Home Explore Help
Register Sign In
client_service
/
voice-gateway
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: ae246bcdcf
Branches Tags
voice-gateway
/
miniconda3
/
pkgs
/
krb5-1.20.1-h143b758_1
/
share
/
man
/
man1
/
kinit.1

kinit.1 8.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259 
  1. .\" Man page generated from reStructuredText.
    2. 

  2. .
    3. 

  3. .TH "KINIT" "1" " " "1.20.1" "MIT Kerberos"
    4. 

  4. .SH NAME
    5. 

  5. kinit \- obtain and cache Kerberos ticket-granting ticket
    6. 

  6. .
    7. 

  7. .nr rst2man-indent-level 0
    8. 

  8. .
    9. 

  9. .de1 rstReportMargin
    10. 

  10. \\$1 \\n[an-margin]
    11. 

  11. level \\n[rst2man-indent-level]
    12. 

  12. level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
    13. 

  13. -
    14. 

  14. \\n[rst2man-indent0]
    15. 

  15. \\n[rst2man-indent1]
    16. 

  16. \\n[rst2man-indent2]
    17. 

  17. ..
    18. 

  18. .de1 INDENT
    19. 

  19. .\" .rstReportMargin pre:
    20. 

  20. . RS \\$1
    21. 

  21. . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
    22. 

  22. . nr rst2man-indent-level +1
    23. 

  23. .\" .rstReportMargin post:
    24. 

  24. ..
    25. 

  25. .de UNINDENT
    26. 

  26. . RE
    27. 

  27. .\" indent \\n[an-margin]
    28. 

  28. .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
    29. 

  29. .nr rst2man-indent-level -1
    30. 

  30. .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
    31. 

  31. .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
    32. 

  32. ..
    33. 

  33. .SH SYNOPSIS
    34. 

  34. .sp
    35. 

  35. \fBkinit\fP
    36. 

  36. [\fB\-V\fP]
    37. 

  37. [\fB\-l\fP \fIlifetime\fP]
    38. 

  38. [\fB\-s\fP \fIstart_time\fP]
    39. 

  39. [\fB\-r\fP \fIrenewable_life\fP]
    40. 

  40. [\fB\-p\fP | \-\fBP\fP]
    41. 

  41. [\fB\-f\fP | \-\fBF\fP]
    42. 

  42. [\fB\-a\fP]
    43. 

  43. [\fB\-A\fP]
    44. 

  44. [\fB\-C\fP]
    45. 

  45. [\fB\-E\fP]
    46. 

  46. [\fB\-v\fP]
    47. 

  47. [\fB\-R\fP]
    48. 

  48. [\fB\-k\fP [\fB\-i\fP | \-\fBt\fP \fIkeytab_file\fP]]
    49. 

  49. [\fB\-c\fP \fIcache_name\fP]
    50. 

  50. [\fB\-n\fP]
    51. 

  51. [\fB\-S\fP \fIservice_name\fP]
    52. 

  52. [\fB\-I\fP \fIinput_ccache\fP]
    53. 

  53. [\fB\-T\fP \fIarmor_ccache\fP]
    54. 

  54. [\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
    55. 

  55. [\fB\-\-request\-pac\fP | \fB\-\-no\-request\-pac\fP]
    56. 

  56. [\fIprincipal\fP]
    57. 

  57. .SH DESCRIPTION
    58. 

  58. .sp
    59. 

  59. kinit obtains and caches an initial ticket\-granting ticket for
    60. 

  60. \fIprincipal\fP\&.  If \fIprincipal\fP is absent, kinit chooses an appropriate
    61. 

  61. principal name based on existing credential cache contents or the
    62. 

  62. local username of the user invoking kinit.  Some options modify the
    63. 

  63. choice of principal name.
    64. 

  64. .SH OPTIONS
    65. 

  65. .INDENT 0.0
    66. 

  66. .TP
    67. 

  67. \fB\-V\fP
    68. 

  68. display verbose output.
    69. 

  69. .TP
    70. 

  70. \fB\-l\fP \fIlifetime\fP
    71. 

  71. (duration string.)  Requests a ticket with the lifetime
    72. 

  72. \fIlifetime\fP\&.
    73. 

  73. .sp
    74. 

  74. For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&.
    75. 

  75. .sp
    76. 

  76. If the \fB\-l\fP option is not specified, the default ticket lifetime
    77. 

  77. (configured by each site) is used.  Specifying a ticket lifetime
    78. 

  78. longer than the maximum ticket lifetime (configured by each site)
    79. 

  79. will not override the configured maximum ticket lifetime.
    80. 

  80. .TP
    81. 

  81. \fB\-s\fP \fIstart_time\fP
    82. 

  82. (duration string.)  Requests a postdated ticket.  Postdated
    83. 

  83. tickets are issued with the \fBinvalid\fP flag set, and need to be
    84. 

  84. resubmitted to the KDC for validation before use.
    85. 

  85. .sp
    86. 

  86. \fIstart_time\fP specifies the duration of the delay before the ticket
    87. 

  87. can become valid.
    88. 

  88. .TP
    89. 

  89. \fB\-r\fP \fIrenewable_life\fP
    90. 

  90. (duration string.)  Requests renewable tickets, with a total
    91. 

  91. lifetime of \fIrenewable_life\fP\&.
    92. 

  92. .TP
    93. 

  93. \fB\-f\fP
    94. 

  94. requests forwardable tickets.
    95. 

  95. .TP
    96. 

  96. \fB\-F\fP
    97. 

  97. requests non\-forwardable tickets.
    98. 

  98. .TP
    99. 

  99. \fB\-p\fP
    100. 

  100. requests proxiable tickets.
    101. 

  101. .TP
    102. 

  102. \fB\-P\fP
    103. 

  103. requests non\-proxiable tickets.
    104. 

  104. .TP
    105. 

  105. \fB\-a\fP
    106. 

  106. requests tickets restricted to the host\(aqs local address[es].
    107. 

  107. .TP
    108. 

  108. \fB\-A\fP
    109. 

  109. requests tickets not restricted by address.
    110. 

  110. .TP
    111. 

  111. \fB\-C\fP
    112. 

  112. requests canonicalization of the principal name, and allows the
    113. 

  113. KDC to reply with a different client principal from the one
    114. 

  114. requested.
    115. 

  115. .TP
    116. 

  116. \fB\-E\fP
    117. 

  117. treats the principal name as an enterprise name.
    118. 

  118. .TP
    119. 

  119. \fB\-v\fP
    120. 

  120. requests that the ticket\-granting ticket in the cache (with the
    121. 

  121. \fBinvalid\fP flag set) be passed to the KDC for validation.  If the
    122. 

  122. ticket is within its requested time range, the cache is replaced
    123. 

  123. with the validated ticket.
    124. 

  124. .TP
    125. 

  125. \fB\-R\fP
    126. 

  126. requests renewal of the ticket\-granting ticket.  Note that an
    127. 

  127. expired ticket cannot be renewed, even if the ticket is still
    128. 

  128. within its renewable life.
    129. 

  129. .sp
    130. 

  130. Note that renewable tickets that have expired as reported by
    131. 

  131. klist(1) may sometimes be renewed using this option,
    132. 

  132. because the KDC applies a grace period to account for client\-KDC
    133. 

  133. clock skew.  See krb5.conf(5) \fBclockskew\fP setting.
    134. 

  134. .TP
    135. 

  135. \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
    136. 

  136. requests a ticket, obtained from a key in the local host\(aqs keytab.
    137. 

  137. The location of the keytab may be specified with the \fB\-t\fP
    138. 

  138. \fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use
    139. 

  139. of the default client keytab; otherwise the default keytab will be
    140. 

  140. used.  By default, a host ticket for the local host is requested,
    141. 

  141. but any principal may be specified.  On a KDC, the special keytab
    142. 

  142. location \fBKDB:\fP can be used to indicate that kinit should open
    143. 

  143. the KDC database and look up the key directly.  This permits an
    144. 

  144. administrator to obtain tickets as any principal that supports
    145. 

  145. authentication based on the key.
    146. 

  146. .TP
    147. 

  147. \fB\-n\fP
    148. 

  148. Requests anonymous processing.  Two types of anonymous principals
    149. 

  149. are supported.
    150. 

  150. .sp
    151. 

  151. For fully anonymous Kerberos, configure pkinit on the KDC and
    152. 

  152. configure \fBpkinit_anchors\fP in the client\(aqs krb5.conf(5)\&.
    153. 

  153. Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP
    154. 

  154. (an empty principal name followed by the at\-sign and a realm
    155. 

  155. name).  If permitted by the KDC, an anonymous ticket will be
    156. 

  156. returned.
    157. 

  157. .sp
    158. 

  158. A second form of anonymous tickets is supported; these
    159. 

  159. realm\-exposed tickets hide the identity of the client but not the
    160. 

  160. client\(aqs realm.  For this mode, use \fBkinit \-n\fP with a normal
    161. 

  161. principal name.  If supported by the KDC, the principal (but not
    162. 

  162. realm) will be replaced by the anonymous principal.
    163. 

  163. .sp
    164. 

  164. As of release 1.8, the MIT Kerberos KDC only supports fully
    165. 

  165. anonymous operation.
    166. 

  166. .UNINDENT
    167. 

  167. .sp
    168. 

  168. \fB\-I\fP \fIinput_ccache\fP
    169. 

  169. .INDENT 0.0
    170. 

  170. .INDENT 3.5
    171. 

  171. Specifies the name of a credentials cache that already contains a
    172. 

  172. ticket.  When obtaining that ticket, if information about how that
    173. 

  173. ticket was obtained was also stored to the cache, that information
    174. 

  174. will be used to affect how new credentials are obtained, including
    175. 

  175. preselecting the same methods of authenticating to the KDC.
    176. 

  176. .UNINDENT
    177. 

  177. .UNINDENT
    178. 

  178. .INDENT 0.0
    179. 

  179. .TP
    180. 

  180. \fB\-T\fP \fIarmor_ccache\fP
    181. 

  181. Specifies the name of a credentials cache that already contains a
    182. 

  182. ticket.  If supported by the KDC, this cache will be used to armor
    183. 

  183. the request, preventing offline dictionary attacks and allowing
    184. 

  184. the use of additional preauthentication mechanisms.  Armoring also
    185. 

  185. makes sure that the response from the KDC is not modified in
    186. 

  186. transit.
    187. 

  187. .TP
    188. 

  188. \fB\-c\fP \fIcache_name\fP
    189. 

  189. use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache
    190. 

  190. location.  If this option is not used, the default cache location
    191. 

  191. is used.
    192. 

  192. .sp
    193. 

  193. The default cache location may vary between systems.  If the
    194. 

  194. \fBKRB5CCNAME\fP environment variable is set, its value is used to
    195. 

  195. locate the default cache.  If a principal name is specified and
    196. 

  196. the type of the default cache supports a collection (such as the
    197. 

  197. DIR type), an existing cache containing credentials for the
    198. 

  198. principal is selected or a new one is created and becomes the new
    199. 

  199. primary cache.  Otherwise, any existing contents of the default
    200. 

  200. cache are destroyed by kinit.
    201. 

  201. .TP
    202. 

  202. \fB\-S\fP \fIservice_name\fP
    203. 

  203. specify an alternate service name to use when getting initial
    204. 

  204. tickets.
    205. 

  205. .TP
    206. 

  206. \fB\-X\fP \fIattribute\fP[=\fIvalue\fP]
    207. 

  207. specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be
    208. 

  208. interpreted by pre\-authentication modules.  The acceptable
    209. 

  209. attribute and value values vary from module to module.  This
    210. 

  210. option may be specified multiple times to specify multiple
    211. 

  211. attributes.  If no value is specified, it is assumed to be "yes".
    212. 

  212. .sp
    213. 

  213. The following attributes are recognized by the PKINIT
    214. 

  214. pre\-authentication mechanism:
    215. 

  215. .INDENT 7.0
    216. 

  216. .TP
    217. 

  217. \fBX509_user_identity\fP=\fIvalue\fP
    218. 

  218. specify where to find user\(aqs X509 identity information
    219. 

  219. .TP
    220. 

  220. \fBX509_anchors\fP=\fIvalue\fP
    221. 

  221. specify where to find trusted X509 anchor information
    222. 

  222. .TP
    223. 

  223. \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP]
    224. 

  224. specify use of RSA, rather than the default Diffie\-Hellman
    225. 

  225. protocol
    226. 

  226. .TP
    227. 

  227. \fBdisable_freshness\fP[\fB=yes\fP]
    228. 

  228. disable sending freshness tokens (for testing purposes only)
    229. 

  229. .UNINDENT
    230. 

  230. .TP
    231. 

  231. \fB\-\-request\-pac\fP | \fB\-\-no\-request\-pac\fP
    232. 

  232. mutually exclusive.  If \fB\-\-request\-pac\fP is set, ask the KDC to
    233. 

  233. include a PAC in authdata; if \fB\-\-no\-request\-pac\fP is set, ask the
    234. 

  234. KDC not to include a PAC; if neither are set,  the KDC will follow
    235. 

  235. its default, which is typically is to include a PAC if doing so is
    236. 

  236. supported.
    237. 

  237. .UNINDENT
    238. 

  238. .SH ENVIRONMENT
    239. 

  239. .sp
    240. 

  240. See kerberos(7) for a description of Kerberos environment
    241. 

  241. variables.
    242. 

  242. .SH FILES
    243. 

  243. .INDENT 0.0
    244. 

  244. .TP
    245. 

  245. .B \fBFILE:/tmp/krb5cc_%{uid}\fP
    246. 

  246. default location of Kerberos 5 credentials cache
    247. 

  247. .TP
    248. 

  248. .B \fBFILE:/etc/krb5.keytab\fP
    249. 

  249. default location for the local host\(aqs keytab.
    250. 

  250. .UNINDENT
    251. 

  251. .SH SEE ALSO
    252. 

  252. .sp
    253. 

  253. klist(1), kdestroy(1), kerberos(7)
    254. 

  254. .SH AUTHOR
    255. 

  255. MIT
    256. 

  256. .SH COPYRIGHT
    257. 

  257. 1985-2022, MIT
    258. 

  258. .\" Generated by docutils manpage writer.
    259. 

  259. .
    260.