kinit
Obtain Kerberos ticket-granting ticket
TLDR
Authenticate a user and obtain a ticket-granting ticket
Renew a ticket-granting ticket
Specify a lifetime for the ticket
Specify a total renewable lifetime for the ticket
Specify a different principal name to authenticate as
Specify a different keytab file to authenticate with
SYNOPSIS
kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P] [-f | -F] [-A] [-v] [-R] [-k [-t keytab_file]] [-c cache_name] [principal]
PARAMETERS
-A
Do not include addresses in the ticket. This can be useful in environments where your IP address frequently changes (e.g., VPN).
-f
Request a forwardable ticket. A forwardable TGT can be delegated to another host (for example by ssh with GSSAPI credential delegation enabled), so that host can obtain tickets as you for multi-hop access. Delegate only to hosts you trust: a compromised host holding your forwarded TGT can act as you until the ticket expires.
-F
Do not request a forwardable ticket. When neither -f nor -F is given, the default comes from the forwardable setting in the [libdefaults] section of krb5.conf, not from a fixed built-in.
-p
Request a proxiable ticket. A proxiable TGT lets another host obtain service tickets on the principal's behalf (proxy tickets for specific services), but not a new TGT; a forwardable ticket allows the latter as well.
-P
Do not request a proxiable ticket. When neither -p nor -P is given, the default comes from the proxiable setting in the [libdefaults] section of krb5.conf.
-R
Renew the TGT already in the credentials cache instead of authenticating again; no password or keytab is needed. This works only if that TGT was issued as renewable (see -r), its renewable lifetime has not run out, and the ticket itself has not yet expired: an expired ticket cannot be renewed even inside its renewable window.
-v
Validate the TGT in the credentials cache by sending it to the KDC. This is required before a postdated ticket requested with -s can be used; if the KDC accepts it, the cached ticket is replaced by the validated one. (This option is not verbose output; that is -V.)
-V
Be verbose. Display more information during the authentication process.
-l lifetime
Request a ticket lifetime. Durations are written as, for example, 12h (12 hours), 3d (3 days) or 1d12h. The KDC caps the value at its configured maximum ticket lifetime and at the principal's own limit, so check the lifetime actually granted with klist rather than assuming the requested one.
-s start_time
Request a postdated ticket that becomes valid at start_time rather than immediately. The ticket is issued with the invalid flag set and must be validated with kinit -v once the start time has passed.
-r renewable_life
Request a renewable ticket with the given total renewable lifetime (same duration syntax as -l). Within that window the TGT can be extended with kinit -R without re-entering a password. The KDC caps this at its maximum renewable lifetime, and the principal must be allowed renewable tickets; if either condition is not met the ticket is simply issued non-renewable, so verify the renew-until time with klist.
-k
Use a keytab file for authentication instead of prompting for a password. This is essential for non-interactive use, such as in scripts.
-t keytab_file
Specify the path to the keytab file to be used with the -k option. If omitted, the default keytab (e.g., /etc/krb5.keytab) is used.
-c cache_name
Specify the credentials cache in which to store the TGT, overriding the default. The value is a cache name such as FILE:/tmp/krb5cc_1000 (a bare path is treated as a FILE cache), DIR:/path/to/dir, KEYRING:persistent:1000 or KCM:, depending on which cache types the library supports. Setting the KRB5CCNAME environment variable has the same effect for every Kerberos program in the session.
principal
The Kerberos principal to obtain a ticket for (e.g., user@REALM.COM). If omitted, kinit uses the principal of the existing credentials cache when there is one, and otherwise the local username in the default realm from krb5.conf. Realm names are case-sensitive and conventionally upper-case.
DESCRIPTION
kinit is the command-line tool used to obtain and cache a Kerberos ticket-granting ticket (TGT). The TGT is the result of the initial authentication to the Kerberos Key Distribution Center (KDC); a client holding it can ask the KDC's ticket-granting service for tickets to individual services without presenting the password again.
When invoked, kinit prompts for the password of the Kerberos principal (nothing is typed back to the terminal). If the KDC accepts the authentication, the TGT is stored in the default credentials cache. Kerberos-aware applications (ssh, scp and ftp with GSSAPI support, among others) then read the TGT from the cache and use it to request service tickets from the KDC, so each network service is accessed without a new password prompt. Anyone who can read the cache while the TGT is valid can use it in exactly the same way, which is why the cache must be readable only by its owner.
Beyond password-based authentication, kinit also supports non-interactive authentication using a keytab file, which is crucial for scripts and automated processes. It can also manage ticket properties like lifetime, renewability, and forwarding capabilities.
CAVEATS
Time Synchronization: Kerberos relies heavily on accurate time synchronization. A significant clock skew (typically more than 5 minutes) between the client, KDC, and services can prevent successful authentication, resulting in 'Clock skew too great' errors.
Password Security: kinit does not echo the password it prompts for, and a password typed at the prompt is not recorded in shell history. What does expose it is supplying it from a script or command line (for example by piping echo output into kinit), which records it in shell history and can reveal it in the process list or a core dump. For automated processes, authenticate with a keytab (kinit -k -t keytab_file principal) instead of a stored password.
Firewall Considerations: Ensure that network firewalls allow communication on standard Kerberos ports (UDP/TCP 88 for KDC, UDP/TCP 464 for password changes) to reach the Kerberos Key Distribution Center.
CREDENTIALS CACHE
The credentials cache is where kinit stores the obtained TGT and where Kerberos-aware applications later store the service tickets they obtain with it; they consult it automatically, which is what avoids repeated password prompts. The default is typically a file named /tmp/krb5cc_<uid>, where <uid> is the user's numeric ID, but kernel-keyring (KEYRING:), directory (DIR:) and daemon-backed (KCM:) caches are also common, depending on the platform and the default_ccache_name setting in krb5.conf. The cache name can be overridden for a whole session with the KRB5CCNAME environment variable or for a single invocation with the -c option; give a service its own private cache so its tickets are neither mixed with nor reachable from an interactive user's session. A file cache must be owned by the user and readable only by them (mode 0600), since whoever can read it holds usable tickets for as long as they remain valid.
KEYTAB FILES
A keytab file (short for 'key table') holds one or more entries, each pairing a Kerberos principal name with that principal's long-term secret key, together with the key version number (kvno) and encryption type. The keys are stored in the clear, not encrypted: a keytab is the service's equivalent of a plaintext password file. It lets kinit (with -k, optionally -t keytab_file) and other Kerberos utilities authenticate to the KDC without human interaction, which is what background processes, cron jobs and service accounts need. Protect it accordingly: owner-only permissions (mode 0600), an owner that is the service account rather than root where possible, and no copies in backups, repositories or container images. Anyone who obtains the file can authenticate as every principal in it until the keys are rotated, so rotate the keys (issuing a new kvno) if exposure is suspected, and check with klist -k -t -e that the entries use modern encryption types such as AES rather than RC4 or DES.
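To make the point concrete, here is an added example (not code from MIT Kerberos or Heimdal) that parses the version 2 keytab file format both implementations write (magic bytes 0x05 0x02, then length-prefixed entries) and lists every principal, kvno, encryption type and raw key it contains, flagging entries that still use deprecated DES, 3DES or RC4 keys. It also shows the owner-only write the text calls for. The sample keytab, its principal names, timestamps, kvnos and key bytes are constructed inline for illustration; the trailing 32-bit kvno per entry is an assumption that matches what current MIT and Heimdal tools write.

```python
"""Parse and audit a Kerberos keytab (MIT/Heimdal file format version 0x0502).

Added example for this page, not code from the MIT Kerberos sources. It shows what
a keytab holds: principal names and raw long-term keys, with no encryption around
them. The sample keytab is constructed inline; its principals, kvnos and key bytes
are made up for illustration.
"""
import os
import struct

KEYTAB_MAGIC = b"\x05\x02"
# Encryption type numbers from RFC 3961/3962/8009 and RFC 4757 (RC4).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
            23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 16, 23}   # DES, 3DES and RC4: deprecated by RFC 6649 / RFC 8429

def _counted(data, off):
    """Read a uint16 length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n

def parse_keytab(data):
    """Return a list of entry dicts from raw keytab bytes (big-endian, version 2)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)   # v2: realm is not counted
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)  # keyblock: enctype + counted key
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries

def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one keytab entry; used here only to construct the sample keytab."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: an AES entry, a deleted slot (as left by ktremove), and a
# service account that still carries a legacy RC4 key. Key bytes are arbitrary.
SAMPLE_KEYTAB = (KEYTAB_MAGIC
                 + build_entry("host/db1.example.com@EXAMPLE.COM", 3, 18, bytes(range(32)), 1700000000)
                 + struct.pack(">i", -8) + b"\0" * 8
                 + build_entry("svc-backup@EXAMPLE.COM", 7, 23, bytes(range(16)), 1700000000))

def audit_keytab(data):
    """Return (entries, findings); findings lists entries whose key uses a weak enctype."""
    entries = parse_keytab(data)
    findings = ["%s kvno %d uses weak enctype %s" %
                (e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], str(e["enctype"])))
                for e in entries if e["enctype"] in WEAK_ENCTYPES]
    return entries, findings

def write_keytab(path, data):
    """Write a keytab readable only by its owner; return True if the result is mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)              # the O_CREAT mode does not apply to a pre-existing file
    return (os.stat(path).st_mode & 0o777) == 0o600

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-36s kvno=%d %-26s key=%s" % (e["principal"], e["kvno"],
              ENCTYPES.get(e["enctype"], "?"), e["key"].hex()))
    for finding in audit_keytab(SAMPLE_KEYTAB)[1]:
        print("WARNING:", finding)
```

Running the script prints both live entries with their keys in hex (the deleted slot is skipped) and one warning for the rc4-hmac entry. To audit a real file, pass open(path, "rb").read() to audit_keytab; the principal, kvno and enctype columns should match what klist -k -t -e prints for the same keytab, with the difference that klist never shows the key material.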
HISTORY
kinit is a foundational client command of the MIT Kerberos V5 distribution. Kerberos itself originated in the Massachusetts Institute of Technology's Project Athena in the 1980s; version 5 of the protocol, first published as RFC 1510 in 1993 and now specified by RFC 4120, replaced Kerberos V4 with stronger cryptographic options, better cross-realm authentication and a more flexible message format. kinit is the client side of the protocol's initial authentication exchange (AS-REQ/AS-REP), and Kerberos V5 has since become the de facto standard for authentication in distributed computing environments, including Microsoft Active Directory.