OpenSolaris 2009.06 - man page for kinit (opensolaris section 1)

kinit(1)				  User Commands 				 kinit(1)

NAME
       kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
       /usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name]
            [-k [-t keytab_file]] [-l lifetime]
            [-r renewable_life] [-s start_time] [-S service_name]
            [-X attribute[=value]] [principal]

DESCRIPTION
       The  kinit  command is used to obtain and cache an initial ticket-granting ticket (creden-
       tial) for principal. This ticket is used for authentication by the Kerberos  system.  Only
       users with Kerberos principals can use the Kerberos system. For information about Kerberos
       principals, see kerberos(5).

       When you use kinit without options, the utility prompts for your  principal  and  Kerberos
       password, and tries to authenticate your login with the local Kerberos server. The princi-
       pal can be specified on the command line if desired.

       If Kerberos authenticates the login attempt, kinit retrieves your initial  ticket-granting
       ticket  and  puts  it  in  the  ticket cache. By default your ticket is stored in the file
       /tmp/krb5cc_uid, where uid specifies your user identification number. Tickets expire after
       a  specified  lifetime,	after which kinit must be run again. Any existing contents of the
       cache are destroyed by kinit.

       Values specified in the command line override the values specified in the Kerberos config-
       uration file for lifetime and renewable_life.

       The  kdestroy(1)  command  can  be  used to destroy any active tickets before you end your
       login session.

OPTIONS
       The following options are supported:

       -a		       Requests tickets with the local addresses.

       -A		       Requests address-less tickets.

       -c cache_name	       Uses cache_name as the credentials (ticket) cache name  and  loca-
			       tion. If this option is not used, the default cache name and loca-
			       tion are used.

       -f		       Requests forwardable tickets.

       -F		       Not forwardable. Does not request forwardable tickets.

			       Tickets that have been acquired on one  host  cannot  normally  be
			       used  on  another  host.  A  client can request that the ticket be
			       marked forwardable. Once the TKT_FLG_FORWARDABLE flag is set on	a
			       ticket,	the user can use this ticket to request a new ticket, but
			       with a different IP address. Thus, users  can  use  their  current
			       credentials  to	get  credentials  valid  on another machine. This
			       option allows  a  user  to  explicitly  obtain  a  non-forwardable
			       ticket.

       -k [-t keytab_file]     Requests  a  host  ticket, obtained from a key in the local host's
			       keytab file. The name and location of the keytab file can be spec-
			       ified  with the -t keytab_file option. Otherwise, the default name
			       and location is used.

       -l lifetime	       Requests a ticket with the lifetime lifetime. If the -l option  is
			       not  specified,	the  default  ticket lifetime (configured by each
			       site) is used. Specifying a ticket lifetime longer than the  maxi-
			       mum  ticket lifetime (configured by each site) results in a ticket
			       with the maximum lifetime. See the Time Formats	section  for  the
			       valid time duration formats that you can specify for lifetime. See
			       kdc.conf(4) and kadmin(1M) (for getprinc  command  to  verify  the
			       lifetime values for the server principal).

			       The lifetime of the tickets returned is the minimum of the follow-
			       ing:

				   o	  Value specified in the command line.

				   o	  Value specified in the KDC configuration file.

				   o	  Value specified in  the  Kerberos  data  base  for  the
					  server   principal.	In  the  case  of  kinit,  it  is
					  krbtgt/realm name.

				   o	  Value specified in the Kerberos database for	the  user
					  principal.

       -p		       Requests proxiable tickets.

       -P		       Not proxiable. Does not request proxiable tickets.

			       A proxiable ticket is a ticket that allows you to get a ticket for
			       a service with IP addresses other than  the  ones  in  the  Ticket
			       Granting  Ticket. This option allows a user to explicitly obtain a
			       non-proxiable ticket.

       -r renewable_life       Requests renewable  tickets,  with  a  total  lifetime  of  renew-
			       able_life.  See	the Time Formats section for the valid time dura-
			       tion  formats  that  you  can  specify  for  renewable_life.   See
			       kdc.conf(4)  and  kadmin(1M)  (for  getprinc command to verify the
			       lifetime values for the server principal).

			       The renewable lifetime of the tickets returned is the  minimum  of
			       the following:

				   o	  Value specified in the command line.

				   o	  Value specified in the KDC configuration file.

				   o	  Value  specified  in	the  Kerberos  data  base for the
					  server  principal.  In  the  case  of  kinit,   it   is
					  krbtgt/realm name.

				   o	  Value  specified  in the Kerberos database for the user
					  principal.

       -R		       Requests renewal of the ticket-granting	ticket.  Notice  that  an
			       expired	ticket	cannot	be  renewed,  even if the ticket is still
			       within its renewable life.

       -s start_time           Requests a postdated ticket, valid starting at start_time.  Post-
                               dated tickets are issued with the invalid flag set and must be
                               validated by the KDC (see -v) before they can be used. See the
                               Time Formats section for the absolute time and time duration
                               formats accepted for start_time. kinit tries to match an abso-
                               lute time first and only then a time duration.

       -S service_name	       Specifies  an  alternate  service name to use when getting initial
			       tickets.

       -v		       Requests that the ticket granting ticket in the	cache  (with  the
			       invalid	flag  set)  be	passed	to the KDC for validation. If the
			       ticket is within its requested time range, the cache  is  replaced
			       with the validated ticket.

       -V		       Verbose	output. Displays further information to the user, such as
			       confirmation of authentication and version.

       -X attribute[=value]    Specifies a pre-authentication attribute and value to be passed to
			       pre-authentication  plugins.  The  acceptable  attribute and value
			       values vary from pre-authentication plugin to plugin. This  option
			       can be specified multiple times to specify multiple attributes. If
			       no value is specified, it is assumed to be yes.

			       The following attributes are recognized by the OpenSSL pkinit pre-
			       authentication mechanism:

			       X509_user_identity=URI	  Specifies  where  to	find  user's X509
							  identity information.

							  Valid URI types are FILE, DIR,  PKCS11,
							  PKCS12,  and	ENV.  See  the PKINIT URI
							  Types section for details.

			       X509_anchors=URI 	  Specifies where to  find  trusted  X509
							  anchor information.

                                                          Valid URI types are FILE and DIR. See
                                                          the PKINIT URI Types section for
                                                          details.

                               flag_RSA_PROTOCOL[=yes]    Specifies the use of RSA, rather than
                                                          the default Diffie-Hellman protocol.

   PKINIT URI Types
       FILE:file-name[,key-file-name]

	   This option has context-specific behavior.

	   X509_user_identity	 file-name specifies the name of a PEM-format file containing the
				 user's  certificate.  If  key-file-name  is  not  specified, the
				 user's private key is expected to be in file-name as well.  Oth-
				 erwise,  key-file-name  is  the name of the file  containing the
				 private key.

           X509_anchors          file-name is assumed to be the name of an OpenSSL-style ca-bun-
                                 dle file in PEM (base-64 encoded) format.

       DIR:directory-name

	   This option has context-specific behavior.

	   X509_user_identity	 directory-name  specifies a directory with files named *.crt and
				 *.key, where the first part of the file name  is  the	same  for
				 matching pairs of certificate and private key files. When a file
				 with a name ending with .crt is found, a  matching  file  ending
				 with .key is assumed to contain the private key. If no such file
				 is found, then the certificate in the .crt is not used.

           X509_anchors          directory-name is assumed to be an OpenSSL-style hashed CA
                                 directory, where each CA certificate is stored in a file named
                                 hash-of-ca-cert.#. That layout is encouraged but not required:
                                 every file in the directory is examined, and any that contains
                                 certificates in PEM format is used.

       PKCS12:pkcs12-file-name

	   pkcs12-file-name is the name of a PKCS #12 format file, containing the user's certifi-
	   cate and private key.

       PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]

           All keywords and values are optional. PKCS11 modules (for example, opensc-pkcs11.so)
           must be installed as a crypto provider under libpkcs11(3LIB). slotid= and/or token=
           can be specified to force the use of a particular smart card reader or token if more
           than one is available. certid= and/or certlabel= can be specified to force the selec-
           tion of a particular certificate on the device. See the pkinit_cert_match configura-
           tion option for more ways to select a particular certificate to use for pkinit.

       ENV:environment-variable-name

	   environment-variable-name specifies the name of an environment variable which has been
	   set	to a value conforming to one of the previous values. For example, ENV:X509_PROXY,
	   where environment variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
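
   The parser below is an added example; it is not code from this man page or from the Kerberos
   pkinit plugin. It models the FILE, DIR, PKCS12, PKCS11 and ENV forms exactly as the PKINIT
   URI Types section describes them, including the two context rules (X509_anchors accepts only
   FILE and DIR, and FILE takes no key-file-name there), the .crt/.key pairing rule for a DIR
   identity, and ENV as a single level of indirection. The function names, the dict layout and
   the assumption that PKCS11 labels contain no ':' are the example's own.

```python
"""Added example: parser for the PKINIT URI types accepted by kinit -X.

Not code from the man page or from the Kerberos pkinit plugin; a model of
the FILE, DIR, PKCS12, PKCS11 and ENV forms as the PKINIT URI Types section
describes them, with the context rules for X509_user_identity and X509_anchors.
"""
import os

_PKCS11_KEYS = ("slotid", "token", "certid", "certlabel")


def pair_dir_identities(filenames):
    """DIR: for X509_user_identity, pair each *.crt with the *.key that shares
    its basename; a .crt with no matching .key is not used."""
    names = set(filenames)
    pairs = []
    for name in sorted(names):
        if name.endswith(".crt"):
            key = name[:-len(".crt")] + ".key"
            if key in names:
                pairs.append((name, key))
    return pairs


def parse_pkinit_uri(uri, context="X509_user_identity", env=None, depth=0):
    """Return a dict describing `uri`, checked against the -X attribute it is for.

    `env` is the environment consulted for ENV: (defaults to os.environ).
    """
    env = os.environ if env is None else env
    kind, _, rest = uri.partition(":")
    kind = kind.upper()
    if kind == "ENV":
        # The variable must hold one of the *previous* forms, so ENV: does not nest.
        if depth:
            raise ValueError("ENV: may not refer to another ENV: value")
        if rest not in env:
            raise ValueError("environment variable %r is not set" % rest)
        return parse_pkinit_uri(env[rest], context, env, depth + 1)
    if kind in ("FILE", "DIR", "PKCS12") and not rest:
        raise ValueError("%s: needs a path" % kind)
    if kind == "FILE":
        if context == "X509_anchors":
            if "," in rest:
                raise ValueError("X509_anchors FILE: takes one PEM ca-bundle, no key file")
            return {"type": "FILE", "ca_bundle": rest}
        cert, _, key = rest.partition(",")
        # Without key-file-name the private key is expected in the same file.
        return {"type": "FILE", "cert": cert, "key": key or cert}
    if kind == "DIR":
        return {"type": "DIR", "directory": rest}
    if context == "X509_anchors":
        raise ValueError("X509_anchors accepts only FILE: and DIR:, not %s:" % kind)
    if kind == "PKCS12":
        return {"type": "PKCS12", "file": rest}
    if kind == "PKCS11":
        opts = {"type": "PKCS11"}
        for item in filter(None, rest.split(":")):  # assumed: labels contain no ':'
            key, sep, value = item.partition("=")
            if not sep or key not in _PKCS11_KEYS:
                raise ValueError("bad PKCS11 option %r" % item)
            opts[key] = value
        return opts
    raise ValueError("unknown PKINIT URI type %r" % kind)


if __name__ == "__main__":
    demo_env = {"X509_PROXY": "FILE:/tmp/my_proxy.pem"}  # constructed, as in the man page
    print(parse_pkinit_uri("ENV:X509_PROXY", env=demo_env))
    print(parse_pkinit_uri("PKCS11:slotid=1:certlabel=Signing"))
    print(pair_dir_identities(["alice.crt", "alice.key", "bob.crt", "README"]))
```

   A FILE: or PKCS12: identity carries the user's private key, so the file it names should be
   readable only by that user; ENV: merely indirects the name and changes nothing about that.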

   Time Formats
       The following absolute time formats can be used for the -s start_time option. The examples
       are based on the date and time of July 2, 1999, 1:35:30 p.m.

       +-----------------------------------------------------------+
       |   Absolute Time Format            Example                 |
       |yymmddhhmm[ss]                     990702133530            |
       |hhmm[ss]                           133530                  |
       |yy.mm.dd.hh.mm.ss                  99.07.02.13.35.30       |
       |hh:mm[:ss]                         13:35:30                |
       |ldate:ltime                        07/02/99:13:35:30       |
       |dd-month-yyyy:hh:mm[:ss]           02-july-1999:13:35:30   |
       +-----------------------------------------------------------+

       The ldate:ltime example is shown for the C locale; in other locales the date and time
       representations differ.

		Variable			   Description
       dd			     day
       hh			     hour (24-hour clock)

       mm			     minutes
       ss			     seconds
       yy			     year  within  century  (0-68  is 2000 to
				     2068; 69-99 is 1969 to 1999)
       yyyy			     year including century
       month			     locale's full or abbreviated month name
       ldate			     locale's appropriate date representation
       ltime			     locale's appropriate time representation

       The following time duration formats can be used for the -l  lifetime,  -r  renewable_life,
       and  -s	start_time  options.  The  examples  are based on the time duration of 14 days, 7
       hours, 5 minutes, and 30 seconds.

       +-----------------------------------------------------------+
       |   Time Duration Format 		Example 	   |
       |#d			      14d			   |
       |#h			      7h			   |
       |#m			      5m			   |
       |#s			      30s			   |
       |#d#h#m#s		      14d7h5m30s		   |
       |#h#m[#s]		      7h5m30s			   |
       |days-hh:mm:ss		      14-07:05:30		   |
       |hours:mm[:ss]		      7:05:30			   |
       +-----------------------------------------------------------+

		Delimiter		     Description
       d			     number of days
       h			     number of hours
       m			     number of minutes
       s			     number of seconds

		Variable		     Description
       #			     number
       days			     number of days
       hours			     number of hours
       hh			     hour (24-hour clock)
       mm			     minutes
       ss			     seconds

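   The model below is an added example; it is not code from this man page or from the Solaris
   or MIT Kerberos sources. It parses the duration and absolute time formats of the two tables
   above, applies the -s rule that an absolute time is tried before a duration, and encodes the
   two lifetime rules given under -l, -r and -R: the granted lifetime is the minimum of the
   request and every configured cap, and an expired ticket cannot be renewed even inside its
   renewable life. The function names and the EXAMPLE_NOW constant (the tables' reference
   instant) are the example's own; the clamp of a renewed ticket's new endtime to renew_till is
   MIT KDC behaviour assumed here, not something the man page states. ldate:ltime is handled
   through Python's %x and %X for whatever locale is current.

```python
"""Added example: the kinit(1) time formats and lifetime rules, modelled in Python.

Not code from the man page or from Kerberos itself; a reference model of the
rules the -l, -r, -R and -s descriptions and the Time Formats tables state.
"""
import re
from datetime import datetime, timedelta

# Reference instant used by the man page's examples (July 2, 1999, 1:35:30 p.m.).
EXAMPLE_NOW = datetime(1999, 7, 2, 13, 35, 30)

# Duration formats #d, #h, #m, #s, #d#h#m#s, #h#m[#s] ...
_UNITS_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
# ... and days-hh:mm:ss, hours:mm[:ss].
_CLOCK_RE = re.compile(r"^(?:(\d+)-)?(\d+):(\d{2})(?::(\d{2}))?$")


def parse_duration(text):
    """Seconds in a time duration such as '14d7h5m30s' or '14-07:05:30'."""
    text = text.strip()
    m = _UNITS_RE.match(text)
    if text and m:
        d, h, mi, s = (int(g) if g else 0 for g in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    m = _CLOCK_RE.match(text)
    if m:
        d, h, mi, s = m.groups()
        return int(d or 0) * 86400 + int(h) * 3600 + int(mi) * 60 + int(s or 0)
    raise ValueError("not a kinit time duration: %r" % text)


# All-digit absolute formats are fixed width, so they are chosen by length;
# trying them through strptime would let '133530' (hhmmss) match yymmddhhmm.
_DIGIT_FORMATS = {12: "%y%m%d%H%M%S", 10: "%y%m%d%H%M", 6: "%H%M%S", 4: "%H%M"}
# The delimited formats, longest first.  %x:%X is the locale's ldate:ltime.
_DELIMITED_FORMATS = [
    "%y.%m.%d.%H.%M.%S",
    "%d-%B-%Y:%H:%M:%S", "%d-%B-%Y:%H:%M",   # full month name
    "%d-%b-%Y:%H:%M:%S", "%d-%b-%Y:%H:%M",   # abbreviated month name
    "%x:%X", "%x:%H:%M",
    "%H:%M:%S", "%H:%M",
]


def parse_absolute(text, now):
    """datetime for an absolute time; time-only formats take the date from `now`."""
    text = text.strip()
    if text.isdigit():
        formats = [_DIGIT_FORMATS[len(text)]] if len(text) in _DIGIT_FORMATS else []
    else:
        formats = _DELIMITED_FORMATS
    for fmt in formats:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if not any(code in fmt for code in ("%y", "%Y", "%x")):
            parsed = parsed.replace(year=now.year, month=now.month, day=now.day)
        return parsed
    raise ValueError("not a kinit absolute time: %r" % text)


def parse_start_time(text, now):
    """-s start_time: an absolute time is tried before a duration from `now`."""
    try:
        return parse_absolute(text, now)
    except ValueError:
        return now + timedelta(seconds=parse_duration(text))


def effective_lifetime(requested, *caps):
    """Lifetime (or renewable life) actually granted: the minimum of the
    command-line request and every configured cap that is set.  Caps are the
    KDC configuration value and the krbtgt and user principal maxima, in
    seconds, with None for 'not configured'."""
    return min([requested] + [cap for cap in caps if cap is not None])


def renew(now, starttime, endtime, renew_till):
    """-R: renew a ticket-granting ticket.

    Refused once the ticket has expired, even while `now` is still inside
    its renewable life.  The new endtime is `now` plus the original lifetime,
    capped at renew_till; that cap is MIT KDC behaviour assumed here, the man
    page only states the expiry rule."""
    if now >= endtime:
        raise ValueError("ticket has expired and cannot be renewed")
    if now >= renew_till:
        raise ValueError("renewable life exhausted")
    return min(renew_till, now + (endtime - starttime))


if __name__ == "__main__":
    now = EXAMPLE_NOW
    granted = effective_lifetime(parse_duration("10h"), 86400, 36000, None)
    end = now + timedelta(seconds=granted)
    till = now + timedelta(seconds=parse_duration("7d"))
    print("TGT valid until", end, "renewable until", till)
    print("renewed at +5h, new endtime", renew(parse_start_time("5h", now), now, end, till))
    print("postdated start", parse_start_time("02-july-1999:18:00", now))
```

   The length dispatch for the all-digit formats is the one point where a naive strptime loop
   goes wrong: Python's pattern matcher backtracks, so a six-digit hhmmss value would otherwise
   be accepted as a yymmddhhmm date with single-digit fields.
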
ENVIRONMENT VARIABLES
       kinit uses the following environment variable:

       KRB5CCNAME    Location of the credentials (ticket) cache. See krb5envvar(5) for syntax and
		     details.

FILES
       /tmp/krb5cc_uid		Default credentials cache (uid is the decimal UID of the user).

       /etc/krb5/krb5.keytab	Default location for the local host's keytab file.

       /etc/krb5/krb5.conf	Default  location  for	the  local host's configuration file. See
				krb5.conf(4).

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWkrbu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |See below.		   |
       +-----------------------------+-----------------------------+

       The command arguments are Evolving. The command output is Unstable.

SEE ALSO
       kdestroy(1),   klist(1),   kadmin(1M),	ktkt_warnd(1M),   libpkcs11(3LIB),   kdc.conf(4),
       krb5.conf(4), attributes(5), kerberos(5), krb5envvar(5), pam_krb5(5)

NOTES
       On  success,  kinit notifies ktkt_warnd(1M) to alert the user when the initial credentials
       (ticket-granting ticket) are about to expire.

SunOS 5.11				   12 Nov 2008					 kinit(1)