diff options
author | Cy Schubert <cy@FreeBSD.org> | 2017-07-07 17:03:42 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2017-07-07 17:03:42 +0000 |
commit | 33a9b234e7087f573ef08cd7318c6497ba08b439 (patch) | |
tree | d0ea40ad3bf5463a3c55795977c71bcb7d781b4b /doc/html/user/user_commands/kinit.html | |
download | src-test2-33a9b234e7087f573ef08cd7318c6497ba08b439.tar.gz src-test2-33a9b234e7087f573ef08cd7318c6497ba08b439.zip |
Import MIT KRB5 1.15.1, which will gracefully replace KTH Heimdal.vendor/krb5/1.15.1
The tarball used in this import is the same tarball used in
ports/krb5-115 r435378.
Obtained from: http://web.mit.edu/kerberos/dist/
Thanks to: pfg (for all your tireless behind-the-scenes effort)
Notes
Notes:
svn path=/vendor-crypto/krb5/dist/; revision=320790
svn path=/vendor-crypto/krb5/1.15.1/; revision=320791; tag=vendor/krb5/1.15.1
Diffstat (limited to 'doc/html/user/user_commands/kinit.html')
-rw-r--r-- | doc/html/user/user_commands/kinit.html | 354 |
1 files changed, 354 insertions, 0 deletions
diff --git a/doc/html/user/user_commands/kinit.html b/doc/html/user/user_commands/kinit.html new file mode 100644 index 000000000000..0b877cc2763e --- /dev/null +++ b/doc/html/user/user_commands/kinit.html @@ -0,0 +1,354 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + + <title>kinit — MIT Kerberos Documentation</title> + + <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> + + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../../', + VERSION: '1.15.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true + }; + </script> + <script type="text/javascript" src="../../_static/jquery.js"></script> + <script type="text/javascript" src="../../_static/underscore.js"></script> + <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="copyright" title="Copyright" href="../../copyright.html" /> + <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> + <link rel="up" title="User commands" href="index.html" /> + <link rel="next" title="klist" href="klist.html" /> + <link rel="prev" title="kdestroy" href="kdestroy.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="kdestroy.html" title="kdestroy" + accesskey="P">previous</a> | + <a href="klist.html" title="klist" + accesskey="N">next</a> | + <a href="../../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kinit">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body"> + + <div class="section" id="kinit"> +<span id="kinit-1"></span><h1>kinit<a class="headerlink" href="#kinit" title="Permalink to this headline">¶</a></h1> +<div class="section" id="synopsis"> +<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> +<p><strong>kinit</strong> +[<strong>-V</strong>] +[<strong>-l</strong> <em>lifetime</em>] +[<strong>-s</strong> <em>start_time</em>] +[<strong>-r</strong> <em>renewable_life</em>] +[<strong>-p</strong> | -<strong>P</strong>] +[<strong>-f</strong> | -<strong>F</strong>] +[<strong>-a</strong>] +[<strong>-A</strong>] +[<strong>-C</strong>] +[<strong>-E</strong>] +[<strong>-v</strong>] +[<strong>-R</strong>] +[<strong>-k</strong> [-<strong>t</strong> <em>keytab_file</em>]] +[<strong>-c</strong> <em>cache_name</em>] +[<strong>-n</strong>] +[<strong>-S</strong> <em>service_name</em>] +[<strong>-I</strong> <em>input_ccache</em>] +[<strong>-T</strong> <em>armor_ccache</em>] +[<strong>-X</strong> <em>attribute</em>[=<em>value</em>]] +[<em>principal</em>]</p> +</div> +<div class="section" id="description"> +<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> +<p>kinit obtains and caches an initial ticket-granting ticket for +<em>principal</em>. If <em>principal</em> is absent, kinit chooses an appropriate +principal name based on existing credential cache contents or the +local username of the user invoking kinit. Some options modify the +choice of principal name.</p> +</div> +<div class="section" id="options"> +<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> +<dl class="docutils"> +<dt><strong>-V</strong></dt> +<dd>display verbose output.</dd> +<dt><strong>-l</strong> <em>lifetime</em></dt> +<dd><p class="first">(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Requests a ticket with the lifetime +<em>lifetime</em>.</p> +<p>For example, <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-l</span> <span class="pre">5:30</span></tt> or <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-l</span> <span class="pre">5h30m</span></tt>.</p> +<p class="last">If the <strong>-l</strong> option is not specified, the default ticket lifetime +(configured by each site) is used. Specifying a ticket lifetime +longer than the maximum ticket lifetime (configured by each site) +will not override the configured maximum ticket lifetime.</p> +</dd> +<dt><strong>-s</strong> <em>start_time</em></dt> +<dd><p class="first">(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Requests a postdated ticket. Postdated +tickets are issued with the <strong>invalid</strong> flag set, and need to be +resubmitted to the KDC for validation before use.</p> +<p class="last"><em>start_time</em> specifies the duration of the delay before the ticket +can become valid.</p> +</dd> +<dt><strong>-r</strong> <em>renewable_life</em></dt> +<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Requests renewable tickets, with a total +lifetime of <em>renewable_life</em>.</dd> +<dt><strong>-f</strong></dt> +<dd>requests forwardable tickets.</dd> +<dt><strong>-F</strong></dt> +<dd>requests non-forwardable tickets.</dd> +<dt><strong>-p</strong></dt> +<dd>requests proxiable tickets.</dd> +<dt><strong>-P</strong></dt> +<dd>requests non-proxiable tickets.</dd> +<dt><strong>-a</strong></dt> +<dd>requests tickets restricted to the host’s local address[es].</dd> +<dt><strong>-A</strong></dt> +<dd>requests tickets not restricted by address.</dd> +<dt><strong>-C</strong></dt> +<dd>requests canonicalization of the principal name, and allows the +KDC to reply with a different client principal from the one +requested.</dd> +<dt><strong>-E</strong></dt> +<dd>treats the principal name as an enterprise name (implies the +<strong>-C</strong> option).</dd> +<dt><strong>-v</strong></dt> +<dd>requests that the ticket-granting ticket in the cache (with the +<strong>invalid</strong> flag set) be passed to the KDC for validation. If the +ticket is within its requested time range, the cache is replaced +with the validated ticket.</dd> +<dt><strong>-R</strong></dt> +<dd><p class="first">requests renewal of the ticket-granting ticket. Note that an +expired ticket cannot be renewed, even if the ticket is still +within its renewable life.</p> +<p class="last">Note that renewable tickets that have expired as reported by +<a class="reference internal" href="klist.html#klist-1"><em>klist</em></a> may sometimes be renewed using this option, +because the KDC applies a grace period to account for client-KDC +clock skew. See <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> <strong>clockskew</strong> setting.</p> +</dd> +<dt><strong>-k</strong> [<strong>-i</strong> | <strong>-t</strong> <em>keytab_file</em>]</dt> +<dd>requests a ticket, obtained from a key in the local host’s keytab. +The location of the keytab may be specified with the <strong>-t</strong> +<em>keytab_file</em> option, or with the <strong>-i</strong> option to specify the use +of the default client keytab; otherwise the default keytab will be +used. By default, a host ticket for the local host is requested, +but any principal may be specified. On a KDC, the special keytab +location <tt class="docutils literal"><span class="pre">KDB:</span></tt> can be used to indicate that kinit should open +the KDC database and look up the key directly. This permits an +administrator to obtain tickets as any principal that supports +authentication based on the key.</dd> +<dt><strong>-n</strong></dt> +<dd><p class="first">Requests anonymous processing. Two types of anonymous principals +are supported.</p> +<p>For fully anonymous Kerberos, configure pkinit on the KDC and +configure <strong>pkinit_anchors</strong> in the client’s <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. +Then use the <strong>-n</strong> option with a principal of the form <tt class="docutils literal"><span class="pre">@REALM</span></tt> +(an empty principal name followed by the at-sign and a realm +name). If permitted by the KDC, an anonymous ticket will be +returned.</p> +<p>A second form of anonymous tickets is supported; these +realm-exposed tickets hide the identity of the client but not the +client’s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-n</span></tt> with a normal +principal name. If supported by the KDC, the principal (but not +realm) will be replaced by the anonymous principal.</p> +<p class="last">As of release 1.8, the MIT Kerberos KDC only supports fully +anonymous operation.</p> +</dd> +</dl> +<p><strong>-I</strong> <em>input_ccache</em></p> +<blockquote> +<div>Specifies the name of a credentials cache that already contains a +ticket. When obtaining that ticket, if information about how that +ticket was obtained was also stored to the cache, that information +will be used to affect how new credentials are obtained, including +preselecting the same methods of authenticating to the KDC.</div></blockquote> +<dl class="docutils"> +<dt><strong>-T</strong> <em>armor_ccache</em></dt> +<dd>Specifies the name of a credentials cache that already contains a +ticket. If supported by the KDC, this cache will be used to armor +the request, preventing offline dictionary attacks and allowing +the use of additional preauthentication mechanisms. Armoring also +makes sure that the response from the KDC is not modified in +transit.</dd> +<dt><strong>-c</strong> <em>cache_name</em></dt> +<dd><p class="first">use <em>cache_name</em> as the Kerberos 5 credentials (ticket) cache +location. If this option is not used, the default cache location +is used.</p> +<p class="last">The default cache location may vary between systems. If the +<strong>KRB5CCNAME</strong> environment variable is set, its value is used to +locate the default cache. If a principal name is specified and +the type of the default cache supports a collection (such as the +DIR type), an existing cache containing credentials for the +principal is selected or a new one is created and becomes the new +primary cache. Otherwise, any existing contents of the default +cache are destroyed by kinit.</p> +</dd> +<dt><strong>-S</strong> <em>service_name</em></dt> +<dd>specify an alternate service name to use when getting initial +tickets.</dd> +<dt><strong>-X</strong> <em>attribute</em>[=<em>value</em>]</dt> +<dd><p class="first">specify a pre-authentication <em>attribute</em> and <em>value</em> to be +interpreted by pre-authentication modules. The acceptable +attribute and value values vary from module to module. This +option may be specified multiple times to specify multiple +attributes. If no value is specified, it is assumed to be “yes”.</p> +<p>The following attributes are recognized by the PKINIT +pre-authentication mechanism:</p> +<dl class="last docutils"> +<dt><strong>X509_user_identity</strong>=<em>value</em></dt> +<dd>specify where to find user’s X509 identity information</dd> +<dt><strong>X509_anchors</strong>=<em>value</em></dt> +<dd>specify where to find trusted X509 anchor information</dd> +<dt><strong>flag_RSA_PROTOCOL</strong>[<strong>=yes</strong>]</dt> +<dd>specify use of RSA, rather than the default Diffie-Hellman +protocol</dd> +</dl> +</dd> +</dl> +</div> +<div class="section" id="environment"> +<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> +<p>kinit uses the following environment variables:</p> +<dl class="docutils"> +<dt><strong>KRB5CCNAME</strong></dt> +<dd>Location of the default Kerberos 5 credentials cache, in the form +<em>type</em>:<em>residual</em>. If no <em>type</em> prefix is present, the <strong>FILE</strong> +type is assumed. The type of the default cache may determine the +availability of a cache collection; for instance, a default cache +of type <strong>DIR</strong> causes caches within the directory to be present +in the collection.</dd> +</dl> +</div> +<div class="section" id="files"> +<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> +<dl class="docutils"> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a></dt> +<dd>default location of Kerberos 5 credentials cache</dd> +<dt><a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a></dt> +<dd>default location for the local host’s keytab.</dd> +</dl> +</div> +<div class="section" id="see-also"> +<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> +<p><a class="reference internal" href="klist.html#klist-1"><em>klist</em></a>, <a class="reference internal" href="kdestroy.html#kdestroy-1"><em>kdestroy</em></a>, kerberos(1)</p> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">kinit</a><ul> +<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li> +<li><a class="reference internal" href="#description">DESCRIPTION</a></li> +<li><a class="reference internal" href="#options">OPTIONS</a></li> +<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li> +<li><a class="reference internal" href="#files">FILES</a></li> +<li><a class="reference internal" href="#see-also">SEE ALSO</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For users</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="../pwd_mgmt.html">Password management</a></li> +<li class="toctree-l2"><a class="reference internal" href="../tkt_mgmt.html">Ticket management</a></li> +<li class="toctree-l2"><a class="reference internal" href="../user_config/index.html">User config files</a></li> +<li class="toctree-l2 current"><a class="reference internal" href="index.html">User commands</a><ul class="current"> +<li class="toctree-l3"><a class="reference internal" href="kdestroy.html">kdestroy</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="">kinit</a></li> +<li class="toctree-l3"><a class="reference internal" href="klist.html">klist</a></li> +<li class="toctree-l3"><a class="reference internal" href="kpasswd.html">kpasswd</a></li> +<li class="toctree-l3"><a class="reference internal" href="krb5-config.html">krb5-config</a></li> +<li class="toctree-l3"><a class="reference internal" href="ksu.html">ksu</a></li> +<li class="toctree-l3"><a class="reference internal" href="kswitch.html">kswitch</a></li> +<li class="toctree-l3"><a class="reference internal" href="kvno.html">kvno</a></li> +<li class="toctree-l3"><a class="reference internal" href="sclient.html">sclient</a></li> +</ul> +</li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../../admin/index.html">For administrators</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.15.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + </div> + <div class="left"> + + <a href="../../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="kdestroy.html" title="kdestroy" + >previous</a> | + <a href="klist.html" title="klist" + >next</a> | + <a href="../../genindex.html" title="General Index" + >index</a> | + <a href="../../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kinit">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file |