Obtaining Tickets with kinit
If your site is using the Kerberos V5 login program, you will get
Kerberos tickets automatically when you log in. If your site uses a
different login program, you may need to explicitly obtain your Kerberos
tickets, using the kinit
program. Similarly, if your Kerberos
tickets expire, use the kinit
program to obtain new ones.
To use the kinit
program, simply type kinit and then type
your password at the prompt. For example, Jennifer (whose username is
jennifer
) works for Bleep, Inc. (a fictitious company
with the domain name mit.edu
and the Kerberos realm
ATHENA.MIT.EDU
). She would type:
shell% kinit
Password for [email protected]: <-- [Type jennifer's password here.]
shell%
If you type your password incorrectly, kinit will give you the following
error message:
shell% kinit
Password for [email protected]: <-- [Type the wrong password here.]
kinit: Password incorrect
shell%
and you won't get Kerberos tickets.
Notice that kinit
assumes you want tickets for your own
username in your default realm.
Suppose Jennifer's friend David is visiting, and he wants to borrow a
window to check his mail. David needs to get tickets for himself in his
own realm, EXAMPLE.COM.1 He would type:
shell% kinit [email protected]
Password for [email protected]: <-- [Type david's password here.]
shell%
David would then have tickets which he could use to log onto
his own machine. Note that he typed his password locally on Jennifer's
machine, but it never went over the network. Kerberos on the local host
performed the authentication to the KDC in the other realm.
If you want to be able to forward your tickets to another host, you need
to request forwardable tickets. You do this by specifying the
-f option:
shell% kinit -f
Password for [email protected]: <-- [Type your password here.]
shell%
Note that kinit
does not tell you that it obtained forwardable
tickets; you can verify this using the klist
command
(see Viewing Your Tickets with klist).
Normally, your tickets are good for your system's default ticket
lifetime, which is ten hours on many systems. You can specify a
different ticket lifetime with the -l
option. Add the letter
s
to the value for seconds, m
for minutes, h
for
hours, or d
for days.
For example, to obtain forwardable tickets for
[email protected]
that would be good for
three hours, you would type:
shell% kinit -f -l 3h [email protected]
Password for [email protected]: <-- [Type david's password here.]
shell%
You cannot mix units; specifying a lifetime of 3h30m
would result
in an error. Note also that most systems specify a maximum ticket
lifetime. If you request a longer ticket lifetime, it will be
automatically truncated to the maximum lifetime.