kinit  [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
              [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]]
              [-c cache_name] [-n] [-S service_name][-T armor_ccache] [-X
              attribute[=value]] [principal]


       kinit obtains and caches an initial ticket-granting ticket for  princi


       -V     display verbose output.

       -l lifetime
              requests  a  ticket  with  the lifetime lifetime.  The value for
              lifetime must be followed immediately by one  of  the  following

                 s  seconds
                 m  minutes
                 h  hours
                 d  days

              as  in "kinit -l 90m".  You cannot mix units; a value of `3h30m'
              will result in an error.

              If the -l option is not specified, the default  ticket  lifetime
              (configured by each site) is used.  Specifying a ticket lifetime
              longer than the maximum  ticket  lifetime  (configured  by  each
              site) results in a ticket with the maximum lifetime.

       -s start_time
              requests  a  postdated  ticket,  valid  starting  at start_time.
              Postdated tickets are issued with the invalid flag set, and need
              to be fed back to the kdc before use.

       -r renewable_life
              requests  renewable  tickets,  with  a  total lifetime of renew
              able_life.  The duration is in the same format as the -l option,
              with the same delimiters.

       -f     request forwardable tickets.

       -F     do not request forwardable tickets.

       -p     request proxiable tickets.

       -P     do not request proxiable tickets.

       -a     request tickets with the local address[es].

       -A     request address-less tickets.
       -k [-t keytab_file]
              requests a host ticket, obtained from a key in the local  host's
              keytab  file.   The  name and location of the keytab file may be
              specified with the -t keytab_file option; otherwise the  default
              name and location will be used.

       -n     Requests  anonymous  processing.  Two types of anonymous princi‐
              pals are supported.  For  fully  anonymous  Kerberos,  configure
              pkinit  on  the KDC and configure pkinit_anchors in the client's
              krb5.conf.  Then use the -n option with a principal of the  form
              @REALM  (an  empty  principal name followed by the at-sign and a
              realm name).  If permitted by the KDC, an anonymous ticket  will
              be  returned.   A second form of anonymous tickets is supported;
              these realm-exposed tickets hide the identity of the client  but
              not the client's realm.  For this mode, use kinit -n with a nor‐
              mal principal name.  If supported by the KDC, the principal (but
              not  realm)  will be replaced by the anonymous principal.  As of
              release 1.8, the MIT Kerberos KDC only supports fully  anonymous

       -T armor_ccache
              Specifies the name of a credential cache that already contains a
              ticket.  If supported by the KDC, This ccache will  be  used  to
              armor  the  request  so that an attacker would have to know both
              the key of the armor ticket and the key of  the  principal  used
              for authentication in order to attack the request. Armoring also
              makes sure that the response from the KDC  is  not  modified  in

       -c cache_name
              use cache_name as the Kerberos 5 credentials (ticket) cache name
              and location; if this option is not used, the default cache name
              and location are used.

              The  default credentials cache may vary between systems.  If the
              KRB5CCNAME environment variable is set, its  value  is  used  to
              name  the  default  ticket  cache.  Any existing contents of the
              cache are destroyed by kinit.

       -S service_name
              specify an alternate service name to use  when  getting  initial

       -X attribute[=value]
              specify a pre-authentication attribute and value to be passed to
              pre-authentication plugins.  The acceptable attribute and  value
              values  vary  from  pre-authentication  plugin  to plugin.  This
              option may be  specified  multiple  times  to  specify  multiple
              attributes.   If  no  value  is  specified,  it is assumed to be

              The following attributes are recognized by the OpenSSL pkinit


       /tmp/krb5cc_[uid]  default location of  Kerberos  5  credentials  cache
                          ([uid] is the decimal UID of the user).

       /etc/krb5.keytab   default location for the local host's keytab file.


       klist(1), kdestroy(1), kerberos(1)


Man(1) output converted with man2html