man pages section 1: User Commands

Updated: Wednesday, July 27, 2022
 
 

kvno (1)


KVNO(1)                          MIT Kerberos                          KVNO(1)



NAME
       kvno - print key version numbers of Kerberos principals

SYNOPSIS
       kvno [-c ccache] [-e etype] [-q] [-u | -S sname] [-P] [[{-F cert_file |
       {-I | -U} for_user} [-P]] | --u2u ccache] service1 service2 ...

DESCRIPTION
       kvno acquires a service ticket for the  specified  Kerberos  principals
       and prints out the key version numbers of each.

OPTIONS
       -c ccache
              Specifies  the  name  of  a credentials cache to use (if not the
              default).

       -e etype
              Specifies the enctype which will be requested  for  the  session
              key of all the services named on the command line.  This is use-
              ful in certain backward compatibility situations.

       -k keytab
              Decrypt the acquired  tickets  using  keytab  to  confirm  their
              validity.

       -q     Suppress  printing  output when successful.  If a service ticket
              cannot be obtained, an error message will still be  printed  and
              kvno will exit with nonzero status.

       -u     Use  the unknown name type in requested service principal names.
              This option cannot be used with -S.

       -P     Specifies that the service1 service2 ...  arguments  are  to  be
              treated  as  services  for  which credentials should be acquired
              using constrained delegation.  This option is  only  valid  when
              used in conjunction with protocol transition.

       -S sname
              Specifies  that  the  service1 service2 ... arguments are inter-
              preted as hostnames, and the service principals are to  be  con-
              structed  from  those hostnames and the service name sname.  The
              service hostnames will be canonicalized according to  the  usual
              rules for constructing service principals.

       -I for_user
              Specifies  that  protocol transition (S4U2Self) is to be used to
              acquire a ticket on behalf of for_user.  If constrained  delega-
              tion  is  not requested, the service name must match the creden-
              tials cache client principal.

       -U for_user
              Same as -I, but treats for_user as an enterprise name.

       -F cert_file
              Specifies that protocol transition is to  be  used,  identifying
              the  client  principal  with the X.509 certificate in cert_file.
              The certificate file must be in PEM format.

       --u2u ccache
              Requests a user-to-user ticket.  ccache  must  contain  a  local
              krbtgt  ticket  for  the server principal.  The reported version
              number will typically be 0,  as  the  resulting  ticket  is  not
              encrypted in the server's long-term key.
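
The -k option above confirms that a keytab can decrypt an acquired ticket; a related check compares the version number kvno reports with the versions stored in a keytab, which flags a keytab left behind by a key change. This is an added example, not part of the MIT or Oracle manual page: the assumed kvno and klist -k output formats, the function names and the sample principals are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between the kvno the KDC issues and a keytab.
# Assumed MIT krb5 output formats:
#   kvno      ->  "<principal>: kvno = <n>"
#   klist -k  ->  "<kvno> <principal>" rows under a header

# Print the key version number found in kvno output on stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Print the highest kvno that a keytab listing on stdin holds for principal $1.
keytab_max_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 >= max { max = $1 + 0; found = 1 }
        END { if (found) print max }'
}

# Compare $1 (kvno from the KDC) with $2 (highest kvno in the keytab).
compare_kvno() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo "missing"; return 2; fi
    if [ "$1" -eq "$2" ]; then echo "ok"; return 0; fi
    if [ "$1" -gt "$2" ]; then echo "keytab-stale"; return 1; fi
    echo "keytab-ahead"; return 1
}

# Live check; needs a TGT in the credentials cache. $1 = principal, $2 = keytab.
check_live() {
    compare_kvno "$(kvno "$1" | kdc_kvno)" "$(klist -k "$2" | keytab_max_kvno "$1")"
}

# Constructed sample output, not captured from a real realm.
SAMPLE_KVNO='host/app1.example.com@EXAMPLE.COM: kvno = 4'
SAMPLE_KLIST='Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/app1.example.com@EXAMPLE.COM
   3 host/app1.example.com@EXAMPLE.COM
   3 HTTP/app1.example.com@EXAMPLE.COM'

kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_max_kvno 'host/app1.example.com@EXAMPLE.COM')
echo "KDC kvno=$kdc keytab kvno=$kt status=$(compare_kvno "$kdc" "$kt")"
```

A service ticket already held in the credentials cache is reused, so run check_live against a fresh cache to see the key version the KDC currently issues.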

ENVIRONMENT
       See kerberos(7) for a description of Kerberos environment variables.

FILES
       FILE:/tmp/volatile-user/%{uid}/krb5cc_%{uid}
              Default location of the credentials cache


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+------------------------+
       |ATTRIBUTE TYPE |    ATTRIBUTE VALUE     |
       +---------------+------------------------+
       |Availability   | security/kerberos-5    |
       +---------------+------------------------+
       |Stability      | Pass-through committed |
       +---------------+------------------------+

SEE ALSO
       kinit(1), kdestroy(1), kerberos(7)

AUTHOR
       MIT

COPYRIGHT
       1985-2021, MIT



NOTES
       Source code for open source software components in Oracle Solaris can
       be found at
       https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.

       This software was built from source available at
       https://github.com/oracle/solaris-userland.  The original community
       source was downloaded from
       http://web.mit.edu/kerberos/dist/krb5/1.18/krb5-1.18.4.tar.gz.

       Further information about this software can be found on the open source
       community website at http://web.mit.edu/kerberos/.



1.18.4                                                                 KVNO(1)