
|
|
.Fl -524convert
|
|
.Xc
|
|
only convert ticket to version 4
|
|
.It Fl -afslog
|
|
Gets AFS tickets, converts them to version 4 format, and stores them
|
|
in the kernel. Only useful if you have AFS.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Ar forwardable ,
|
|
.Ar proxiable ,
|
|
.Ar ticket_life ,
|
|
and
|
|
.Ar renewable_life
|
|
options can be set to a default value from the
|
|
.Dv appdefaults
|
|
section in krb5.conf, see
|
|
.Xr krb5_appdefault 3 .
|
|
.Pp
|
|
If a
|
|
.Ar command
|
|
is given,
|
|
.Nm kinit
|
|
will setup new credentials caches, and AFS PAG, and then run the given
|
|
command. When it finishes the credentials will be removed.
|
|
.Sh ENVIRONMENT
|
|
.Bl -tag -width Ds
|
|
.It Ev KRB5CCNAME
|
|
Specifies the default credentials cache.
|
|
.It Ev KRB5_CONFIG
|
|
The file name of
|
|
.Pa krb5.conf
|
|
, the default being
|
|
.Pa /etc/krb5.conf .
|
|
.It Ev KRBTKFILE
|
|
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
|
|
.El
|
|
.\".Sh FILES
|
|
.\".Sh EXAMPLES
|
|
.\".Sh DIAGNOSTICS
|
|
.Sh SEE ALSO
|
|
.Xr kdestroy 1 ,
|
|
.Xr klist 1 ,
|
|
.Xr krb5_appdefault 3 ,
|
|
.Xr krb5.conf 5
|
|
.\".Sh STANDARDS
|
|
.\".Sh HISTORY
|
|
.\".Sh AUTHORS
|
|
.\".Sh BUGS
|