LinuxCommandLibrary

kinit

Obtain Kerberos ticket-granting ticket

TLDR

Authenticate a user and obtain a ticket-granting ticket

$ kinit [username]

Renew a ticket-granting ticket
$ kinit -R

Specify a lifetime for the ticket
$ kinit -l [5h]

Specify a total renewable lifetime for the ticket
$ kinit -r [1w]

Specify a different principal name to authenticate as
$ kinit -p [principal@REALM]

Specify a different keytab file to authenticate with
$ kinit -t [path/to/keytab]

SYNOPSIS

kinit [options] [principal[@REALM]] [keytab_file]

PARAMETERS

-A, --forwardable
    request forwardable ticket

-a, --noaddresses
    request ticket without address

-C, --canonicalize
    canonicalize principal name

-c CCACHE, --cache=CCACHE
    credentials cache name/location

-f, --forwardable
    alias for -A, forwardable ticket

-F, --no-forwardable
    non-forwardable ticket

-k, --use-keytab
    use keytab instead of password

-K, --renewable
    renew TGT if possible

-l lifetime, --lifetime=lifetime
    ticket lifetime (e.g., 10h)

-n, --anonymous
    request anonymous ticket

-p, --proxiable
    request proxiable ticket

-R, --renew
    renew existing TGT

-r time, --renewable-life=time
    renewable ticket lifetime

-S service, --service-name=service
    service principal name

-t FILE, --keytab=FILE
    keytab file with -k

-T, --tickets
    alias for -t, start ticket acquisition

-V, --version
    print version info

DESCRIPTION

kinit is a command-line tool from the Kerberos authentication system (krb5) used to request and cache an initial ticket-granting ticket (TGT) from a Key Distribution Center (KDC). It authenticates a user or service by prompting for a password or by reading a keytab file, then stores the ticket in a credentials cache (default: /tmp/krb5cc_<uid>).

This enables single sign-on (SSO) for Kerberos-secured services such as SSH (GSSAPI), NFSv4, Hadoop, or HPC clusters; without a TGT, access is denied. Run kinit username@REALM to start; processes launched from that shell use the same credentials cache, so the ticket is available to them.

Options control ticket properties (lifetime, forwardability, renewability), the cache location, and the service principal. For automation, use -k -t keytab so that no password prompt is needed. Tickets expire (default 10 hours, renewable for up to 1 day), after which kinit must be re-run, or they can be renewed before expiry with kinit -R. Integrates with PAM so that a ticket can be obtained at login.

Requires the krb5-user package and a valid /etc/krb5.conf. View cached tickets with klist and destroy them with kdestroy. Essential in enterprise environments that use Kerberos for secure, password-free access to services.

CAVEATS

Requires a configured /etc/krb5.conf and a reachable KDC. Password prompts are not script-friendly without tools such as expect; use a keytab (-k -t) for unattended use. Tickets are bound to the requesting host and user; sharing a credentials cache is insecure. Pre-1.20 versions lack some options, and short option letters differ between the MIT krb5 and Heimdal implementations, so check kinit(1) for the installed version.

DEFAULT CACHE

/tmp/krb5cc_<uid>; set KRB5CCNAME env var to override.

ENVIRONMENT VARS

KRB5CCNAME (cache), KRB5_CONFIG (config file), KRB5_KTNAME (keytab).
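The DESCRIPTION above says tickets expire after the default lifetime, can be renewed with kinit -R only while still valid and within their renewable life, and that automation should use a keytab (-k -t); the DEFAULT CACHE and ENVIRONMENT VARS sections add that KRB5CCNAME selects the cache. The following script, an added example and not code from this page or from the krb5 project, ties those together: it parses klist output to find the cached TGT's expiry and "renew until" times, decides whether to do nothing, renew, or re-acquire from a keytab, and runs the matching kinit command with KRB5CCNAME set. It assumes the MIT krb5 klist output format (mm/dd/yyyy HH:MM:SS timestamps with a "renew until" line under renewable tickets); the sample klist output, the 15-minute safety margin, and the principal/keytab values are constructed for illustration.

```python
"""Decide whether a cached Kerberos TGT is fine, should be renewed (kinit -R),
or must be re-acquired from a keytab (kinit -k -t), then act on it.

Added example; not from the kinit page or the krb5 project.  Assumes MIT krb5
`klist` output (mm/dd/yyyy HH:MM:SS timestamps, a "renew until" line directly
under renewable tickets)."""
import os
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of `klist` output in MIT format; not captured from a real system.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
05/14/2024 09:00:00  05/14/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/15/2024 09:00:00
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
# The TGT line: valid-from, expires, then the krbtgt/REALM@REALM service principal.
TGT_RE = re.compile(rf"^({_TS})\s+({_TS})\s+krbtgt/\S+$", re.MULTILINE)
RENEW_RE = re.compile(rf"renew until ({_TS})")


def parse_tgt(klist_output):
    """Return (expires, renew_until) for the cached TGT, or None if no TGT is cached.
    renew_until is None when the ticket was not requested renewable (-r)."""
    m = TGT_RE.search(klist_output)
    if m is None:
        return None
    expires = datetime.strptime(m.group(2), TIME_FMT)
    # A "renew until" line, if present, immediately follows the ticket's own line.
    following = klist_output[m.end():].lstrip()
    r = RENEW_RE.match(following)
    renew_until = datetime.strptime(r.group(1), TIME_FMT) if r else None
    return expires, renew_until


def decide(klist_output, now, margin=timedelta(minutes=15)):
    """Return "ok", "renew" or "reacquire" for the cache state at time `now`.

    kinit -R only succeeds while the current ticket is still valid and its
    renewable lifetime has not run out; anything past expiry or past
    "renew until" needs a fresh kinit.  `margin` (constructed default) keeps
    us from cutting it too close to expiry."""
    tgt = parse_tgt(klist_output)
    if tgt is None:
        return "reacquire"
    expires, renew_until = tgt
    if expires - now > margin:
        return "ok"
    if now < expires and renew_until is not None and renew_until - now > margin:
        return "renew"
    return "reacquire"


def refresh(principal, keytab, ccache=None, now=None):
    """Inspect the cache with klist and run the chosen kinit; returns the action.
    Setting KRB5CCNAME scopes both commands to one specific credentials cache."""
    env = dict(os.environ)
    if ccache:
        env["KRB5CCNAME"] = ccache
    # klist exits non-zero and reports to stderr when no cache exists; stdout is then empty.
    out = subprocess.run(["klist"], capture_output=True, text=True, env=env).stdout
    action = decide(out, now or datetime.now())
    if action == "renew":
        subprocess.run(["kinit", "-R"], check=True, env=env)
    elif action == "reacquire":
        subprocess.run(["kinit", "-k", "-t", keytab, principal], check=True, env=env)
    return action


def demo():
    """Decisions for the constructed sample cache at several constructed clock times."""
    return {
        "midday": decide(SAMPLE_KLIST, datetime(2024, 5, 14, 12, 0, 0)),
        "ten_min_left": decide(SAMPLE_KLIST, datetime(2024, 5, 14, 18, 50, 0)),
        "expired": decide(SAMPLE_KLIST, datetime(2024, 5, 14, 19, 30, 0)),
        "no_cache": decide("", datetime(2024, 5, 14, 12, 0, 0)),
    }


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label}: {action}")
    # Real use on a host with krb5 installed (placeholder principal and keytab path):
    # refresh("svc-backup@EXAMPLE.COM", "/etc/krb5.keytab", ccache="FILE:/run/svc-backup/krb5cc")
```

A service-account cron job would call refresh() shortly before each run; because the decision is driven by what klist reports rather than by a fixed schedule, a shortened ticket lifetime or a cache that was kdestroy'ed out from under the job is handled by falling back to the keytab instead of failing with an expired ticket.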

HISTORY

Developed as part of MIT Kerberos 5 (krb5), first released in 1993. Evolved from Project Athena; now standard in Linux distributions via Heimdal or MIT packages. Key enhancements in krb5 1.10+ for keytabs and PKINIT; widely used since the 2000s in enterprise Unix/Linux environments.

SEE ALSO

klist(1), kdestroy(1), kpasswd(1), ktutil(1), krb5.conf(5)
