|
HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 3 Kerberos Client Programs
User Client Programs
This section describes the user client programs kinit,
klist, kdestroy, and kpasswd. kinit | |
The kinit program allows the user
to obtain and cache a Kerberos ticket-granting ticket. A Kerberos principal
name must have already been created for the user, or another pre-existing
principal must be specified. The kinit program optionally uses
the logical name KRB5CCNAME to specify
the location and name of the credentials (ticket) cache. The default
location for the credentials cache is in the [.KRB.<nodename>] subdirectory
of the user’s login directory. The default name of the
credentials cache is KRB5CC_xxxxxx.; where xxxxxx is
a randomly generated numeric string. SYNOPSISkinit | | [-5] [-4] [-V] [-l lifetime]
[-s start_time] [-r renewable_life][-p]
[-P] [-f] [-F] [-A] [-v] [-R] [-k [-t keytab_file]] [-c cache_name]
[-S service_name] [principal] |
OPTIONS -5 | | Get Kerberos 5 tickets, overriding the default built-in
behavior. This option may be used with -4. | -4 | | Get Kerberos 4 tickets, overriding the default built-in
behavior. This option may be used with -5. | -V | | Display verbose output. | -l lifetime | | Request a ticket whose lifetime is specified by lifetime.
The value for lifetime must be followed immediately
by one of the following delimiters: For example: You cannot mix units; a value of 30h30m will
result in an error.If the -l option is not
specified, the default ticket lifetime (configured by each site)
is used. Specifying a ticket lifetime longer than the maximum ticket
lifetime (configured by each site) results in a ticket with the maximum
lifetime. | -s start_time | | Request a postdated ticket, valid starting at start_time.
Postdated tickets are issued with the invalid flag set, and need
to be fed back to the KDC before use. | -r renewable_life | | Request renewable tickets, with a total lifetime
of renewable_life. The duration is the
same format as the -l option, with the
same delimiters. (Not applicable to Kerberos 4.) | -f | | Request tickets that can be forwarded to another
system. (Not applicable to Kerberos 4.) | -F | | Do not request forwardable tickets. (Not applicable
to Kerberos 4.) | -p | | Request proxiable tickets. (Not applicable to Kerberos
4.) | -P | | Do not request proxiable tickets. (Not applicable
to Kerberos 4.) | -A | | Request address-less tickets. (Not applicable to
Kerberos 4.) | -v | | Request that the ticket granting ticket in the cache
(with the invalid option set) be passed to the KDC for validation.
If the ticket is within its requested time range, the cache is replaced
with the validated ticket. (Not applicable to Kerberos 4.) | -R | | Request renewal of the ticket-granting ticket. Note
that an expired ticket cannot be renewed, even if the ticket is
still within its renewable life. When using this option with Kerberos
4, the KDC must support Kerberos 5 to Kerberos 4 ticket conversion. | -k [-t keytab_file] | | Request a host ticket, obtained from a key in the
local host’s keytab file. The name and location of the
keytab file may be specified with the -t keytab_file option;
otherwise the default name and location will be used. When using
this option with Kerberos 4, the KDC must support Kerberos 5 to
Kerberos 4 ticket conversion. | -c cache_name | | Use cache_name as the credentials
(ticket) cache name and location; if this option is not used, the
default cache name and location are used. The default credentials cache may vary between systems. If
the KRB5CCNAME logical name is set, its
value is used to name the default ticket cache. Any existing contents
of the cache are destroyed by kinit. (Not
applicable to Kerberos 4). | -S service_name | | Specify an alternate service name to use when getting
initial tickets. |
klist | |
The klist program allows the user
to display information about their cached Kerberos tickets. (Applicable to
Kerberos 5, or to Kerberos 4 ticket conversion if you use both Kerberos
5 and Kerberos 4 with a KDC that supports Kerberos 5.) SYNOPSIS klist | | [-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] [-k [-t]
[-K]][ cache_name | keytab_name ] |
OPTIONS-5 | | List Kerberos 5 credentials. This overrides whatever
the default built-in behavior may be. This option may be used with -4. | -4 | | List Kerberos 4 credentials. This overrides whatever
the default built-in behavior may be. This option may be used with -5. | -e | | Display the encryption types of the session key
and the ticket for each credential in the credential cache, or each
key in the keytab file. | -c | | List the tickets held in a credentials cache. This
is the default if neither -c nor -k is specified. | -f | | Show the options present in the credentials. Possible
options are as follows: | -s | | Cause klist to run silently
(produce no output) but to still set the exit status according to whether
it finds the credential cache. The exit status is SS$_NORMAL if klist finds
a credentials cache. | -a | | Display list of addresses in credentials. | -n | | Show numeric addresses instead of reverse-resolving
addresses. | -k | | List the keys held in a keytab file. | -t | | Display the time entry timestamps for each keytab
entry in the keytab file. | -K | | Display the value of the encryption key in each
keytab entry in the keytab file. |
If cache_name or keytab_name is
not specified, klist will display the credentials
in the default credentials cache or keytab file as appropriate.
If the KRB5CCNAME logical name is set,
its value will be used to name the default ticket cache. kdestroy | |
The kdestroy program destroys the
user’s active Kerberos authorization tickets by writing
zeros to the specified credentials cache that contains them. If
the credentials cache is not specified, the default credentials
cache is destroyed. The default behavior is to destroy both Kerberos
5 and Kerberos 4 credentials. SYNOPSISkdestroy | | [-5] [-4] [-q] [ -c cache_name] |
OPTIONS-5 | | Destroy Kerberos 5 credentials. This option may
be used with -4. |
-4 | | Destroy Kerberos 4 credentials. This option may
be used with -5. |
-q | | Quiet mode. Normally, kdestroy beeps
if it fails to destroy the user’s tickets, in addition
to issuing an error message. The -q option
suppresses the beep, and only an error is issued. |
-c cache_name | | Use cache_name as the credentials
(ticket) cache name and location. If this option is not used, the
default cache name and location are used. If the KRB5CCNAME logical name is
set, its value is used to name the default ticket cache. |
HP recommends that you place the kdestroy
command in a logout command file, so that your tickets are destroyed
automatically when you log out. kpasswd | |
The kpasswd program is used to change
a Kerberos principal’s password. The kpasswd program
prompts for the current Kerberos password, which is used to obtain
a changepw ticket from the KDC for the
user’s Kerberos realm. If kpasswd successfully
obtains the changepw ticket, the user is
prompted twice for the new password, and the password is changed. If the principal is governed by a policy that specifies the
length or number of character classes required in the new password,
the new password must conform to the policy. (The five-character
classes are: lowercase, uppercase, numbers, punctuation, and all
other characters.) SYNOPSISOPTIONSprincipal | | Change the password for the Kerberos principal specified
by principal. Otherwise, the principal
is derived from the identity of the user invoking the kpasswd command. |
|
|