KIMPERSONATE(8) BSD System Manager's Manual KIMPERSONATE(8)
NAME
kimpersonate -- impersonate a user when there exists a srvtab, keyfile or KeyFile
SYNOPSIS
kimpersonate [-s string | --server=string] [-c string | --client=string] [-k string | --keytab=string] [-5 | --krb5]
[-e integer | --expire-time=integer] [-a string | --client-address=string] [-t string | --enc-type=string]
[-f string | --ticket-flags=string] [--verbose] [--version] [--help]
DESCRIPTION
The kimpersonate program creates a "fake" ticket using the service-key of the service. The service key can be read from a Kerberos 5 keytab,
AFS KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
Supported options:
-s string, --server=string
name of server principal
-c string, --client=string
name of client principal
-k string, --keytab=string
name of keytab file
-5, --krb5
create a Kerberos 5 ticket
-e integer, --expire-time=integer
lifetime of ticket in seconds
-a string, --client-address=string
address of client
-t string, --enc-type=string
encryption type
-f string, --ticket-flags=string
ticket flags for krb5 ticket
--verbose
Verbose output
--version
Print version
--help
FILES
Uses /etc/krb5.keytab, /etc/srvtab and /usr/afs/etc/KeyFile when available and the -k option is used with an appropriate prefix.
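Since kimpersonate needs only the service key to create a ticket for any client principal, read access to these files should be limited to the owning account. The following permission audit is an added example, not part of the Heimdal distribution; the function names key_file_status and audit_key_files are hypothetical, and only the three paths come from this page.

```sh
#!/bin/sh
# Added example (not from the Heimdal distribution).
# Flags key files that group or other can access via mode bits.
# ACLs and SELinux labels are not inspected.

# key_file_status PATH -> prints missing|ok|exposed; returns 1 only for exposed
key_file_status() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    # POSIX ls -l mode string, e.g. "-rw-r-----": columns 5-10 hold the
    # group and other permission bits. -L follows a symlinked key file.
    perms=$(ls -ldL -- "$f" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "ok"; return 0
    fi
    echo "exposed"; return 1
}

# audit_key_files PATH... -> one status line per file; returns 1 if any exposed
audit_key_files() {
    rc=0
    for f in "$@"; do
        st=$(key_file_status "$f") || rc=1
        printf '%-8s %s\n' "$st" "$f"
    done
    return "$rc"
}

# Default paths are the ones in the FILES section above.
audit_key_files /etc/krb5.keytab /etc/srvtab /usr/afs/etc/KeyFile ||
    echo "restrict files marked 'exposed' to their owner (chmod 600)"
```

A keytab owned by a dedicated service account passes this check as long as group and other have no access.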
EXAMPLES
kimpersonate can be used in samba root preexec option or for debugging.
kimpersonate -s host/hummel.e.kth.se@E.KTH.SE -c lha@E.KTH.SE -5
will create a Kerberos 5 ticket for lha@E.KTH.SE for the host hummel.e.kth.se if there exists a keytab entry for it in /etc/krb5.keytab.
SEE ALSO
kinit(1), klist(1)
AUTHORS
Love Hornquist Astrand <lha@kth.se>
Heimdal September 18, 2006 Heimdal
KINIT(1) BSD General Commands Manual KINIT(1)
NAME
kinit -- acquire initial tickets
SYNOPSIS
kinit [--afslog] [-c cachename | --cache=cachename] [-f | --no-forwardable] [-t keytabname | --keytab=keytabname] [-l time | --lifetime=time]
[-p | --proxiable] [-R | --renew] [--renewable] [-r time | --renewable-life=time] [-S principal | --server=principal] [-s time |
--start-time=time] [-k | --use-keytab] [-v | --validate] [-e enctypes | --enctypes=enctypes] [-a addresses |
--extra-addresses=addresses] [--password-file=filename] [--fcache-version=version-number] [-A | --no-addresses] [--anonymous]
[--enterprise] [--version] [--help] [principal [command]]
DESCRIPTION
kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name
at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.
Supported options:
-c cachename, --cache=cachename
The credentials cache to put the acquired ticket in, if other than default.
-f, --no-forwardable
Get a ticket that can be forwarded to another host, or, if the negative flag is used, don't request the forwardable flag.
-t keytabname, --keytab=keytabname
Don't ask for a password, but instead get the key from the specified keytab.
-l time, --lifetime=time
Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like '1h'.
-p, --proxiable
Request tickets with the proxiable flag set.
-R, --renew
Try to renew ticket. The ticket must have the 'renewable' flag set, and must not be expired.
--renewable
The same as --renewable-life, with an infinite time.
-r time, --renewable-life=time
The max renewable ticket life.
-S principal, --server=principal
Get a ticket for a service other than krbtgt/LOCAL.REALM.
-s time, --start-time=time
Obtain a ticket that starts to be valid time (which can really be a generic time specification, like '1h') seconds into the future.
-k, --use-keytab
The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab).
-v, --validate
Try to validate an invalid ticket.
-e enctypes, --enctypes=enctypes
Request tickets with this particular enctype.
--password-file=filename
Read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input.
--fcache-version=version-number
Create a credentials cache of version version-number.
-a addresses, --extra-addresses=addresses
Adds a set of addresses that will, in addition to the system's local addresses, be put in the ticket. This can be useful if all
addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also
settable via libdefaults/extra_addresses in krb5.conf(5).
-A, --no-addresses
Request a ticket with no addresses.
--anonymous
Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically ``anonymous@REALM'').
--enterprise
Parse principal as an enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email-like principals that are stored in the name
part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an
enterprise name is ``lha@e.kth.se@KTH.SE'', and this option is usually used with canonicalize so that the principal returned from the
KDC will typically be the real principal name.
--afslog
Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.
The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf,
see krb5_appdefault(3).
If a command is given, kinit will set up new credentials caches and an AFS PAG, and then run the given command. When it finishes, the
credentials will be removed.
ENVIRONMENT
KRB5CCNAME
Specifies the default credentials cache.
KRB5_CONFIG
The file name of krb5.conf, the default being /etc/krb5.conf.
KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
SEE ALSO
kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5)
HEIMDAL April 25, 2006 HEIMDAL