HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 3 Kerberos Client Programs

User Client Programs

 » Table of Contents

 » Glossary

 » Index

This section describes the user client programs kinit, klist, kdestroy, and kpasswd.

kinit

The kinit program allows the user to obtain and cache a Kerberos ticket-granting ticket. A Kerberos principal name must have already been created for the user, or another pre-existing principal must be specified.

The kinit program optionally uses the logical name KRB5CCNAME to specify the location and name of the credentials (ticket) cache. The default location for the credentials cache is in the [.KRB.<nodename>] subdirectory of the user’s login directory. The default name of the credentials cache is KRB5CC_xxxxxx.; where xxxxxx is a randomly generated numeric string.

SYNOPSIS

kinit 

[-5] [-4] [-V] [-l lifetime] [-s start_time] [-r renewable_life][-p] [-P] [-f] [-F] [-A] [-v] [-R] [-k [-t keytab_file]] [-c cache_name] [-S service_name] [principal]

OPTIONS

-5 

Get Kerberos 5 tickets, overriding the default built-in behavior. This option may be used with -4.

-4 

Get Kerberos 4 tickets, overriding the default built-in behavior. This option may be used with -5.

-V 

Display verbose output.

-l lifetime 

Request a ticket whose lifetime is specified by lifetime. The value for lifetime must be followed immediately by one of the following delimiters:

  • s seconds

  • m minutes

  • h hours

  • d days

For example:

kinit -l 90m
You cannot mix units; a value of 30h30m will result in an error.

If the -l option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) results in a ticket with the maximum lifetime.

-s start_time 

Request a postdated ticket, valid starting at start_time. Postdated tickets are issued with the invalid flag set, and need to be fed back to the KDC before use.

-r renewable_life  

Request renewable tickets, with a total lifetime of renewable_life. The duration is the same format as the -l option, with the same delimiters. (Not applicable to Kerberos 4.)

-f 

Request tickets that can be forwarded to another system. (Not applicable to Kerberos 4.)

-F 

Do not request forwardable tickets. (Not applicable to Kerberos 4.)

-p 

Request proxiable tickets. (Not applicable to Kerberos 4.)

-P 

Do not request proxiable tickets. (Not applicable to Kerberos 4.)

-A 

Request address-less tickets. (Not applicable to Kerberos 4.)

-v 

Request that the ticket granting ticket in the cache (with the invalid option set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket. (Not applicable to Kerberos 4.)

-R 

Request renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. When using this option with Kerberos 4, the KDC must support Kerberos 5 to Kerberos 4 ticket conversion.

-k [-t keytab_file]  

Request a host ticket, obtained from a key in the local host’s keytab file. The name and location of the keytab file may be specified with the -t keytab_file option; otherwise the default name and location will be used. When using this option with Kerberos 4, the KDC must support Kerberos 5 to Kerberos 4 ticket conversion.

-c cache_name  

Use cache_name as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used.

The default credentials cache may vary between systems. If the KRB5CCNAME logical name is set, its value is used to name the default ticket cache. Any existing contents of the cache are destroyed by kinit. (Not applicable to Kerberos 4).

-S service_name  

Specify an alternate service name to use when getting initial tickets.

klist

The klist program allows the user to display information about their cached Kerberos tickets. (Applicable to Kerberos 5, or to Kerberos 4 ticket conversion if you use both Kerberos 5 and Kerberos 4 with a KDC that supports Kerberos 5.)

SYNOPSIS

klist 

[-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] [-k [-t] [-K]][ cache_name | keytab_name ]

OPTIONS

-5 

List Kerberos 5 credentials. This overrides whatever the default built-in behavior may be. This option may be used with -4.

-4 

List Kerberos 4 credentials. This overrides whatever the default built-in behavior may be. This option may be used with -5.

-e 

Display the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file.

-c 

List the tickets held in a credentials cache. This is the default if neither -c nor -k is specified.

-f 

Show the options present in the credentials. Possible options are as follows:

  • A Pre-authenticated

  • a anonymous

  • D postDateable

  • d postdated

  • F Forwardable

  • f forwarded

  • H Hardware authenticated

  • I Initial

  • i invalid

  • O OK as delegate

  • P Proxiable

  • p proxy

  • R Renewable

  • T Transit policy checked

-s 

Cause klist to run silently (produce no output) but to still set the exit status according to whether it finds the credential cache. The exit status is SS$_NORMAL if klist finds a credentials cache.

-a 

Display list of addresses in credentials.

-n 

Show numeric addresses instead of reverse-resolving addresses.

-k 

List the keys held in a keytab file.

-t 

Display the time entry timestamps for each keytab entry in the keytab file.

-K 

Display the value of the encryption key in each keytab entry in the keytab file.

If cache_name or keytab_name is not specified, klist will display the credentials in the default credentials cache or keytab file as appropriate. If the KRB5CCNAME logical name is set, its value will be used to name the default ticket cache.

kdestroy

The kdestroy program destroys the user’s active Kerberos authorization tickets by writing zeros to the specified credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed. The default behavior is to destroy both Kerberos 5 and Kerberos 4 credentials.

SYNOPSIS

kdestroy 

[-5] [-4] [-q] [ -c cache_name]

OPTIONS

-5 

Destroy Kerberos 5 credentials. This option may be used with -4.

-4 

Destroy Kerberos 4 credentials. This option may be used with -5.

-q 

Quiet mode. Normally, kdestroy beeps if it fails to destroy the user’s tickets, in addition to issuing an error message. The -q option suppresses the beep, and only an error is issued.

-c cache_name 

Use cache_name as the credentials (ticket) cache name and location. If this option is not used, the default cache name and location are used.

If the KRB5CCNAME logical name is set, its value is used to name the default ticket cache.

HP recommends that you place the kdestroy command in a logout command file, so that your tickets are destroyed automatically when you log out.

kpasswd

The kpasswd program is used to change a Kerberos principal’s password. The kpasswd program prompts for the current Kerberos password, which is used to obtain a changepw ticket from the KDC for the user’s Kerberos realm. If kpasswd successfully obtains the changepw ticket, the user is prompted twice for the new password, and the password is changed.

If the principal is governed by a policy that specifies the length or number of character classes required in the new password, the new password must conform to the policy. (The five-character classes are: lowercase, uppercase, numbers, punctuation, and all other characters.)

SYNOPSIS

kpasswd 

[principal]

OPTIONS

principal 

Change the password for the Kerberos principal specified by principal. Otherwise, the principal is derived from the identity of the user invoking the kpasswd command.