kinit(1)

NAME

kinit - kinit is used to obtain and cache Kerberos ticket-granting
tickets. This tool is similar in functionality to
the kinit tools that are commonly found in other Kerberos
implementations, such as SEAM and MIT Reference implementations.

The user must be registered as a principal with the Key
Distribution Center (KDC) prior to running kinit.

SYNOPSIS

kinit [ commands ] <principal name>

DESCRIPTION

By default, for all Unix platforms a cache file named
/tmp/krb5cc_<uid> will be generated. <uid> is the user
identification number of the user logged into the system.
For all other platforms, a cache file named
<USER_HOME>/krb5cc_<USER_NAME> would be generated.

<USER_HOME> is obtained from the java.lang.System property user.home. <USER_NAME> is obtained from java.lang.System property user.name. If <USER_HOME> is null, the cache file would be stored in the current directory that the
program is running from. <USER_NAME> is the operating
system's login username. This username could be different
than the user's principal name. For example on Solaris, it
could be /home/duke/krb5cc_duke, in which duke is the
<USER_NAME> and /home/duke is the <USER_HOME>.

By default, the keytab name is retrieved from the Kerberos
configuration file. If the keytab name is not specified in
the Kerberos configuration file, the name is assumed to be
<USER_HOME>/krb5.keytab.

If you do not specify the password using the password
option on the command line, kinit will prompt you for the
password.

Note: The password option is provided only for testing purposes. Do
not place your password in a script or provide your password
on the command line. Doing so will compromise your
password.

For more information see the man pages for kinit.

COMMANDS

kinit -fp [ -c <cache_name> ] [ -k ] [ -t <keytab_filename> ] [ <principal> ] [ <password> ] [ -help ]

-f Issue a forwardable ticket.

-p Issue a proxiable ticket.

-c <cache_name> The cache name (e.g., FILE:/temp/mykrb5cc).

-k Use keytab.

-t <keytab_filename> The keytab name (e.g., /home/duke/krb5.keytab).

<principal> The principal name (e.g., duke@java.sun.com).

<password> The principal's Kerberos password. (DO NOT SPECIFY ON COMMAND LINE OR IN A SCRIPT.)

-help Display instructions.

EXAMPLES

Requesting credentials valid for authentication from the
current client host, for the default services, storing the
credentials cache in the default location
(/home/duke/krb5cc_duke):

kinit duke@JAVA.SUN.COM

Requesting proxiable credentials for a different principal
and storing these credentials in a specified file cache:

kinit -p -c FILE:/home/duke/credentials/krb5cc_cafebeef cafebeef@JAVA.SUN.COM

Requesting proxiable and forwardable credentials for a
different principal and storing these credentials in a
specified file cache:

kinit -f -p -c FILE:/home/duke/credentials/krb5cc_cafebeef cafebeef@JAVA.SUN.COM

Displaying the help menu for kinit:

kinit -help

SECURITY ALERT

The password flag is for testing purposes only. Do not specify your
password on the command line. Doing so is a
security hole since an attacker could discover your password
while running the Unix ps command, for example.
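
A defensive check for the exposure described above, as an added example that is not part of the original man page: it parses a process listing with the option grammar from the COMMANDS section and reports kinit processes that carry a password argument. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Option grammar follows the COMMANDS section of this page:
# -c and -t take a value; other flags take none; then [principal] [password].

# count_positionals ARGS...: print how many non-option arguments follow kinit.
count_positionals() {
    n=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -c|-t) if [ $# -ge 2 ]; then shift; fi ;;  # skip the option's value
            -*)    ;;                                   # -f, -p, -fp, -k, -help
            *)     n=$((n + 1)) ;;
        esac
        shift
    done
    echo "$n"
}

# A second positional argument is the password, visible to anyone running ps.
kinit_exposes_password() {
    [ "$(count_positionals "$@")" -ge 2 ]
}

# audit_ps: read "PID COMMAND ARGS..." lines on stdin and print the PID of
# every kinit process whose command line carries a password.
audit_ps() {
    while read -r pid cmd args; do
        case "${cmd##*/}" in
            kinit) ;;
            *) continue ;;
        esac
        set -f                      # no globbing while word-splitting $args
        if kinit_exposes_password $args; then echo "$pid"; fi
        set +f
    done
}

# Constructed process listing (not captured from a real host).
SAMPLE_PS='  4101 kinit duke@JAVA.SUN.COM
  4102 /usr/bin/kinit -f -p -c FILE:/home/duke/credentials/krb5cc_cafebeef cafebeef@JAVA.SUN.COM
  4103 kinit -k -t /home/duke/krb5.keytab duke@JAVA.SUN.COM
  4104 kinit duke@JAVA.SUN.COM constructed-secret
  4105 ps -e -o pid= -o args='

printf '%s\n' "$SAMPLE_PS" | audit_ps   # prints 4104
```

On a live host, pipe `ps -e -o pid= -o args=` into audit_ps instead of the sample; any PID it prints belongs to a kinit run whose password was readable by other local users.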