Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Node:Obtaining Tickets with kinit, Next:, Previous:Kerberos Ticket Properties, Up:Ticket Management


Obtaining Tickets with kinit

If your site is using the Kerberos V5 login program, you will get Kerberos tickets automatically when you log in. If your site uses a different login program, you may need to explicitly obtain your Kerberos tickets, using the kinit program. Similarly, if your Kerberos tickets expire, use the kinit program to obtain new ones.

To use the kinit program, simply type kinit and then type your password at the prompt. For example, Jennifer (whose username is jennifer) works for Bleep, Inc. (a fictitious company with the domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would type: 

     shell% kinit
     Password for [email protected]: <-- [Type jennifer's password here.]
     shell%

If you type your password incorrectly, kinit will give you the following error message: 

     shell% kinit
     Password for [email protected]: <-- [Type the wrong password here.]
     kinit: Password incorrect
     shell%

and you won't get Kerberos tickets.

Notice that kinit assumes you want tickets for your own username in your default realm. Suppose Jennifer's friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm, EXAMPLE.COM.1 He would type: 

     shell% kinit [email protected]
     Password for [email protected]: <-- [Type david's password here.]
     shell%

David would then have tickets which he could use to log onto his own machine. Note that he typed his password locally on Jennifer's machine, but it never went over the network. Kerberos on the local host performed the authentication to the KDC in the other realm.

If you want to be able to forward your tickets to another host, you need to request forwardable tickets. You do this by specifying the -f option: 

     shell% kinit -f
     Password for [email protected]: <-- [Type your password here.]
     shell%

Note that kinit does not tell you that it obtained forwardable tickets; you can verify this using the klist command (see Viewing Your Tickets with klist).

Normally, your tickets are good for your system's default ticket lifetime, which is ten hours on many systems. You can specify a different ticket lifetime with the -l option. Add the letter s to the value for seconds, m for minutes, h for hours, or d for days. For example, to obtain forwardable tickets for [email protected] that would be good for three hours, you would type: 

     shell% kinit -f -l 3h [email protected]
     Password for [email protected]: <-- [Type david's password here.]
     shell%

You cannot mix units; specifying a lifetime of 3h30m would result in an error. Note also that most systems specify a maximum ticket lifetime. If you request a longer ticket lifetime, it will be automatically truncated to the maximum lifetime.

Footnotes

  1. Note: the realm EXAMPLE.COM must be listed in your computer's Kerberos configuration file, /etc/krb5.conf.


  
 
  © 1985-2006 by the Massachusetts Institute of Technology - Reproduced with permission. Design by Interspire