NAME
     rkinit - establish kerberos tickets safely on a remote host

SYNOPSIS
     rkinit [ host ] [ -p principal ] [ -l username ] [ -k kerberos_realm ]
            [ -f ticket_file ] [ -h remote_host ] [ -t ticket_lifetime ]
            [ -notimeout ]

     A host name must be specified either as the first command line
     argument or following a -h flag. If redundant command line arguments
     are given, the last one to appear takes precedence.

DESCRIPTION
     rkinit is a program that allows a user to establish kerberos tickets
     on a remote host registered for rlogin service. This can be done
     without the user's kerberos password ever leaving the client machine.

     In order to establish tickets remotely without the use of something
     like rkinit, one would have to log in to the remote host and run
     kinit(1). rkinit followed by rlogin can be thought of as a safe
     substitute for rlogin followed by kinit.

     rkinit uses the same access checking mechanism as rlogin. That means
     that rkinit can be used to create any tickets for user A on remote
     host B if and only if A's tickets would entitle a login to B. This
     means that one can create remote tickets for himself or for another
     user if he is in that user's .klogin file.

     rkinit understands the following command line options:

     -p principal
          If principal, in the format name[.inst][@realm], is specified,
          the tickets created on the remote host will be the tickets
          indicated by the principal field. If this option is not given,
          the following defaults are used:

          If the user running rkinit does not have tickets on the client
          machine, rkinit will prompt for a password and behave
          effectively as if the user had invoked kinit on the specified
          remote host; i.e., the tickets established will be owned on the
          remote host by the user who invoked rkinit and will be for the
          local realm of the remote host.

          If the user running rkinit already has tickets, rkinit will
          prompt for a password and create tickets whose principal matches
          that of the tickets that the user already has.

     -l username
          If username is specified, the ticket file on the remote host
          will be owned by the user username. If it is not specified, the
          tickets will be owned by the remote user whose login name
          matches that of the user invoking rkinit.

     -r realm
          realm is used to tell rkinit what realm the remote host is in.
          This option should not usually have to be used since rkinit uses
          krb_realmofhost(3) to determine the remote host's kerberos
          realm. Note that this is distinct from realm as specified in
          principal, which refers to the realm of the remote tickets.

     -f ticket_file
          This option is used to specify the name of the ticket file that
          should be used on the remote host. Note that if you specify a
          location for the ticket file that is other than the default, you
          will have to set the environment variable KRBTKFILE to that
          filename once you get to the remote host in order for you to use
          the tickets. If a ticket file is not specified, the tickets will
          be placed in the default location as specified by tkt_file(3).
          On a UNIX host, this is /tmp/tkt, where is the user id of the
          person who owns the remote ticket file.

     -h remote_host
          remote_host is the host on which remote tickets are being
          obtained. This option can be used in place of specifying the
          host as the first command line argument.

     -t ticket_lifetime
          ticket_lifetime is the lifetime in minutes of the remote
          tickets. If it is not specified, the default ticket lifetime (as
          defined in krb.h) is used.

     -notimeout
          prevents the client from timing out. This is mainly useful only
          for debugging since the rkinit server also times out.

EXAMPLES
     In the following examples, tabetha and soup are machines in the
     ATHENA.MIT.EDU kerberos realm and local is a user who can log in to
     soup and has qjb.root@ATHENA.MIT.EDU in his .klogin file.

          % rkinit tabetha
          Kerberos initialization (tabetha)
          Password for qjb@ATHENA.MIT.EDU:
          %

          % rkinit soup -p qjb.root -l local
          Kerberos initialization (soup): tickets will be owned by local
          Password for qjb.root@ATHENA.MIT.EDU:
          %

SEE ALSO
     rkinitd(8), kerberos(1), kerberos(3), kinit(1)

AUTHOR
     Emanuel Jay Berkenbilt (MIT-Project Athena)
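
The access check described under DESCRIPTION (principal A may own tickets as remote user B only if A could log in as B), sketched as an added example; this is not rkinit's or rkinitd's own code. The function names, the one-principal-per-line .klogin layout, and the rule applied when no .klogin exists are assumptions made for illustration.

```python
import re

# Principal syntax as given on the page: name[.inst][@realm]
_PRINCIPAL = re.compile(r"^([^.@\s]+)(?:\.([^.@\s]*))?(?:@([^@\s]+))?$")

# Constructed sample: the .klogin of user "local" from the EXAMPLES section.
SAMPLE_KLOGIN = "qjb.root@ATHENA.MIT.EDU\n"


def parse_principal(text, default_realm):
    """Return (name, instance, realm); absent parts become '' / default_realm."""
    m = _PRINCIPAL.match(text.strip())
    if not m:
        raise ValueError(f"not a name[.inst][@realm] principal: {text!r}")
    name, inst, realm = m.groups()
    return (name, inst or "", realm or default_realm)


def may_create_tickets(principal, remote_user, klogin_text, local_realm):
    """Decide whether `principal` may own tickets as `remote_user`.

    klogin_text is the content of remote_user's .klogin, or None when the
    file does not exist. Assumed fallback in that case: only the user's own
    null-instance principal in the host's local realm is accepted.
    """
    who = parse_principal(principal, local_realm)
    if klogin_text is None:
        return who == (remote_user, "", local_realm)
    for line in klogin_text.splitlines():
        if not line.strip():
            continue
        try:
            if parse_principal(line, local_realm) == who:
                return True  # exact match on name, instance and realm
        except ValueError:
            continue  # skip malformed entries instead of matching loosely
    return False


if __name__ == "__main__":
    realm = "ATHENA.MIT.EDU"
    # Second example on the page: rkinit soup -p qjb.root -l local
    print(may_create_tickets("qjb.root", "local", SAMPLE_KLOGIN, realm))
    # A principal not listed in local's .klogin is refused.
    print(may_create_tickets("qjb", "local", SAMPLE_KLOGIN, realm))
```

The comparison is on the full (name, instance, realm) triple, so qjb and qjb.root are treated as different principals, which is why the .klogin entry in the EXAMPLES section names the instance explicitly.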