NAME

     kinit - obtain and cache Kerberos ticket-granting ticket


SYNOPSIS

     kinit
          [-V] [-l lifetime] [-s start_time] [-r renewable_life]
          [-p | -P] [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k
          [-t keytab_file]] [-c cache_name] [-S service_name][-T
          armor_ccache] [-X attribute[=value]] [principal]


DESCRIPTION

     kinit obtains and caches an initial  ticket-granting  ticket
     for principal.


OPTIONS

     -V   display verbose output.

     -l lifetime
          requests a ticket  with  the  lifetime  lifetime.   The
          value  for lifetime must be followed immediately by one
          of the following delimiters:

             s  seconds
             m  minutes
             h  hours
             d  days

          as in "kinit -l 90m".  You cannot mix units; a value of
          `3h30m' will result in an error.

          If the -l option is not specified, the  default  ticket
          lifetime (configured by each site) is used.  Specifying
          a ticket lifetime longer than the maximum ticket  life-
          time (configured by each site) results in a ticket with
          the maximum lifetime.

     -s start_time
          requests  a  postdated  ticket,   valid   starting   at
          start_time.   Postdated  tickets  are  issued  with the
          invalid flag set, and need to be fed back  to  the  kdc
          before use.

     -r renewable_life
          requests renewable tickets, with a  total  lifetime  of
          renewable_life.   The duration is in the same format as
          the -l option, with the same delimiters.

     -f   request forwardable tickets.

     -F   do not request forwardable tickets.

     -p   request proxiable tickets.
     -P   do not request proxiable tickets.

     -a   request tickets with the local address[es].

     -A   request address-less tickets.

     -C   requests canonicalization of the principal name.

     -E   treats the principal name as an enterprise name.

     -v   requests that the ticket granting ticket in  the  cache
          (with  the  invalid  flag set) be passed to the kdc for
          validation.  If the ticket is within its requested time
          range, the cache is replaced with the validated ticket.

     -R   requests renewal of the ticket-granting  ticket.   Note
          that  an  expired ticket cannot be renewed, even if the
          ticket is still within its renewable life.

     -k [-t keytab_file]
          requests a host ticket, obtained  from  a  key  in  the
          local host's keytab file.  The name and location of the
          keytab file may be specified with  the  -t  keytab_file
          option; otherwise the default name and location will be
          used.

     -T armor_ccache
          Specifies the name of a credential cache  that  already
          contains  a  ticket.  This ccache will be used to armor
          the request.   Ideally,  an  attacker  should  have  to
          attack both the armor ticket and the key of the princi-
          pal.

     -c cache_name
          use cache_name as the Kerberos 5  credentials  (ticket)
          cache  name  and  location; if this option is not used,
          the default cache name and location are used.

          The default credentials cache may vary between systems.
          If  the  KRB5CCNAME  environment  variable  is set, its
          value is used to name the default  ticket  cache.   Any
          existing contents of the cache are destroyed by kinit.

     -S service_name
          specify an alternate service name to use  when  getting
          initial tickets.

     -X attribute[=value]
          specify a pre-authentication attribute and value to  be
          passed  to  pre-authentication plugins.  The acceptable
          attribute and value values vary from pre-authentication
          plugin   to  plugin.   This  option  may  be  specified
          multiple times to specify multiple attributes.   If  no
          value is specified, it is assumed to be "yes".

          The following attributes are recognized by the OpenSSL pkinit
          pre-authentication mechanism:
             X509_user_identity=value
                specify where to find user's X509 identity information
             X509_anchors=value
                specify where to find trusted X509 anchor information
             flag_RSA_PROTOCOL[=yes]
                specify use of RSA, rather than the default Diffie-Hellman protocol



ENVIRONMENT

     Kinit uses the following environment variables:

     KRB5CCNAME      Location  of  the  Kerberos  5   credentials
                     (ticket) cache.


FILES

     /tmp/krb5cc_[uid]  default location of  Kerberos  5  creden-
                        tials  cache ([uid] is the decimal UID of
                        the user).

     /etc/krb5.keytab   default location  for  the  local  host's
                        keytab file.


SEE ALSO

     klist(1), kdestroy(1), kerberos(1)
























Man(1) output converted with man2html