kinit(1)
NAME
kinit - obtain and cache Kerberos ticket-granting ticket
SYNOPSIS
/usr/bin/kinit [-AfpRv] [-c cache_name] [-k [-t keytab_file]]
[-l lifetime] [-r renewable_life] [-s start_time]
[-S service_name] [principal]
DESCRIPTION
The kinit command is used to obtain and cache an initial
ticket-granting ticket (credential) for principal. This
ticket is used for authentication by the Kerberos system.
Notice that only users with Kerberos principals can use the
Kerberos system. For information about Kerberos principals,
see SEAM(5).
When you use kinit without options, the utility prompts for
your principal and Kerberos password, and tries to authenticate
your login with the local Kerberos server. The principal
can be specified on the command line if desired.
If Kerberos authenticates the login attempt, kinit retrieves
your initial ticket-granting ticket and puts it in the
ticket cache. By default your ticket will be stored in the
file /tmp/krb5cc_uid, where uid specifies your user
identification number. Tickets expire after a specified lifetime,
after which kinit must be run again. Any existing contents
of the cache are destroyed by kinit.
Values specified in the command line override the values
specified in the Kerberos configuration file for lifetime
and renewable_life.
The kdestroy(1) command may be used to destroy any active
tickets before you end your login session.
OPTIONS
The following options are supported:
-A Requests address-less tickets.
-c cache_name
Uses cache_name as the credentials (ticket) cache name
and location. If this option is not used, the default
cache name and location are used.
-f Requests forwardable tickets.
-k [-t keytab_file]
Requests a host ticket, obtained from a key in the
local host's keytab file. The name and location of the
keytab file may be specified with the -t keytab_file
option; otherwise the default name and location will
be used.
-l lifetime
Requests a ticket with the lifetime lifetime. If the
-l option is not specified, the default ticket lifetime
(configured by each site) is used. Specifying a
ticket lifetime longer than the maximum ticket lifetime
(configured by each site) results in a ticket
with the maximum lifetime. See the Time Formats section
for the valid time duration formats that you can
specify for lifetime. See kdc.conf(4) and kadmin(1M)
(use the getprinc command to verify the lifetime values
for the server principal).
The lifetime of the tickets returned will be the
minimum of the following:
o Value specified in the command line.
o Value specified in the KDC configuration file.
o Value specified in the Kerberos database for
the server principal. In the case of kinit, it
is krbtgt/realm name.
o Value specified in the Kerberos database for the
user principal.
-p Requests proxiable tickets.
-r renewable_life
Requests renewable tickets, with a total lifetime of
renewable_life. See the Time Formats section for the
valid time duration formats that you can specify for
renewable_life. See kdc.conf(4) and kadmin(1M) (use the
getprinc command to verify the lifetime values for the
server principal).
The renewable lifetime of the tickets returned will be
the minimum of the following:
o Value specified in the command line.
o Value specified in the KDC configuration file.
o Value specified in the Kerberos database for
the server principal. In the case of kinit, it
is krbtgt/realm name.
o Value specified in the Kerberos database for the
user principal.
-R Requests renewal of the ticket-granting ticket. Notice
that an expired ticket cannot be renewed, even if the
ticket is still within its renewable life.
-s start_time
Requests a postdated ticket, valid starting at
start_time. Postdated tickets are issued with the
invalid flag set, and need to be fed back to the KDC
before use. See the Time Formats section for either
the valid absolute time or time duration formats that
you can specify for start_time. kinit attempts to
match an absolute time first before trying to match a
time duration.
-S service_name
Specifies an alternate service name to use when getting
initial tickets.
-v Requests that the ticket-granting ticket in the cache
(with the invalid flag set) be passed to the KDC for
validation. If the ticket is within its requested time
range, the cache is replaced with the validated
ticket.
Time Formats
The following absolute time formats can be used for the -s
start_time option. The examples are based on the date and
time of July 2, 1999, 1:35:30 p.m.
____________________________________________________________
| Absolute Time Format | Example |
| yymmddhhmm[ss] | 990702133530 |
| hhmm[ss] | 133530 |
| yy.mm.dd.hh.mm.ss | 99:07:02:13:35:30 |
| hh:mm[:ss] | 13:35:30 |
| ldate:ltime | 07-07-99:13:35:30 |
| dd-month-yyyy:hh:mm[:ss] | 02-july-1999:13:35:30 |
|_____________________________|_____________________________|
Variable    Description
dd          day
hh          hour (24-hour clock)
mm          minutes
ss          seconds
yy          year within century (0-68 is 2000 to 2068; 69-99 is 1969 to 1999)
yyyy        year including century
month       locale's full or abbreviated month name
ldate       locale's appropriate date representation
ltime       locale's appropriate time representation
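The absolute formats above, combined with the -s rule that an absolute time is tried before a time duration, as an added Python sketch (not part of kinit or of this manual page). parse_absolute, pivot_year and classify_start_time are hypothetical names; the locale-dependent ldate:ltime form is left out, month names are assumed to be English, and time-only values are assumed to take today's date.

```python
import re
from datetime import datetime

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
T = r"(?P<hh>\d\d):(?P<mi>\d\d)(?::(?P<ss>\d\d))?"  # hh:mm[:ss]
# Locale-independent absolute formats from the table, in table order.
ABSOLUTE = [re.compile(p, re.I) for p in (
    r"(?P<yy>\d\d)(?P<mo>\d\d)(?P<dd>\d\d)(?P<hh>\d\d)(?P<mi>\d\d)(?P<ss>\d\d)?",
    r"(?P<hh>\d\d)(?P<mi>\d\d)(?P<ss>\d\d)?",
    # The table's format column uses dots and its example uses colons;
    # this sketch accepts either separator.
    r"(?P<yy>\d\d)[.:](?P<mo>\d\d)[.:](?P<dd>\d\d)[.:]"
    r"(?P<hh>\d\d)[.:](?P<mi>\d\d)[.:](?P<ss>\d\d)",
    T,
    r"(?P<dd>\d\d)-(?P<mon>[a-z]+)-(?P<yyyy>\d{4}):" + T,
)]


def pivot_year(yy):
    """Two-digit year rule from the table: 0-68 is 2000-2068, 69-99 is 1969-1999."""
    return 2000 + yy if yy <= 68 else 1900 + yy


def parse_absolute(text, today):
    """Return a datetime if text matches an absolute format, else None."""
    for pattern in ABSOLUTE:
        m = pattern.fullmatch(text)
        if not m:
            continue
        g = m.groupdict()
        try:
            year = (int(g["yyyy"]) if g.get("yyyy") else
                    pivot_year(int(g["yy"])) if g.get("yy") else today.year)
            month = (MONTHS.index(g["mon"][:3].lower()) + 1 if g.get("mon")
                     else int(g.get("mo") or today.month))
            return datetime(year, month, int(g.get("dd") or today.day),
                            int(g["hh"]), int(g["mi"]), int(g.get("ss") or 0))
        except ValueError:
            continue  # out-of-range field or unknown month: try the next format
    return None


def classify_start_time(text, today):
    """Documented order for -s: absolute time first, time duration second."""
    when = parse_absolute(text, today)
    return ("absolute", when) if when is not None else ("try-duration", None)
```

A value such as 13:35:30 is classified as a time of day here, although it also fits the hours:mm[:ss] duration format, so an offset meant as "13 hours 35 minutes" is safer written as 13h35m30s.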
The following time duration formats can be used for the -l
lifetime, -r renewable_life, and -s start_time options. The
examples are based on the time duration of 14 days, 7 hours,
5 minutes, and 30 seconds.
____________________________________________________________
| Time Duration Format | Example |
| #d | 14d |
| #h | 7h |
| #m | 5m |
| #s | 30s |
| #d#h#m#s | 14d7h5m30s |
| #h#m[#s] | 7h5m30s |
| days-hh:mm:ss | 14-07:05:30 |
| hours:mm[:ss] | 7:05:30 |
|_____________________________|_____________________________|
Delimiter   Description
d           number of days
h           number of hours
m           number of minutes
s           number of seconds

Variable    Description
#           number
days        number of days
hours       number of hours
hh          hour (24-hour clock)
mm          minutes
ss          seconds
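An added Python sketch (not kinit's own code) that converts the time duration formats above to seconds and applies the minimum rule described under -l and -r. parse_duration and effective_lifetime are hypothetical names, and the four input values are constructed.

```python
import re

# One pattern per family of time duration formats in the table above.
_DURATION_PATTERNS = [
    # #d, #h, #m, #s, #d#h#m#s, #h#m[#s]. This sketch also accepts other
    # descending-order subsets (e.g. 14d5m) that the table does not list.
    re.compile(r"(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?"),
    # days-hh:mm:ss
    re.compile(r"(?P<d>\d+)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)"),
    # hours:mm[:ss]
    re.compile(r"(?P<h>\d+):(?P<m>\d\d)(?::(?P<s>\d\d))?"),
]


def parse_duration(text):
    """Return the duration in seconds; raise ValueError if no format matches."""
    for pattern in _DURATION_PATTERNS:
        match = pattern.fullmatch(text)
        # The first pattern also matches the empty string, so require a field.
        if match and any(match.groupdict().values()):
            f = {k: int(v or 0) for k, v in match.groupdict().items()}
            return (f.get("d", 0) * 86400 + f.get("h", 0) * 3600
                    + f.get("m", 0) * 60 + f.get("s", 0))
    raise ValueError(f"not a recognised time duration: {text!r}")


def effective_lifetime(requested, kdc_conf, tgs_principal, user_principal):
    """Seconds granted: the minimum of the four values listed under -l."""
    return min(parse_duration(v)
               for v in (requested, kdc_conf, tgs_principal, user_principal))


if __name__ == "__main__":
    # Constructed values: -l request, KDC configuration file,
    # krbtgt/realm principal, user principal.
    print(effective_lifetime("14d7h5m30s", "1-00:00:00", "10h", "8:00:00"))
```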
ENVIRONMENT VARIABLES
kinit uses the following environment variable:
KRB5CCNAME
Location of the credentials (ticket) cache.
FILES
/tmp/krb5cc_uid
Default credentials cache (uid is the decimal UID of
the user).
/etc/krb5/krb5.keytab
Default location for the local host's keytab file.
/etc/krb5/krb5.conf
Default location for the local host's configuration
file. See krb5.conf(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWkrbu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
kdestroy(1), klist(1), kadmin(1M), kdc.conf(4),
krb5.conf(4), attributes(5), SEAM(5)
AUTHORS
Steve Miller, MIT Project Athena/Digital Equipment Corporation;
Clifford Neuman, MIT Project Athena