LinuxCommandLibrary

klist

List Kerberos tickets

SYNOPSIS

klist [-c cache_name] [-f] [-e] [-s] [-a] [-n] [-l] [--version] [--help]
klist -k [-t] [-e] [-s] [-n] [keytab_name]

PARAMETERS

-c cache_name
    Specifies the credentials cache to list. If not specified, the default cache is used.

-f
    Displays the flags of the Kerberos tickets, such as forwardable, proxiable, and renewable.

-e
    Shows the encryption types of the session keys and the ticket-granting tickets.

-s
    Suppresses normal output and only sets the exit status. Useful for scripting to check if tickets exist.

-a
    Displays the addresses contained in the tickets. Useful for checking if address restrictions are in place.

-n
    Shows numerical UIDs/GIDs rather than resolving them to names, particularly when listing keytab entries.

-k
    Lists the entries in a keytab file instead of a credentials cache. If keytab_name is not specified, the default keytab (/etc/krb5.keytab) is used.

-t
    When used with -k, displays the timestamp of each keytab entry. It has no effect without -k.

-l
    Lists the credentials caches in a cache collection. This option is specific to credential cache collections.

--version
    Displays version information for the `klist` command.

--help
    Displays a brief help message explaining command usage and options.

DESCRIPTION

`klist` displays the Kerberos principal and tickets held in a credentials cache, or the keys stored in a keytab file.

When executed without any options, `klist` typically shows the default credentials cache, which is usually located at `/tmp/krb5cc_UID` unless the KRB5CCNAME environment variable specifies a different path. It lists the primary Kerberos principal associated with the cache, the expiration time of the initial ticket-granting ticket (TGT), and details about service tickets acquired, including their expiration and the service principal name.

This command is essential for verifying successful Kerberos authentication and for monitoring the status of your Kerberos tickets. It allows users to quickly check if they have valid tickets, when they expire, and which services they are authorized to access. When used with the -k option, `klist` provides insight into the contents of a specified keytab file, detailing the principal names and key versions stored, which is crucial for service authentication configurations.

CAVEATS

Permissions: To list a credentials cache, you must have read permissions on the cache file. For keytab files, read permissions are required on the specified keytab or the default one.
Default Cache: The default credentials cache location is system-dependent but commonly /tmp/krb5cc_UID. This can be overridden by the KRB5CCNAME environment variable.
Keytab Access: When using -k, ensure the process running `klist` has read access to the keytab file. Keytabs often contain sensitive cryptographic material and should be properly secured.

DEFAULT CREDENTIALS CACHE

Unless specified with -c or overridden by the KRB5CCNAME environment variable, `klist` will check for the default credentials cache. This is typically located at /tmp/krb5cc_UID, where UID is the numerical user ID of the current user.

UNDERSTANDING TICKET FLAGS

When using the -f option, `klist` displays various flags associated with Kerberos tickets. Common flags include:
F (Forwardable): The ticket can be forwarded to another host.
P (Proxiable): A proxy ticket can be generated from this ticket.
R (Renewable): The ticket can be renewed beyond its initial lifetime.
I (Initial): The ticket was obtained directly via password or keytab.
H (Hardware authenticated): The authentication involved hardware (e.g., smart card).
A (Auth-data required): The ticket contains authorization data that must be honored.
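The following shell script is an added example; it is not part of this page or of the MIT Kerberos distribution. It parses `klist -f` output (a constructed sample is embedded; the parser reads the expiry as two whitespace-separated fields and does not interpret the date format) and reports the TGT's expiry together with whether the F and R flags from the list above are set, which is a quick way to notice a forwardable TGT on a host where delegation is not expected. `ensure_tgt` shows the exit-status use of `-s` described under PARAMETERS; the keytab path and principal it takes are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): summarise the TGT in a credentials cache
# from `klist -f` output, and use `klist -s` as a scripting check.

# tgt_report: reads `klist -f` output on stdin and prints one line describing
# the ticket-granting ticket: principal, expiry, raw flag letters, and whether
# the F (forwardable) and R (renewable) flags are set. Exits 1 if no TGT is found.
tgt_report() {
  awk '
    /^Default principal:/ { principal = $3 }
    # TGT line: "<start date> <start time> <expiry date> <expiry time> krbtgt/REALM@REALM"
    /^[0-9].*krbtgt\// { expires = $3 " " $4; want_flags = 1; next }
    # with -f the flags follow on the next (indented) line, e.g. "renew until ..., Flags: FRIA"
    want_flags && /Flags:/ { sub(/.*Flags: */, ""); flags = $0; want_flags = 0 }
    END {
      if (expires == "") { print "no TGT in cache"; exit 1 }
      printf "principal=%s expires=%s flags=%s forwardable=%s renewable=%s\n",
        principal, expires, flags,
        (index(flags, "F") ? "yes" : "no"), (index(flags, "R") ? "yes" : "no")
    }'
}

# ensure_tgt: exit-status check with -s; re-acquire from a keytab only if needed.
# Arguments: keytab path and principal (both hypothetical placeholders).
ensure_tgt() {
  klist -s 2>/dev/null && return 0
  kinit -kt "$1" "$2"
}

# Constructed sample of `klist -f` output (not captured from a real system).
SAMPLE_KLIST_F='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
05/12/24 09:00:00  05/12/24 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/19/24 09:00:00, Flags: FRIA
05/12/24 09:05:12  05/12/24 19:00:00  host/fileserver.example.com@EXAMPLE.COM
        Flags: FA'

# Stand-alone run: report on the constructed sample, then on the live cache if klist exists.
printf '%s\n' "$SAMPLE_KLIST_F" | tgt_report
if command -v klist >/dev/null 2>&1; then
  klist -f 2>/dev/null | tgt_report || true
fi
```

Run it on a host with tickets and compare the `flags=` field against what the service actually needs; a TGT showing F on an interactive workstation is worth a look at the `forwardable` setting in krb5.conf(5).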

KEYTAB FILES

Keytab files (used with -k) are essential for services or scripts that need to authenticate to Kerberos without user interaction. They contain service principal names and their cryptographic keys. `klist -kt` is commonly used by administrators to verify the contents and timestamps of keytab files, ensuring the correct keys are present and up-to-date for service principals.
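As an added example (not code from this page or from MIT Kerberos), the script below runs the administrator's `klist -kte` check described above as an audit: it reads the keytab listing on stdin, flags entries whose encryption type is DES or RC4 (the weak list is this example's choice; the enctype names are the standard MIT ones), and reports any principal that carries more than one key version, which usually means an old key was never removed. The sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the page): audit `klist -kte` output for weak
# encryption types and for principals carrying several key versions.

# keytab_audit: reads `klist -kte` (or `klist -ke`) output on stdin. Entry lines
# start with the KVNO; the principal is the second-to-last field and the enctype,
# in parentheses, is the last. Prints a WEAK line per entry whose enctype is
# DES or RC4 and a MULTI-KVNO line per principal with more than one key version.
# Exits 1 if any weak entry was seen.
keytab_audit() {
  awk '
    /^ *[0-9]+ / {
      kvno = $1; principal = $(NF - 1); enc = $NF
      gsub(/[()]/, "", enc)
      if (enc ~ /^(des|arcfour|rc4)/) { printf "WEAK kvno=%s %s %s\n", kvno, principal, enc; weak++ }
      if (!((principal, kvno) in seen)) { seen[principal, kvno] = 1; versions[principal]++ }
    }
    END {
      for (p in versions)
        if (versions[p] > 1) printf "MULTI-KVNO %s has %d key versions\n", p, versions[p]
      if (weak) exit 1
    }'
}

# Constructed sample of `klist -kte` output (not captured from a real keytab).
SAMPLE_KLIST_KTE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/01/24 10:00:00 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 05/01/24 10:00:00 host/web01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/15/23 08:30:00 host/web01.example.com@EXAMPLE.COM (arcfour-hmac)
   3 05/01/24 10:00:00 HTTP/web01.example.com@EXAMPLE.COM (des-cbc-crc)'

# Stand-alone run: audit the constructed sample, then the default keytab if readable.
printf '%s\n' "$SAMPLE_KLIST_KTE" | keytab_audit || echo "keytab needs attention (exit $?)"
if command -v klist >/dev/null 2>&1 && [ -r /etc/krb5.keytab ]; then
  klist -kte 2>/dev/null | keytab_audit || echo "default keytab needs attention"
fi
```

The non-zero exit makes the function usable from a configuration-management check; the MULTI-KVNO report is informational because a short overlap of key versions is normal right after a key rotation.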

HISTORY

The `klist` command is an integral part of the MIT Kerberos distribution, which has its roots in Project Athena at MIT in the 1980s. Designed as a secure network authentication protocol, Kerberos was developed to provide strong authentication for client/server applications by using secret-key cryptography. `klist` emerged as a fundamental utility to allow users to inspect their acquired Kerberos credentials, enabling them to verify the success of the `kinit` command (which obtains tickets) and understand the validity period of their authentication. Its core functionality has remained largely consistent over decades, reflecting the stable and robust nature of the Kerberos protocol itself. The command is a cornerstone for troubleshooting Kerberos authentication issues and managing user sessions in Kerberized environments.

SEE ALSO

kinit(1), kdestroy(1), kpasswd(1), kvno(1), krb5.conf(5)
