.\" $NetBSD: kinit.1,v 1.6 2023/06/19 21:41:42 christos Exp $
.\"
.\" Copyright (c) 1998 - 2003, 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" Id
.\"
.Dd April 25, 2006
.Dt KINIT 1
.Os
.Sh NAME
.Nm kinit
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl Fl afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl Fl cache= Ns Ar cachename
.Xc
.Oc
.Op Fl f | Fl Fl forwardable
.Op Fl F | Fl Fl no-forwardable
.Oo Fl t Ar keytabname \*(Ba Xo
.Fl Fl keytab= Ns Ar keytabname
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl Fl lifetime= Ns Ar time
.Xc
.Oc
.Op Fl p | Fl Fl proxiable
.Op Fl R | Fl Fl renew
.Op Fl Fl renewable
.Oo Fl r Ar time \*(Ba Xo
.Fl Fl renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl Fl server= Ns Ar principal
.Xc
.Oc
.Oo Fl s Ar time \*(Ba Xo
.Fl Fl start-time= Ns Ar time
.Xc
.Oc
.Op Fl k | Fl Fl use-keytab
.Op Fl v | Fl Fl validate
.Oo Fl e Ar enctypes \*(Ba Xo
.Fl Fl enctypes= Ns Ar enctypes
.Xc
.Oc
.Oo Fl a Ar addresses \*(Ba Xo
.Fl Fl extra-addresses= Ns Ar addresses
.Xc
.Oc
.Op Fl Fl password-file= Ns Ar filename
.Op Fl Fl fcache-version= Ns Ar version-number
.Op Fl A | Fl Fl no-addresses
.Op Fl n | Fl Fl anonymous
.Op Fl Fl enterprise
.Op Fl Fl version
.Op Fl Fl help
.Op Ar principal Op Ar command
.Sh DESCRIPTION
.Nm
is used to authenticate to the Kerberos server as
.Ar principal ,
or if none is given, a system generated default (typically your login
name at the default realm), and acquire a ticket granting ticket (TGT) that
can later be used to obtain tickets for other services.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl c Ar cachename , Fl Fl cache= Ns Ar cachename
The credentials cache to put the acquired ticket in, if other than the
default.
.It Fl f , Fl Fl forwardable
Obtain a ticket that can be forwarded to another host.
.It Fl F , Fl Fl no-forwardable
Do not obtain a forwardable ticket.
.It Fl t Ar keytabname , Fl Fl keytab= Ns Ar keytabname
Do not ask for a password, but instead get the key from the specified
keytab.
.It Fl l Ar time , Fl Fl lifetime= Ns Ar time
Specifies the requested lifetime of the ticket.
The argument can either be in seconds, or a more human readable string
like
.Sq 1h .
The KDC may issue a shorter lifetime than requested; the lifetime actually
granted can be inspected with
.Xr klist 1 .
.It Fl p , Fl Fl proxiable
Request tickets with the proxiable flag set.
.It Fl R , Fl Fl renew
Try to renew the ticket.
The ticket must have the
.Sq renewable
flag set, and must not be expired.
.It Fl Fl renewable
The same as
.Fl Fl renewable-life ,
with an infinite time.
.It Fl r Ar time , Fl Fl renewable-life= Ns Ar time
The maximum renewable ticket life.
.It Fl S Ar principal , Fl Fl server= Ns Ar principal
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Fl s Ar time , Fl Fl start-time= Ns Ar time
Obtain a postdated ticket that starts to be valid
.Ar time
into the future.
The argument is a number of seconds or a generic time specification, like
.Sq 1h .
.It Fl k , Fl Fl use-keytab
The same as
.Fl Fl keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Fl v , Fl Fl validate
Try to validate an invalid ticket, that is, a postdated ticket (see
.Fl s )
which the KDC issued with the invalid flag set and which cannot be used
until its start time has passed and the KDC has validated it.
.It Fl e Ar enctypes , Fl Fl enctypes= Ns Ar enctypes
Request tickets with this particular enctype.
.It Fl Fl password-file= Ns Ar filename
Read the password from the first line of
.Ar filename .
If the
.Ar filename
is
.Ar STDIN ,
the password will be read from the standard input.
A password file should be readable only by its owner; for unattended
jobs a keytab (see
.Fl t )
is the usual alternative.
.It Fl Fl fcache-version= Ns Ar version-number
Create a credentials cache of version
.Ar version-number .
.It Fl a Ar addresses , Fl Fl extra-addresses= Ns Ar addresses
Adds a set of addresses that will, in addition to the system's local
addresses, be put in the ticket.
This can be useful if all addresses a client can use cannot be
automatically figured out.
One such example is if the client is behind a firewall.
Also settable via
.Li libdefaults/extra_addresses
in
.Xr krb5.conf 5 .
.It Fl A , Fl Fl no-addresses
Request a ticket with no addresses.
.It Fl n , Fl Fl anonymous
Request an anonymous ticket.
With the default (false) setting of the
.Ar historical_anon_pkinit
configuration parameter, if the principal is specified as @REALM, then
anonymous PKINIT will be used to acquire an unauthenticated anonymous ticket
and both the client name and (with fully RFC-conformant KDCs) realm in the
returned ticket will be anonymized.
Otherwise, authentication proceeds as normal and the anonymous ticket will have
only the client name anonymized.
With
.Ar historical_anon_pkinit
set to
.Li true ,
the principal is interpreted as a realm even without an at-sign prefix, and it
is not possible to obtain authenticated anonymized tickets.
.It Fl Fl enterprise
Parse the principal as an enterprise (KRB5-NT-ENTERPRISE) name.
Enterprise names are email-like principals that are stored in the name part of
the principal, and since there are two @ characters the parser needs
to know that the first is not a realm separator.
An example of an enterprise name is
.Dq lha@e.kth.se@KTH.SE ,
and this option is usually used with canonicalize so that the
principal returned from the KDC will typically be the real principal
name.
.It Fl Fl afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel.
Only useful if you have AFS.
.El
.Pp
The
.Ar forwardable ,
.Ar proxiable ,
.Ar ticket_life ,
and
.Ar renewable_life
options can be set to a default value from the
.Dv appdefaults
section in krb5.conf, see
.Xr krb5_appdefault 3 .
.Pp
If a
.Ar command
is given,
.Nm
will set up a new credentials cache and AFS PAG, and then run the given
command.
When it finishes the credentials will be removed.
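The following POSIX shell script is an added example written for this page; it is not part of kinit(1) or of Heimdal. It shows, done explicitly, what the option descriptions above and the `[principal [command]]` form combine into in a batch job: get the key from a keytab (-t), put the ticket in a private cache (-c), bound its lifetime (-l), refuse a forwardable ticket (-F), verify the cache before running the job, and destroy the cache afterwards. The keytab path, the principal host/db01.example.com@EXAMPLE.COM, the command and the KINIT_MAX_LIFETIME policy are placeholders, and the time-specification grammar the script accepts is an assumed subset of what kinit's own parser takes.

```shell
#!/bin/sh
# Added example, not part of kinit(1) or Heimdal: acquire a short-lived TGT
# from a keytab into a private cache, run one command under it, and destroy
# the cache afterwards.  The keytab path, principal and command are
# placeholders; KINIT_MAX_LIFETIME is a policy knob invented for this script.

# Convert a kinit-style time specification to seconds.
# Accepted (an assumed subset of what kinit's -l/-r/-s take): a bare integer
# (seconds) or chained <integer><unit> groups with unit s, m, h, d or w,
# e.g. "1h", "1h30m", "7d".  Prints the seconds and returns 0, or prints
# nothing and returns 1 on a malformed specification.
kinit_time_to_seconds() {
    spec=$1
    case "$spec" in
        '') return 1 ;;
        *[!0-9smhdw]*) return 1 ;;              # character outside the subset
        *[!0-9]*) ;;                            # has unit letters: parse below
        *) printf '%s\n' "$spec"; return 0 ;;   # bare seconds
    esac
    total=0
    rest=$spec
    while [ -n "$rest" ]; do
        num=${rest%%[smhdw]*}                   # digits before the next unit
        [ -n "$num" ] || return 1               # unit without a number
        rest=${rest#"$num"}
        unit=${rest%"${rest#?}"}                # first character of the rest
        rest=${rest#?}
        case "$unit" in
            s) mult=1 ;;
            m) mult=60 ;;
            h) mult=3600 ;;
            d) mult=86400 ;;
            w) mult=604800 ;;
            *) return 1 ;;                      # trailing digits with no unit
        esac
        num=${num#"${num%%[!0]*}"}              # "08" must not be read as octal
        [ -n "$num" ] || num=0
        total=$((total + num * mult))
    done
    printf '%s\n' "$total"
}

# Longest ticket lifetime this script is willing to request (local policy
# chosen for the example, not a kinit default): 8 hours.
KINIT_MAX_LIFETIME=${KINIT_MAX_LIFETIME:-28800}

# Succeed only if the spec parses and does not exceed KINIT_MAX_LIFETIME.
check_lifetime() {
    secs=$(kinit_time_to_seconds "$1") || return 1
    [ "$secs" -le "$KINIT_MAX_LIFETIME" ]
}

# Usage: run_with_service_creds <keytab> <principal> <lifetime> cmd [args...]
# The body runs in a subshell so the EXIT trap fires when the function
# returns, whether or not the command succeeded.
run_with_service_creds() (
    keytab=$1 principal=$2 lifetime=$3
    shift 3
    check_lifetime "$lifetime" || {
        echo "lifetime '$lifetime' is malformed or exceeds policy" >&2
        exit 2
    }
    cc_dir=$(mktemp -d) || exit 1
    cc="FILE:$cc_dir/cc"
    trap 'kdestroy -c "$cc" 2>/dev/null; rm -rf "$cc_dir"' EXIT
    # -t: key from the keytab, no password prompt; -c: private cache;
    # -l: bounded lifetime; -F: never forwardable for a batch job.
    kinit -t "$keytab" -c "$cc" -l "$lifetime" -F "$principal" || exit 1
    # klist -s exits non-zero if the cache holds no valid TGT.
    klist -s -c "$cc" || exit 1
    KRB5CCNAME=$cc "$@"
)

# Only acts when given arguments, so the file can be sourced for its
# functions without side effects, e.g.:
#   sh kinit-wrap.sh host/db01.example.com@EXAMPLE.COM 1h /usr/local/bin/backup
if [ $# -ge 3 ]; then
    run_with_service_creds /etc/krb5.keytab "$@"
fi
```

kinit's own `principal command` form already creates a temporary cache and removes it when the command exits; the explicit version is for scripts that want to choose the cache location, reject an over-long lifetime before contacting the KDC, and confirm with klist that a usable TGT is present before the job starts. Setting KRB5CCNAME only for the child keeps the caller's own cache untouched.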
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
Specifies the default credentials cache.
.It Ev KRB5_CONFIG
The file name of
.Pa krb5.conf ,
the default being
.Pa /etc/krb5.conf .
.El
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr krb5_appdefault 3 ,
.Xr krb5.conf 5
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS