kinit

The kinit command is one of the most frequently used commands in Linux/Unix-like operating systems. It obtains and caches a Kerberos ticket-granting ticket.

Quick Reference

Command Name: kinit

Category: security

Platform: Linux/Unix/macOS

Basic Usage: kinit [options] [arguments]

Common Use Cases

    Syntax

    kinit [options] [principal]

    Options

    Option              Description
    -l lifetime         Specify ticket lifetime (e.g., 10h for 10 hours)
    -r renewable_life   Specify renewable lifetime (e.g., 7d for 7 days)
    -s start_time       Specify a start time for the ticket (e.g., +1h for 1 hour from now)
    -f                  Request a forwardable ticket
    -p                  Request a proxiable ticket
    -c cache_name       Use an alternate credentials cache
    -k                  Obtain the ticket using a keytab
    -t keytab_file      Specify the keytab file to use
    -A                  Request address-less tickets
    -n                  Request anonymous processing
    -S service          Request a ticket for a specific service
    -v                  Verbose output mode
    -R                  Renew a ticket
    -T                  Get a ticket based on a ticket (renewal)

    Examples

    How to Use These Examples

    The examples below show common ways to use the kinit command. Try them in your terminal to see the results.

    # Basic Examples
    kinit
    Obtain a ticket for the default principal.
    kinit user@EXAMPLE.COM
    Obtain a ticket for the specified principal.
    # Advanced Examples
    kinit -l 10h user@EXAMPLE.COM
    Obtain a ticket with a 10-hour lifetime.
    kinit -r 7d
    Obtain a ticket with a 7-day renewable lifetime.
    kinit -k -t /etc/krb5.keytab host/server.example.com@EXAMPLE.COM
    Obtain a ticket using a keytab file.
    kinit -c /tmp/krb5cc_special
    Specify an alternate credentials cache.
    kinit -f
    Request a forwardable ticket.
    kinit -p
    Request a proxiable ticket.
    kinit -n
    Request anonymous processing.
    kinit -S service/host@REALM
    Request a ticket for a specific service.


    Notes

    kinit is a command-line tool used to obtain and cache Kerberos ticket-granting tickets (TGTs). It's a fundamental component of the Kerberos authentication system, which provides secure authentication for client/server applications through secret-key cryptography.

    Key features of kinit:

    1. Initial Authentication: kinit initiates the Kerberos authentication process by requesting a ticket-granting ticket (TGT) from the Key Distribution Center (KDC). This TGT can then be used to obtain service tickets for specific network services without requiring the user to re-enter their password.
    2. Credential Caching: After successful authentication, kinit stores the obtained tickets in a credential cache (typically in /tmp or in a kernel keyring) for future use by Kerberos-aware applications.
    3. Ticket Lifetime Management: The command allows users to specify various time parameters for tickets, including their initial lifetime and renewable lifetime, providing control over security policies and convenience.
    4. Keytab Integration: For automated services and scripts, kinit can authenticate using keys stored in a keytab file rather than requiring interactive password entry, enabling unattended authentication processes.
    5. Ticket Properties: kinit provides options to request tickets with specific properties like forwardability (allowing them to be forwarded to another host) and proxiability (allowing them to be used as proxies).
    6. Multiple Principal Support: Users can authenticate as different principals (user identities) by specifying the desired principal name, which is useful in environments where users may have multiple roles or identities.
    7. Cache Selection: By specifying alternate credential caches, users can maintain separate authentication contexts for different purposes or security domains.

    Common use cases for kinit include:

    - Authenticating to Kerberos-protected services like SSH, NFS, LDAP, or databases
    - Single sign-on solutions in enterprise environments
    - Automated service authentication in scripts and applications
    - Accessing resources across organizational boundaries in federated environments
    - Renewing authentication credentials before they expire
    - Obtaining specialized tickets for specific services or with particular attributes

    kinit is available on most Unix-like operating systems (Linux, macOS, BSD) with Kerberos implementations such as MIT Kerberos or Heimdal. It's typically used in enterprise environments, educational institutions, and other organizations that employ Kerberos for centralized authentication services.
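
The keytab and cache-selection features described above combine naturally in an unattended login wrapper. The script below is an added example, not part of the original page: it refuses a keytab that is not private to the calling user, logs in to a dedicated cache, and confirms the cache holds a valid ticket. The function names, return codes, the cache path in the usage line and the use of `klist -s` (as in MIT Kerberos) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Principal, keytab path, cache
# path and lifetime in the usage line are assumptions.

# Succeed only if the keytab is a regular file (not a symlink), owned by the
# calling user, with no group/other permission bits. A keytab holds long-term
# keys, so anyone who can read it can authenticate as the principal.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    [ -O "$kt" ] || return 1
    perms=$(ls -ld "$kt" | cut -c5-10)   # group+other columns of "-rw-------"
    [ "$perms" = "------" ]
}

# keytab_login PRINCIPAL KEYTAB CACHE LIFETIME
# Returns 0 on success, 2 if the keytab fails the check, 3 if kinit fails,
# 4 if the resulting cache holds no valid ticket.
keytab_login() {
    principal=$1 keytab=$2 cache=$3 lifetime=$4
    if ! keytab_is_private "$keytab"; then
        echo "refusing keytab $keytab: not a private regular file" >&2
        return 2
    fi
    # A dedicated cache (-c) keeps service tickets apart from any user cache;
    # umask 077 keeps the cache file free of group/other access.
    ( umask 077
      kinit -k -t "$keytab" -c "$cache" -l "$lifetime" "$principal" ) || return 3
    # klist -s prints nothing and exits non-zero if the cache is unreadable
    # or its tickets have expired.
    KRB5CCNAME=$cache klist -s || return 4
}

# Usage (constructed values):
#   keytab_login host/server.example.com@EXAMPLE.COM /etc/krb5.keytab \
#       /run/myservice/krb5cc 10h
```

A scheduler or service unit can act on the distinct return codes, for example alerting on 2 (keytab permissions changed) separately from 3 (KDC unreachable or key mismatch).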
