kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.

Supported options:

| Option | Description |
|---|---|
| -c cachename, --cache=cachename | The credentials cache to put the acquired ticket in, if other than default. |
| -f, --no-forwardable | Get a ticket that can be forwarded to another host or, if the negative flag is used, don't request the forwardable flag. |
| -t keytabname, --keytab=keytabname | Don't ask for a password, but instead get the key from the specified keytab. |
| -l time, --lifetime=time | Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like '1h'. |
| -p, --proxiable | Request tickets with the proxiable flag set. |
| -R, --renew | Try to renew the ticket. The ticket must have the 'renewable' flag set, and must not be expired. |
| --renewable | The same as --renewable-life, with an infinite time. |
| -r time, --renewable-life=time | The max renewable ticket life. |
| -S principal, --server=principal | Get a ticket for a service other than krbtgt/LOCAL.REALM. |
| -s time, --start-time=time | Obtain a ticket that starts to be valid time (which can really be a generic time specification, like '1h') seconds into the future. |
| -k, --use-keytab | The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab). |
| -v, --validate | Try to validate an invalid ticket. |
| -e, --enctypes=enctypes | Request tickets with this particular enctype. |
| --password-file=filename | Read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input. |
| --fcache-version=version-number | Create a credentials cache of version version-number. |
| -a, --extra-addresses=enctypes | Adds a set of addresses that will, in addition to the system's local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also settable via libdefaults/extra_addresses in krb5.conf(5). |
| -A, --no-addresses | Request a ticket with no addresses. |
| --anonymous | Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically "anonymous@REALM"). |
| --enterprise | Parse principal as an enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email-like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an enterprise name is "lha@e.kth.se@KTH.SE", and this option is usually used with canonicalize so that the principal returned from the KDC will typically be the real principal name. |
| --afslog | Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS. |

The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf, see krb5_appdefault(3).

If a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command. When it finishes the credentials will be removed.
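
The keytab, forwardable, lifetime and command behaviour described above can be combined to run an unattended job with narrowly scoped credentials. The wrapper below is an added example, not part of the kinit manual; `KINIT`, `MAX_LIFETIME` and the function names are hypothetical, and the principal, keytab path and job are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the kinit manual. KINIT and MAX_LIFETIME are
# hypothetical knobs of this wrapper; principal, keytab and job are placeholders.
KINIT=${KINIT:-kinit}
MAX_LIFETIME=${MAX_LIFETIME:-3600}   # assumed local policy: at most 1 hour

# True only for a regular file with no group/other permission bits: a keytab
# readable by others lets any local user authenticate as its principal.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Converts "600", "600s", "10m" or "1h" to seconds and fails on anything
# else (kinit accepts more formats; this wrapper is deliberately stricter).
lifetime_seconds() {
    case $1 in ''|*[!0-9smh]*) return 1 ;; esac
    n=${1%[smh]}
    case $n in ''|0?*|*[!0-9]*) return 1 ;; esac
    case $1 in
        *h) echo $((n * 3600)) ;;
        *m) echo $((n * 60)) ;;
        *)  echo "$n" ;;
    esac
}

# usage: run_job PRINCIPAL KEYTAB LIFETIME COMMAND [ARG...]
run_job() {
    [ $# -ge 4 ] || { echo "usage: run_job PRINCIPAL KEYTAB LIFETIME COMMAND..." >&2; return 2; }
    principal=$1 keytab=$2 life=$3
    shift 3
    keytab_is_private "$keytab" || { echo "refusing keytab: $keytab" >&2; return 1; }
    secs=$(lifetime_seconds "$life") && [ "$secs" -le "$MAX_LIFETIME" ] ||
        { echo "lifetime rejected: $life" >&2; return 1; }
    # Key from the keytab (no password prompt), ticket not forwardable, short
    # lifetime; because a command follows the principal, kinit runs it with
    # fresh credentials and removes them when it finishes.
    $KINIT --keytab="$keytab" --no-forwardable --lifetime="$life" \
        "$principal" "$@"
}
```

Setting `KINIT=echo` before calling `run_job` prints the arguments that would be passed instead of contacting the KDC.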