LinuxCommandLibrary

klist

List Kerberos tickets

SYNOPSIS

klist [-c cache_name] [-f] [-s] [-k keytab_name] [-e] [-i] [-a] [-n] [-p] [-u] [-v] [-V]

PARAMETERS

-c cache_name
    Specify the credentials cache to use. If not specified, the default cache is used.

-k keytab_name
    List the keys in the specified keytab file.

-f
    Show the flags present in the ticket.

-s
    Suppress the output of the ticket list and summary. Useful when only interested in errors.

-e
    Display the encryption type of the session key.

-i
    Display the initial ticket for each principal.

-a
    Display addresses. When used with -k, display the key version number (kvno).

-n
    Show numeric addresses instead of attempting to resolve them.

-p
    Display the principal name associated with each ticket.

-u
    Display user-to-user tickets.

-v
    Be verbose; show more information about each ticket.

-V
    Display the version number of klist.

DESCRIPTION

The klist command displays the Kerberos principal name and Kerberos tickets held in a credentials cache.
It is a tool for examining the contents of your Kerberos ticket cache, allowing you to see what tickets you have, when they expire, and other information about them. This is essential for troubleshooting Kerberos authentication issues and managing your Kerberos identity.
It reads the default credentials cache unless a different cache is specified with the -c flag or the KRB5CCNAME environment variable. Understanding the output of klist is crucial for administrators and users working in Kerberos-enabled environments.

UNDERSTANDING THE OUTPUT

The output of klist typically includes the principal, the issue and expiry times, the service principal, flags, and encryption type.
Carefully analyze these fields to ensure tickets are valid and correctly configured. Expired tickets are a common cause of authentication issues.

TROUBLESHOOTING

klist is a valuable tool for troubleshooting Kerberos authentication. If a user is unable to authenticate, klist can be used to verify that they have a valid Kerberos ticket. Inspecting the flags field can help you determine whether forwardable or proxiable tickets are available as expected. The command can also confirm which Kerberos realm your current ticket belongs to.
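The checks described above (ticket validity, forwardable/proxiable flags, realm) can be scripted. The following is an added example, not part of the klist documentation: check_tgt and sample_klist_output are hypothetical helper names, and the parser assumes MIT-style `klist -f` output with MM/DD/YYYY HH:MM:SS timestamps, which varies by implementation and locale.

```shell
#!/bin/sh
# Added example (not from the klist documentation): summarise the TGT found in
# klist -f text read from stdin.
# Assumptions: MIT-style layout, MM/DD/YYYY HH:MM:SS timestamps (locale-dependent).

# Constructed sample output, so the check runs without a KDC or a real cache.
sample_klist_output() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/22/2024 09:00:00, Flags: FRIA
01/15/2024 09:05:00  01/15/2024 19:00:00  host/web01.example.com@EXAMPLE.COM
        Flags: FAT
EOF
}

# check_tgt NOW   (NOW as YYYYMMDDHHMMSS, e.g. "$(date +%Y%m%d%H%M%S)")
# Exit status: 0 = valid TGT, 1 = expired TGT, 2 = no TGT for the default realm.
check_tgt() {
    awk -v now="$1" '
    # Convert "MM/DD/YYYY" and "HH:MM:SS" into a sortable YYYYMMDDHHMMSS string.
    function stamp(d, t,   a, b) {
        split(d, a, "/"); split(t, b, ":")
        return a[3] a[1] a[2] b[1] b[2] b[3]
    }
    /^Default principal:/ { principal = $3; realm = $3; sub(/^.*@/, "", realm) }
    # Ticket line: start date, start time, end date, end time, service principal.
    NF >= 5 && $1 ~ /^[0-9]/ {
        in_tgt = ($5 == ("krbtgt/" realm "@" realm))
        if (in_tgt) expires = stamp($3, $4)
        next
    }
    # With -f, flags are on the continuation line that follows the ticket line.
    in_tgt && /Flags:/ { flags = $0; sub(/^.*Flags: */, "", flags); in_tgt = 0 }
    END {
        if (expires == "") { print "status=no_tgt"; exit 2 }
        status = ((expires "") > (now "")) ? "valid" : "expired"
        printf "principal=%s realm=%s status=%s forwardable=%s proxiable=%s\n",
            principal, realm, status,
            (flags ~ /F/ ? "yes" : "no"), (flags ~ /P/ ? "yes" : "no")
        exit (status == "valid" ? 0 : 1)
    }'
}
```

Against a live cache, pipe the real output in: klist -f | check_tgt "$(date +%Y%m%d%H%M%S)". Both klist and date report local time, so the comparison is consistent.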

HISTORY

klist is a standard Kerberos utility, developed alongside Kerberos itself. It has been available since the early days of Kerberos (versions 4 and 5) to manage Kerberos tickets. The tool evolved with Kerberos, adding options to support new Kerberos features such as keytabs and different encryption types. Its core functionality remains the same: displaying and examining Kerberos tickets.

SEE ALSO

kinit(1), kdestroy(1)
