| blob | f3bbfd6e9d7a7d29a8280c4bab18c5bf5c34f670 |
1 .\" Copyright (c) 1998 - 2003, 2006 Kungliga Tekniska Högskolan
2 .\" (Royal Institute of Technology, Stockholm, Sweden).
3 .\" All rights reserved.
4 .\"
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
7 .\" are met:
8 .\"
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\"
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
15 .\"
16 .\" 3. Neither the name of the Institute nor the names of its contributors
17 .\" may be used to endorse or promote products derived from this software
18 .\" without specific prior written permission.
19 .\"
20 .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 .\" SUCH DAMAGE.
31 .\"
32 .\" $Id$
33 .\"
34 .Dd April 25, 2006
35 .Dt KINIT 1
36 .Os HEIMDAL
37 .Sh NAME
38 .Nm kinit
39 .Nd acquire initial tickets
40 .Sh SYNOPSIS
41 .Nm kinit
42 .Op Fl 4 | Fl -524init
43 .Op Fl 9 | Fl -524convert
44 .Op Fl -afslog
45 .Oo Fl c Ar cachename \*(Ba Xo
46 .Fl -cache= Ns Ar cachename
47 .Xc
48 .Oc
49 .Op Fl f | Fl -forwardable
50 .Oo Fl t Ar keytabname \*(Ba Xo
51 .Fl -keytab= Ns Ar keytabname
52 .Xc
53 .Oc
54 .Oo Fl l Ar time \*(Ba Xo
55 .Fl -lifetime= Ns Ar time
56 .Xc
57 .Oc
58 .Op Fl p | Fl -proxiable
59 .Op Fl R | Fl -renew
60 .Op Fl -renewable
61 .Oo Fl r Ar time \*(Ba Xo
62 .Fl -renewable-life= Ns Ar time
63 .Xc
64 .Oc
65 .Oo Fl S Ar principal \*(Ba Xo
66 .Fl -server= Ns Ar principal
67 .Xc
68 .Oc
69 .Oo Fl s Ar time \*(Ba Xo
70 .Fl -start-time= Ns Ar time
71 .Xc
72 .Oc
73 .Op Fl k | Fl -use-keytab
74 .Op Fl v | Fl -validate
75 .Oo Fl e Ar enctypes \*(Ba Xo
76 .Fl -enctypes= Ns Ar enctypes
77 .Xc
78 .Oc
79 .Oo Fl a Ar addresses \*(Ba Xo
80 .Fl -extra-addresses= Ns Ar addresses
81 .Xc
82 .Oc
83 .Op Fl -password-file= Ns Ar filename
84 .Op Fl -fcache-version= Ns Ar version-number
85 .Op Fl A | Fl -no-addresses
86 .Op Fl -anonymous
87 .Op Fl -version
88 .Op Fl -help
89 .Op Ar principal Op Ar command
90 .Sh DESCRIPTION
91 .Nm
92 is used to authenticate to the Kerberos server as
93 .Ar principal ,
94 or if none is given, a system generated default (typically your login
95 name at the default realm), and acquire a ticket granting ticket that
96 can later be used to obtain tickets for other services.
97 .Pp
98 If you have compiled
99 .Nm kinit
100 with Kerberos 4 support and you have a
101 Kerberos 4 server,
102 .Nm
103 will detect this and get you Kerberos 4 tickets.
104 .Pp
105 Supported options:
106 .Bl -tag -width Ds
107 .It Xo
108 .Fl c Ar cachename
109 .Fl -cache= Ns Ar cachename
110 .Xc
111 The credentials cache to put the acquired ticket in, if other than
112 default.
113 .It Xo
114 .Fl f ,
115 .Fl -forwardable
116 .Xc
117 Get ticket that can be forwarded to another host.
118 .It Xo
119 .Fl t Ar keytabname ,
120 .Fl -keytab= Ns Ar keytabname
121 .Xc
122 Don't ask for a password, but instead get the key from the specified
123 keytab.
124 .It Xo
125 .Fl l Ar time ,
126 .Fl -lifetime= Ns Ar time
127 .Xc
128 Specifies the lifetime of the ticket.
129 The argument can either be in seconds, or a more human readable string
130 like
131 .Sq 1h .
132 .It Xo
133 .Fl p ,
134 .Fl -proxiable
135 .Xc
136 Request tickets with the proxiable flag set.
137 .It Xo
138 .Fl R ,
139 .Fl -renew
140 .Xc
141 Try to renew ticket.
142 The ticket must have the
143 .Sq renewable
144 flag set, and must not be expired.
145 .It Fl -renewable
146 The same as
147 .Fl -renewable-life ,
148 with an infinite time.
149 .It Xo
150 .Fl r Ar time ,
151 .Fl -renewable-life= Ns Ar time
152 .Xc
153 The max renewable ticket life.
154 .It Xo
155 .Fl S Ar principal ,
156 .Fl -server= Ns Ar principal
157 .Xc
158 Get a ticket for a service other than krbtgt/LOCAL.REALM.
159 .It Xo
160 .Fl s Ar time ,
161 .Fl -start-time= Ns Ar time
162 .Xc
163 Obtain a ticket that starts to be valid
164 .Ar time
165 (which can really be a generic time specification, like
166 .Sq 1h )
167 seconds into the future.
168 .It Xo
169 .Fl k ,
170 .Fl -use-keytab
171 .Xc
172 The same as
173 .Fl -keytab ,
174 but with the default keytab name (normally
175 .Ar FILE:/etc/krb5.keytab ) .
176 .It Xo
177 .Fl v ,
178 .Fl -validate
179 .Xc
180 Try to validate an invalid ticket.
181 .It Xo
182 .Fl e ,
183 .Fl -enctypes= Ns Ar enctypes
184 .Xc
185 Request tickets with this particular enctype.
186 .It Xo
187 .Fl -password-file= Ns Ar filename
188 .Xc
189 read the password from the first line of
190 .Ar filename .
191 If the
192 .Ar filename
193 is
194 .Ar STDIN ,
195 the password will be read from the standard input.
196 .It Xo
197 .Fl -fcache-version= Ns Ar version-number
198 .Xc
199 Create a credentials cache of version
200 .Ar version-number .
201 .It Xo
202 .Fl a ,
203 .Fl -extra-addresses= Ns Ar enctypes
204 .Xc
205 Adds a set of addresses that will, in addition to the systems local
206 addresses, be put in the ticket.
207 This can be useful if all addresses a client can use can't be
208 automatically figured out.
209 One such example is if the client is behind a firewall.
210 Also settable via
211 .Li libdefaults/extra_addresses
212 in
213 .Xr krb5.conf 5 .
214 .It Xo
215 .Fl A ,
216 .Fl -no-addresses
217 .Xc
218 Request a ticket with no addresses.
219 .It Xo
220 .Fl -anonymous
221 .Xc
222 Request an anonymous ticket (which means that the ticket will be
223 issued to an anonymous principal, typically
224 .Dq anonymous@REALM ) .
225 .El
226 .Pp
227 The following options are only available if
228 .Nm
229 has been compiled with support for Kerberos 4.
230 .Bl -tag -width Ds
231 .It Xo
232 .Fl 4 ,
233 .Fl -524init
234 .Xc
235 Try to convert the obtained Kerberos 5 krbtgt to a version 4
236 compatible ticket.
237 It will store this ticket in the default Kerberos 4 ticket file.
238 .It Xo
239 .Fl 9 ,
240 .Fl -524convert
241 .Xc
242 only convert ticket to version 4
243 .It Fl -afslog
244 Gets AFS tickets, converts them to version 4 format, and stores them
245 in the kernel.
246 Only useful if you have AFS.
247 .El
248 .Pp
249 The
250 .Ar forwardable ,
251 .Ar proxiable ,
252 .Ar ticket_life ,
253 and
254 .Ar renewable_life
255 options can be set to a default value from the
256 .Dv appdefaults
257 section in krb5.conf, see
258 .Xr krb5_appdefault 3 .
259 .Pp
260 If a
261 .Ar command
262 is given,
263 .Nm
264 will set up new credentials caches, and AFS PAG, and then run the given
265 command.
266 When it finishes the credentials will be removed.
267 .Sh ENVIRONMENT
268 .Bl -tag -width Ds
269 .It Ev KRB5CCNAME
270 Specifies the default credentials cache.
271 .It Ev KRB5_CONFIG
272 The file name of
273 .Pa krb5.conf ,
274 the default being
275 .Pa /etc/krb5.conf .
276 .It Ev KRBTKFILE
277 Specifies the Kerberos 4 ticket file to store version 4 tickets in.
278 .El
279 .\".Sh FILES
280 .\".Sh EXAMPLES
281 .\".Sh DIAGNOSTICS
282 .Sh SEE ALSO
283 .Xr kdestroy 1 ,
284 .Xr klist 1 ,
285 .Xr krb5_appdefault 3 ,
286 .Xr krb5.conf 5
287 .\".Sh STANDARDS
288 .\".Sh HISTORY
289 .\".Sh AUTHORS
290 .\".Sh BUGS