LinuxCommandLibrary

klist

List Kerberos tickets

SYNOPSIS

klist [-l] [-a] [-c] [-k] [-t] [-T] [-e] [-K] [-C] [-V] [cache_name]

PARAMETERS

-l
    List all available credential caches

-a
    List all tickets from all caches

-c
    List tickets only from primary cache (default)

-k
    Treat argument as keytab file and list entries

-t
    Show expiration timestamps only

-T
    Show remaining lifetime for renewable tickets

-e
    Display ticket encryption types

-K
    Show keytab entries with raw keys (dangerous)

-C
    Show credential cache name

-V
    Print version information

DESCRIPTION

klist is a command-line utility in the Kerberos authentication suite that displays the contents of the user's credential cache, showing active Kerberos tickets. Kerberos, developed by MIT, provides secure network authentication using tickets issued by a Key Distribution Center (KDC). These tickets, including the essential Ticket Granting Ticket (TGT), authorize access to services without repeated password entry.

Running klist without options lists tickets from the default cache (typically FILE:/tmp/krb5cc_<uid>), displaying columns for client principal, server principal, issue time, expiration time, and renew time if applicable. This helps verify login status, ticket validity, and debug issues in environments like LDAP, Active Directory, NFS, or SSH with GSSAPI.

Key features include viewing multiple caches, keytab entries for services, encryption types, and timestamps. Output aids in monitoring ticket lifetimes to prevent expiration-related access denials. Part of krb5-user package on Debian-based systems.

CAVEATS

No output if no tickets exist; requires krb5-user package; keytabs with -K expose sensitive keys; cache paths vary by KRB5CCNAME env var.

DEFAULT OUTPUT FORMAT

Columns: Valid starting, Expires, Service principal, 02/01/24 12:00:00 (example timestamps).
Header includes cache file and default principal.

COMMON USAGE EXAMPLE

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting Expires Service principal
09/15/24 09:00:00 09/15/24 17:00:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM

HISTORY

Introduced in MIT Kerberos 5 (krb5) release circa 1993 as part of core utilities; evolved with Heimdal fork but standardized in Linux distros via MIT implementation; enhanced for keytabs and multi-cache support in later versions.

SEE ALSO

kinit(1), kdestroy(1), ktutil(1), kswitch(1)

Copied to clipboard