Kinit Command Reference
Obtain Kerberos Ticket Granting Ticket (TGT)
The kinit command is a fundamental utility in Kerberos environments used to obtain and cache an initial ticket-granting ticket (TGT). This TGT is essential for authenticating to Kerberos services. Understanding its various options allows for flexible and secure authentication management.
Understanding kinit Options
kinit provides several options to customize how you obtain and manage your Kerberos tickets:
- Default Principal: Running `kinit` without arguments typically prompts for the principal's password and obtains a TGT for the default principal.
- Specific Principal: Use `kinit username@REALM` to specify a different user principal and realm for authentication.
- Credentials Cache: The `-c /path/to/credentials_cache` option allows you to specify a custom location for storing the Kerberos credentials cache.
- Ticket Lifetime: Control the duration of the obtained ticket with the `-l duration` flag (e.g., `-l 10h` for 10 hours).
- Renewable Tickets: The `-r duration` option sets the maximum lifetime for ticket renewal (e.g., `-r 7d` for 7 days).
- Keytab Authentication: For automated processes or services, use `-k -t /path/to/keytab_file` to authenticate using a keytab file instead of a password.
- Password File: Securely provide a password from a file using input redirection: `kinit < username.passfile` (the file holds the password in clear text, so restrict its permissions to the owner).
- Silent Operation: The `-s` flag attempts to obtain tickets silently, which is useful in scripting scenarios where interactive password prompts are not feasible.
- Verification: Combine `kinit` with `klist -s` (e.g., `kinit && klist -s`) to obtain a ticket and immediately verify its presence in the cache.
Example Usage Scenarios
Here are common ways to use the kinit command:
```shell
# Obtain an initial ticket-granting ticket for the default principal
kinit

# Obtain a ticket for a specific principal (e.g., 'user1' in 'MY.REALM')
kinit user1@MY.REALM

# Specify a different cache file for the ticket
kinit -c /tmp/my_krb5cc_file

# Obtain a ticket with a specific lifetime (e.g., 8 hours)
kinit -l 8h

# Obtain a renewable ticket with a specific renewal lifetime (e.g., 3 days)
kinit -r 3d

# Use a specific keytab file to authenticate (e.g., for a service account)
kinit -k -t /etc/krb5.keytab

# Use a password from a file instead of prompting (ensure file permissions are secure)
kinit < /etc/secure/my_password.txt

# Obtain tickets silently (useful for cron jobs or automated scripts)
kinit -s

# Obtain a ticket and immediately verify its existence
kinit && klist -s
```
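The keytab, lifetime, renewal and verification options above are what an automated job combines in practice: check the cache first, renew the TGT while it is still inside its renewable window, and only go back to the keytab when renewal is no longer possible. The following Python helper is an added example written for this page; it is not part of MIT Kerberos or any kinit implementation. It assumes the table layout printed by MIT `klist` (an `Expires` column followed by an optional `renew until` line) and uses a constructed sample of that output; `kinit -R` is the standard MIT flag that renews an existing ticket.

```python
"""Decide whether a cached TGT is usable, renewable with `kinit -R`, or must be
re-obtained from a keytab with `kinit -k -t`, then build the kinit argv.

Added example for the kinit reference; not MIT Kerberos code. Assumes the
MIT klist text format and its mm/dd/yyyy timestamps (locale dependent).
"""
from __future__ import annotations

import re
import subprocess
from datetime import datetime, timedelta
from typing import List, Optional

# Timestamp format used by MIT klist on a typical Linux locale (assumption).
KLIST_TIME = "%m/%d/%Y %H:%M:%S"

# One ticket row: "<valid starting>  <expires>  <service principal>"
TICKET_ROW = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
# Renewable tickets carry an indented "renew until <timestamp>" line.
RENEW_ROW = re.compile(r"^\s*renew until (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")

# Constructed sample of `klist` output for a service account (not real data).
SAMPLE_KLIST = (
    "Ticket cache: FILE:/tmp/krb5cc_1000\n"
    "Default principal: svc-backup@MY.REALM\n"
    "\n"
    "Valid starting       Expires              Service principal\n"
    "01/01/2024 10:00:00  01/01/2024 18:00:00  krbtgt/MY.REALM@MY.REALM\n"
    "\trenew until 01/04/2024 10:00:00\n"
)


def parse_tgt(klist_output: str) -> Optional[dict]:
    """Return {'expires': datetime, 'renew_until': datetime|None} for the
    krbtgt entry, or None when the cache holds no TGT."""
    tgt = None
    last_row_was_tgt = False
    for line in klist_output.splitlines():
        row = TICKET_ROW.match(line)
        if row:
            last_row_was_tgt = row.group(3).startswith("krbtgt/")
            if last_row_was_tgt:
                tgt = {"expires": datetime.strptime(row.group(2), KLIST_TIME),
                       "renew_until": None}
            continue
        renew = RENEW_ROW.match(line)
        if renew and last_row_was_tgt and tgt is not None:
            tgt["renew_until"] = datetime.strptime(renew.group(1), KLIST_TIME)
            last_row_was_tgt = False
    return tgt


def decide(klist_output: str, now: datetime,
           margin: timedelta = timedelta(minutes=10)) -> str:
    """'ok' if the TGT outlives now+margin, 'renew' if it is about to expire
    but its renewable window is still open, otherwise 'reauth'."""
    tgt = parse_tgt(klist_output)
    if tgt is None or tgt["expires"] <= now:
        return "reauth"          # no TGT, or already expired: -R cannot help
    if tgt["expires"] > now + margin:
        return "ok"
    renew_until = tgt["renew_until"]
    if renew_until is not None and renew_until > now + margin:
        return "renew"
    return "reauth"


def kinit_argv(action: str, principal: str, keytab: str, lifetime: str = "8h",
               renewable: str = "3d", cache: Optional[str] = None) -> List[str]:
    """Build the kinit command line for the chosen action ([] means nothing to do)."""
    if action == "ok":
        return []
    base = ["kinit"] + (["-c", cache] if cache else [])
    if action == "renew":
        return base + ["-R", principal]
    # Fresh TGT from the keytab, with explicit lifetime and renewable lifetime.
    return base + ["-k", "-t", keytab, "-l", lifetime, "-r", renewable, principal]


if __name__ == "__main__":
    # Live use: inspect the real cache and run the resulting kinit command.
    output = subprocess.run(["klist"], capture_output=True, text=True).stdout
    action = decide(output, datetime.now())
    argv = kinit_argv(action, "svc-backup@MY.REALM", "/etc/krb5.keytab")
    print(action, argv)
    if argv:
        subprocess.run(argv, check=True)
```

The 10-minute margin keeps a long-running job from starting work with a ticket that expires mid-run; widen it to the duration of the job's longest Kerberos-authenticated step.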
Related Kerberos Utilities
While kinit is for obtaining tickets, other Kerberos utilities are crucial for managing and using them:
- `klist`: Displays the tickets currently held in the credentials cache.
- `kdestroy`: Destroys tickets in the credentials cache.
- `kpasswd`: Changes a user's Kerberos password.
For more in-depth information on Kerberos configuration and advanced usage, consult the MIT Kerberos documentation.