kvno - print key version numbers of Kerberos principals

Author

MIT

Copyright

       1985-2024, MIT

1.21.3                                                                                                   KVNO(1)

Description

       kvno acquires a service ticket for the specified Kerberos principals  and  prints  out  the  key  version
       numbers of each.

Environment

       See kerberos(7) for a description of Kerberos environment variables.

Files

FILE:/tmp/krb5cc_%{uid}
              Default location of the credentials cache

Name

       kvno - print key version numbers of Kerberos principals

Options

-cccache
Specifies the name of a credentials cache to use (if not the default)

-eetype
Specifies the enctype which will be requested for the session key of all the services named on the
command line. This is useful in certain backward compatibility situations.

-kkeytab
Decrypt the acquired tickets using keytab to confirm their validity.

-q Suppress printing output when successful. If a service ticket cannot be obtained, an error
message will still be printed and kvno will exit with nonzero status.

-u Use the unknown name type in requested service principal names. This option Cannot be used with
-S.

-P Specifies that the service1service2 ... arguments are to be treated as services for which
credentials should be acquired using constrained delegation. This option is only valid when used
in conjunction with protocol transition.

-Ssname
Specifies that the service1service2 ... arguments are interpreted as hostnames, and the service
principals are to be constructed from those hostnames and the service name sname. The service
hostnames will be canonicalized according to the usual rules for constructing service principals.

-Ifor_user
Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of
for_user. If constrained delegation is not requested, the service name must match the credentials
cache client principal.

-Ufor_user
Same as -I, but treats for_user as an enterprise name.

-Fcert_file
Specifies that protocol transition is to be used, identifying the client principal with the X.509
certificate in cert_file. The certificate file must be in PEM format.

--cached-only
Only retrieve credentials already present in the cache, not from the KDC. (Added in release
1.19.)

--no-store
Do not store retrieved credentials in the cache. If --out-cache is also specified, credentials
will still be stored into the output credential cache. (Added in release 1.19.)

--out-cacheccache
Initialize ccache and store all retrieved credentials into it. Do not store acquired credentials
in the input cache. (Added in release 1.19.)

--u2uccache
Requests a user-to-user ticket. ccache must contain a local krbtgt ticket for the server
principal. The reported version number will typically be 0, as the resulting ticket is not
encrypted in the server's long-term key.

Synopsis

kvno  [-cccache]  [-eetype]  [-kkeytab]  [-q]  [-u  |  -Ssname] [-P] [--cached-only] [--no-store]
       [--out-cachecache] [[{-Fcert_file | {-I | -U} for_user} [-P]] | --u2uccache] service1service2 ...