Provided by: krb5-user_1.16-2ubuntu0.4_amd64 bug

NAME
       kinit - obtain and cache Kerberos ticket-granting ticket


SYNOPSIS
       kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P] [-f | -F] [-a] [-A] [-C] [-E] [-v]
       [-R] [-k [-t keytab_file]] [-c cache_name] [-n] [-S service_name] [-I input_ccache] [-T armor_ccache] [-X
       attribute[=value]] [principal]


DESCRIPTION
       kinit  obtains and caches an initial ticket-granting ticket for principal.  If principal is absent, kinit
       chooses an appropriate principal name based on existing credential cache contents or the  local  username
       of the user invoking kinit.  Some options modify the choice of principal name.


OPTIONS
       -V     display verbose output.

       -l lifetime
              (duration string.)  Requests a ticket with the lifetime lifetime.

              For example, kinit -l 5:30 or kinit -l 5h30m.

              If  the -l option is not specified, the default ticket lifetime (configured by each site) is used.
              Specifying a ticket lifetime longer than the maximum ticket lifetime  (configured  by  each  site)
              will not override the configured maximum ticket lifetime.

       -s start_time
              (duration  string.)   Requests  a postdated ticket.  Postdated tickets are issued with the invalid
              flag set, and need to be resubmitted to the KDC for validation before use.

              start_time specifies the duration of the delay before the ticket can become valid.

       -r renewable_life
              (duration string.)  Requests renewable tickets, with a total lifetime of renewable_life.

       -f     requests forwardable tickets.

       -F     requests non-forwardable tickets.

       -p     requests proxiable tickets.

       -P     requests non-proxiable tickets.

       -a     requests tickets restricted to the host's local address[es].

       -A     requests tickets not restricted by address.

       -C     requests canonicalization of the principal name, and allows the KDC  to  reply  with  a  different
              client principal from the one requested.

       -E     treats the principal name as an enterprise name (implies the -C option).

       -v     requests that the ticket-granting ticket in the cache (with the invalid flag set) be passed to the
              KDC for validation.  If the ticket is within its requested time range, the cache is replaced  with
              the validated ticket.

       -R     requests  renewal  of  the ticket-granting ticket.  Note that an expired ticket cannot be renewed,
              even if the ticket is still within its renewable life.

              Note that renewable tickets that have expired as reported by klist(1)  may  sometimes  be  renewed
              using  this  option,  because the KDC applies a grace period to account for client-KDC clock skew.
              See krb5.conf(5) clockskew setting.

       -k [-i | -t keytab_file]
              requests a ticket, obtained from a key in the local host's keytab.  The location of the keytab may
              be  specified  with  the  -t  keytab_file  option, or with the -i option to specify the use of the
              default client keytab; otherwise the default keytab will be used.  By default, a host  ticket  for
              the  local  host  is  requested, but any principal may be specified.  On a KDC, the special keytab
              location KDB: can be used to indicate that kinit should open the KDC database and look up the  key
              directly.   This  permits  an  administrator  to  obtain  tickets  as  any principal that supports
              authentication based on the key.

       -n     Requests anonymous processing.  Two types of anonymous principals are supported.

              For fully anonymous Kerberos, configure pkinit on the KDC  and  configure  pkinit_anchors  in  the
              client's  krb5.conf(5).   Then  use  the  -n  option with a principal of the form @REALM (an empty
              principal name followed by the at-sign and a realm name).  If permitted by the KDC,  an  anonymous
              ticket will be returned.

              A  second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of
              the client but not the client's realm.  For this mode, use kinit -n with a normal principal  name.
              If  supported  by  the  KDC,  the  principal  (but  not  realm)  will be replaced by the anonymous
              principal.

              As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.

       -I input_ccache
          Specifies the name of a credentials cache that already contains a ticket.  When obtaining that ticket,
          if  information about how that ticket was obtained was also stored to the cache, that information will
          be used to affect how new credentials  are  obtained,  including  preselecting  the  same  methods  of
          authenticating to the KDC.

       -T armor_ccache
              Specifies  the  name  of  a credentials cache that already contains a ticket.  If supported by the
              KDC, this cache will be used to armor the  request,  preventing  offline  dictionary  attacks  and
              allowing  the  use  of additional preauthentication mechanisms.  Armoring also makes sure that the
              response from the KDC is not modified in transit.

       -c cache_name
              use cache_name as the Kerberos 5 credentials (ticket) cache location.  If this option is not used,
              the default cache location is used.

              The  default  cache  location may vary between systems.  If the KRB5CCNAME environment variable is
              set, its value is used to locate the default cache.  If a principal name is specified and the type
              of  the  default  cache supports a collection (such as the DIR type), an existing cache containing
              credentials for the principal is selected or a new one is created  and  becomes  the  new  primary
              cache.  Otherwise, any existing contents of the default cache are destroyed by kinit.

       -S service_name
              specify an alternate service name to use when getting initial tickets.

       -X attribute[=value]
              specify  a pre-authentication attribute and value to be interpreted by pre-authentication modules.
              The acceptable attribute and value values  vary  from  module  to  module.   This  option  may  be
              specified  multiple times to specify multiple attributes.  If no value is specified, it is assumed
              to be "yes".

              The following attributes are recognized by the PKINIT pre-authentication mechanism:

              X509_user_identity=value
                     specify where to find user's X509 identity information

              X509_anchors=value
                     specify where to find trusted X509 anchor information

              flag_RSA_PROTOCOL[=yes]
                     specify use of RSA, rather than the default Diffie-Hellman protocol


ENVIRONMENT
       kinit uses the following environment variables:

       KRB5CCNAME
              Location of the default Kerberos 5 credentials cache, in  the  form  type:residual.   If  no  type
              prefix  is  present,  the  FILE  type is assumed.  The type of the default cache may determine the
              availability of a cache collection; for instance, a default cache of type DIR causes caches within
              the directory to be present in the collection.


FILES
       FILE:/tmp/krb5cc_%{uid}
              default location of Kerberos 5 credentials cache

       FILE:/etc/krb5.keytab
              default location for the local host's keytab.


SEE ALSO
       klist(1), kdestroy(1), kerberos(1)


AUTHOR
       MIT


COPYRIGHT
       1985-2017, MIT