
kinit

- obtain and cache Kerberos ticket-granting ticket

Synopsis

/usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name] 
     [-C] [-E] [-k [-t keytab_file]] [-l lifetime]
     [-r renewable_life] [-s start_time] [-n] [-S service_name]
     [-X attribute[=value]] [-T armor_ccache] [principal]

Description

The kinit command is used to obtain and cache an initial ticket-granting ticket (credential) for principal. This ticket is used for authentication by the Kerberos system. Only users with Kerberos principals can use the Kerberos system. For information about Kerberos principals, see kerberos(5).

When you use kinit without options, the utility prompts for your principal and Kerberos password, and tries to authenticate your login with the local Kerberos server. The principal can be specified on the command line if desired.

If Kerberos authenticates the login attempt, kinit retrieves your initial ticket-granting ticket and puts it in the ticket cache. By default your ticket is stored in the file /tmp/krb5cc_uid, where uid specifies your user identification number. Tickets expire after a specified lifetime, after which kinit must be run again. Any existing contents of the cache are destroyed by kinit.

Values specified in the command line override the values specified in the Kerberos configuration file for lifetime and renewable_life.

The kdestroy(1) command can be used to destroy any active tickets before you end your login session.

Options

The following options are supported:

-a

Requests tickets with the local addresses.

-A

Requests address-less tickets.

-c cache_name

Uses cache_name as the credentials (ticket) cache name and location. If this option is not used, the default cache name and location are used.

-C

Requests canonicalization of the principal name.

-E

Treats the principal name as an enterprise name.

-f

Requests forwardable tickets.

-F

Not forwardable. Does not request forwardable tickets.

Tickets that have been acquired on one host cannot normally be used on another host. A client can request that the ticket be marked forwardable. Once the TKT_FLG_FORWARDABLE flag is set on a ticket, the user can use this ticket to request a new ticket, but with a different IP address. Thus, users can use their current credentials to get credentials valid on another machine. This option allows a user to explicitly obtain a non-forwardable ticket.

-k [-t keytab_file]

Requests a host ticket, obtained from a key in the local host's keytab file. The name and location of the keytab file can be specified with the -t keytab_file option. Otherwise, the default name and location are used.

-l lifetime

Requests a ticket with the lifetime lifetime. If the -l option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) results in a ticket with the maximum lifetime. See the Time Formats section for the valid time duration formats that you can specify for lifetime. See kdc.conf(4) and kadmin(1M) (the getprinc command can be used to verify the lifetime values for the server principal).

The lifetime of the tickets returned is the minimum of the following:

  • Value specified in the command line.

  • Value specified in the KDC configuration file.

  • Value specified in the Kerberos database for the server principal. In the case of kinit, it is krbtgt/realm name.

  • Value specified in the Kerberos database for the user principal.

-n

Requests anonymous processing.

Two types of anonymous principals are supported. For fully anonymous Kerberos, configure pkinit on the KDC and configure pkinit_anchors in the client's krb5.conf. Then use the -n option with a principal of the form @REALM (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket is returned.

A second form of anonymous tickets is also supported. These realm-exposed tickets hide the identity of the client but not the client's realm. For this mode, use kinit -n with a normal principal name. If supported by the KDC, the principal (but not realm) is replaced by the anonymous principal. As of release 1.8, MIT Kerberos KDC only supports fully anonymous operation.

-p

Requests proxiable tickets.

-P

Not proxiable. Does not request proxiable tickets.

A proxiable ticket is a ticket that allows you to get a ticket for a service with IP addresses other than the ones in the Ticket Granting Ticket. This option allows a user to explicitly obtain a non-proxiable ticket.

-r renewable_life

Requests renewable tickets, with a total lifetime of renewable_life. See the Time Formats section for the valid time duration formats that you can specify for renewable_life. See kdc.conf(4) and kadmin(1M) (the getprinc command can be used to verify the lifetime values for the server principal).

The renewable lifetime of the tickets returned is the minimum of the following:

  • Value specified in the command line.

  • Value specified in the KDC configuration file.

  • Value specified in the Kerberos database for the server principal. In the case of kinit, it is krbtgt/realm name.

  • Value specified in the Kerberos database for the user principal.

-R

Requests renewal of the ticket-granting ticket. Notice that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.

-s start_time

Requests a postdated ticket, valid starting at start_time. Postdated tickets are issued with the invalid flag set, and need to be fed back to the KDC before use. See the Time Formats section for either the valid absolute time or time duration formats that you can specify for start_time. kinit attempts to match an absolute time first before trying to match a time duration.

-S service_name

Specifies an alternate service name to use when getting initial tickets.

-T armor_ccache

If supported by the KDC, specifies the name of a credential cache (ccache) that already contains a ticket. This ccache is used to armor the request so that an attacker would have to know both the key of the armor ticket and the key of the principal used for authentication in order to attack the request.

Armoring also makes sure that the response from the KDC is not modified in transit.

-v

Requests that the ticket-granting ticket in the cache (with the invalid flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket.

-V

Verbose output. Displays further information to the user, such as confirmation of authentication and version.

-X attribute[=value]

Specifies a pre-authentication attribute and value to be passed to pre-authentication plugins. The acceptable attributes and values vary from one pre-authentication plugin to another. This option can be specified multiple times to specify multiple attributes. If no value is specified, it is assumed to be yes.

The following attributes are recognized by the OpenSSL pkinit pre-authentication mechanism:

X509_user_identity=URI

Specifies where to find the user's X509 identity information.

Valid URI types are FILE, DIR, PKCS11, PKCS12, and ENV. See the PKINIT URI Types section for details.

X509_anchors=URI

Specifies where to find trusted X509 anchor information.

Valid URI types are FILE and DIR. See the PKINIT URI Types section for details.

flag_RSA_PROTOCOL[=yes]

Specifies the use of RSA, rather than the default Diffie-Hellman protocol.

PKINIT URI Types

FILE:file-name[,key-file-name]

This option has context-specific behavior.

X509_user_identity

file-name specifies the name of a PEM-format file containing the user's certificate. If key-file-name is not specified, the user's private key is expected to be in file-name as well. Otherwise, key-file-name is the name of the file containing the private key.

X509_anchors

file-name is assumed to be the name of an OpenSSL-style ca-bundle file. The ca-bundle file should be base-64 encoded.

DIR:directory-name

This option has context-specific behavior.

X509_user_identity

directory-name specifies a directory with files named *.crt and *.key, where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a name ending with .crt is found, a matching file ending with .key is assumed to contain the private key. If no such file is found, then the certificate in the .crt is not used.

X509_anchors

directory-name is assumed to be an OpenSSL-style hashed CA directory where each CA cert is stored in a file named hash-of-ca-cert.#. This layout is encouraged, but all files in the directory are examined, and any that contain certificates (in PEM format) are used.

PKCS12:pkcs12-file-name

pkcs12-file-name is the name of a PKCS #12 format file, containing the user's certificate and private key.

PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]

All keywords and values are optional. PKCS11 modules (for example, opensc-pkcs11.so) must be installed as a crypto provider under libpkcs11(3LIB). slotid= and/or token= can be specified to force the use of a particular smart card reader or token if there is more than one available. certid= and/or certlabel= can be specified to force the selection of a particular certificate on the device. See the pkinit_cert_match configuration option for more ways to select a particular certificate to use for pkinit.

ENV:environment-variable-name

environment-variable-name specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, ENV:X509_PROXY, where environment variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.

Time Formats

The following absolute time formats can be used for the -s start_time option. The examples are based on the date and time of July 2, 1999, 1:35:30 p.m.

Absolute Time Format
Example
yymmddhhmm[ss]
990702133530
hhmm[ss]
133530
yy.mm.dd.hh.mm.ss
99:07:02:13:35:30
hh:mm[:ss]
13:35:30
ldate:ltime
07-07-99:13:35:30
dd-month-yyyy:hh:mm[:ss]
02-july-1999:13:35:30
Variable
Description
dd
day
hh
hour (24-hour clock)
mm
minutes
ss
seconds
yy
year within century (0-68 is 2000 to 2068; 69-99 is 1969 to 1999)
yyyy
year including century
month
locale's full or abbreviated month name
ldate
locale's appropriate date representation
ltime
locale's appropriate time representation

The following time duration formats can be used for the -l lifetime, -r renewable_life, and -s start_time options. The examples are based on the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.

Time Duration Format
Example
#d
14d
#h
7h
#m
5m
#s
30s
#d#h#m#s
14d7h5m30s
#h#m[#s]
7h5m30s
days-hh:mm:ss
14-07:05:30
hours:mm[:ss]
7:05:30
Delimiter
Description
d
number of days
h
number of hours
m
number of minutes
s
number of seconds
Variable
Description
#
number
days
number of days
hours
number of hours
hh
hour (24-hour clock)
mm
minutes
ss
seconds

Environment Variables

kinit uses the following environment variable:

KRB5CCNAME

Location of the credentials (ticket) cache. See krb5envvar(5) for syntax and details.

Files

/tmp/krb5cc_uid

Default credentials cache (uid is the decimal UID of the user).

/etc/krb5/krb5.keytab

Default location for the local host's keytab file.

/etc/krb5/krb5.conf

Default location for the local host's configuration file. See krb5.conf(4).

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
service/security/kerberos-5
Interface Stability
See below.

The command arguments are Committed. The command output is Uncommitted.

See Also

kdestroy(1), klist(1), kadmin(1M), ktkt_warnd(1M), libpkcs11(3LIB), kdc.conf(4), krb5.conf(4), attributes(5), kerberos(5), krb5envvar(5), pam_krb5(5)

Notes

On success, kinit notifies ktkt_warnd(1M) to alert the user when the initial credentials (ticket-granting ticket) are about to expire.