path: root/crypto/krb5/doc/pdf/user.tex

%% Generated by Sphinx.
\def\sphinxdocclass{report}
\documentclass[letterpaper,10pt,english]{sphinxmanual}
\ifdefined\pdfpxdimen
   \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen
\fi \sphinxpxdimen=.75bp\relax
\ifdefined\pdfimageresolution
    \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax
\fi
%% let collapsible pdf bookmarks panel have high depth per default
\PassOptionsToPackage{bookmarksdepth=5}{hyperref}

\PassOptionsToPackage{booktabs}{sphinx}
\PassOptionsToPackage{colorrows}{sphinx}

\PassOptionsToPackage{warn}{textcomp}
\usepackage[utf8]{inputenc}
\ifdefined\DeclareUnicodeCharacter
% support both utf8 and utf8x syntaxes
  \ifdefined\DeclareUnicodeCharacterAsOptional
    \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}}
  \else
    \let\sphinxDUC\DeclareUnicodeCharacter
  \fi
  \sphinxDUC{00A0}{\nobreakspace}
  \sphinxDUC{2500}{\sphinxunichar{2500}}
  \sphinxDUC{2502}{\sphinxunichar{2502}}
  \sphinxDUC{2514}{\sphinxunichar{2514}}
  \sphinxDUC{251C}{\sphinxunichar{251C}}
  \sphinxDUC{2572}{\textbackslash}
\fi
\usepackage{cmap}
\usepackage[T1]{fontenc}
\usepackage{amsmath,amssymb,amstext}
\usepackage{babel}



\usepackage{tgtermes}
\usepackage{tgheros}
\renewcommand{\ttdefault}{txtt}



\usepackage[Bjarne]{fncychap}
\usepackage{sphinx}

\fvset{fontsize=auto}
\usepackage{geometry}


% Include hyperref last.
\usepackage{hyperref}
% Fix anchor placement for figures with captions.
\usepackage{hypcap}% it must be loaded after hyperref.
% Set up styles of URL: it should be placed after hyperref.
\urlstyle{same}


\usepackage{sphinxmessages}
\setcounter{tocdepth}{1}



\title{Kerberos User Guide}
\date{ }
\release{1.22\sphinxhyphen{}final}
\author{MIT}
\newcommand{\sphinxlogo}{\vbox{}}
\renewcommand{\releasename}{Release}
\makeindex
\begin{document}

\ifdefined\shorthandoff
  \ifnum\catcode`\=\string=\active\shorthandoff{=}\fi
  \ifnum\catcode`\"=\active\shorthandoff{"}\fi
\fi

\pagestyle{empty}
\sphinxmaketitle
\pagestyle{plain}
\sphinxtableofcontents
\pagestyle{normal}
\phantomsection\label{\detokenize{user/index::doc}}


\sphinxstepscope


\chapter{Password management}
\label{\detokenize{user/pwd_mgmt:password-management}}\label{\detokenize{user/pwd_mgmt::doc}}
\sphinxAtStartPar
Your password is the only way Kerberos has of verifying your identity.
If someone finds out your password, that person can masquerade as
you—send email that comes from you, read, edit, or delete your files,
or log into other hosts as you—and no one will be able to tell the
difference.  For this reason, it is important that you choose a good
password, and keep it secret.  If you need to give access to your
account to someone else, you can do so through Kerberos (see
{\hyperref[\detokenize{user/pwd_mgmt:grant-access}]{\sphinxcrossref{\DUrole{std,std-ref}{Granting access to your account}}}}).  You should never tell your password to anyone,
including your system administrator, for any reason.  You should
change your password frequently, particularly any time you think
someone may have found out what it is.


\section{Changing your password}
\label{\detokenize{user/pwd_mgmt:changing-your-password}}
\sphinxAtStartPar
To change your Kerberos password, use the {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}} command.
It will ask you for your old password (to prevent someone else from
walking up to your computer when you’re not there and changing your
password), and then prompt you for the new one twice.  (The reason you
have to type it twice is to make sure you have typed it correctly.)
For example, user \sphinxcode{\sphinxupquote{david}} would do the following:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}    \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:}    \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password} \PYG{n}{again}\PYG{o}{.}
\PYG{n}{Password} \PYG{n}{changed}\PYG{o}{.}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
If \sphinxcode{\sphinxupquote{david}} typed the incorrect old password, he would get the
following message:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{incorrect} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect} \PYG{k}{while} \PYG{n}{getting} \PYG{n}{initial} \PYG{n}{ticket}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
If you make a mistake and don’t type the new password the same way
twice, kpasswd will ask you to try again:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{a} \PYG{n}{different} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{mismatch} \PYG{k}{while} \PYG{n}{reading} \PYG{n}{password}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Once you change your password, it takes some time for the change to
propagate through the system.  Depending on how your system is set up,
this might be anywhere from a few minutes to an hour or more.  If you
need to get new Kerberos tickets shortly after changing your password,
try the new password.  If the new password doesn’t work, try again
using the old one.


\section{Granting access to your account}
\label{\detokenize{user/pwd_mgmt:granting-access-to-your-account}}\label{\detokenize{user/pwd_mgmt:grant-access}}
\sphinxAtStartPar
If you need to give someone access to log into your account, you can
do so through Kerberos, without telling the person your password.
Simply create a file called {\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} in your home directory.
This file should contain the Kerberos principal of each person to whom
you wish to give access.  Each principal must be on a separate line.
Here is a sample .k5login file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\end{sphinxVerbatim}

\sphinxAtStartPar
This file would allow the users \sphinxcode{\sphinxupquote{jennifer}} and \sphinxcode{\sphinxupquote{david}} to use your
user ID, provided that they had Kerberos tickets in their respective
realms.  If you will be logging into other hosts across a network, you
will want to include your own Kerberos principal in your .k5login file
on each of these hosts.

\sphinxAtStartPar
Using a .k5login file is much safer than giving out your password,
because:
\begin{itemize}
\item {} 
\sphinxAtStartPar
You can take access away any time simply by removing the principal
from your .k5login file.

\item {} 
\sphinxAtStartPar
Although the user has full access to your account on one particular
host (or set of hosts if your .k5login file is shared, e.g., over
NFS), that user does not inherit your network privileges.

\item {} 
\sphinxAtStartPar
Kerberos keeps a log of who obtains tickets, so a system
administrator could find out, if necessary, who was capable of using
your user ID at a particular time.

\end{itemize}

\sphinxAtStartPar
One common application is to have a .k5login file in root’s home
directory, giving root access to that machine to the Kerberos
principals listed.  This allows system administrators to allow users
to become root locally, or to log in remotely as root, without their
having to give out the root password, and without anyone having to
type the root password over the network.


\section{Password quality verification}
\label{\detokenize{user/pwd_mgmt:password-quality-verification}}
\sphinxAtStartPar
TODO

\sphinxstepscope


\chapter{Ticket management}
\label{\detokenize{user/tkt_mgmt:ticket-management}}\label{\detokenize{user/tkt_mgmt::doc}}
\sphinxAtStartPar
On many systems, Kerberos is built into the login program, and you get
tickets automatically when you log in.  Other programs, such as ssh,
can forward copies of your tickets to a remote host.  Most of these
programs also automatically destroy your tickets when they exit.
However, MIT recommends that you explicitly destroy your Kerberos
tickets when you are through with them, just to be sure.  One way to
help ensure that this happens is to add the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} command
to your .logout file.  Additionally, if you are going to be away from
your machine and are concerned about an intruder using your
permissions, it is safest to either destroy all copies of your
tickets, or use a screensaver that locks the screen.


\section{Kerberos ticket properties}
\label{\detokenize{user/tkt_mgmt:kerberos-ticket-properties}}
\sphinxAtStartPar
There are various properties that Kerberos tickets can have:

\sphinxAtStartPar
If a ticket is \sphinxstylestrong{forwardable}, then the KDC can issue a new ticket
(with a different network address, if necessary) based on the
forwardable ticket.  This allows for authentication forwarding without
requiring a password to be typed in again.  For example, if a user
with a forwardable TGT logs into a remote system, the KDC could issue
a new TGT for that user with the network address of the remote system,
allowing authentication on that host to work as though the user were
logged in locally.

\sphinxAtStartPar
When the KDC creates a new ticket based on a forwardable ticket, it
sets the \sphinxstylestrong{forwarded} flag on that new ticket.  Any tickets that are
created based on a ticket with the forwarded flag set will also have
their forwarded flags set.

\sphinxAtStartPar
A \sphinxstylestrong{proxiable} ticket is similar to a forwardable ticket in that it
allows a service to take on the identity of the client.  Unlike a
forwardable ticket, however, a proxiable ticket is only issued for
specific services.  In other words, a ticket\sphinxhyphen{}granting ticket cannot be
issued based on a ticket that is proxiable but not forwardable.

\sphinxAtStartPar
A \sphinxstylestrong{proxy} ticket is one that was issued based on a proxiable ticket.

\sphinxAtStartPar
A \sphinxstylestrong{postdated} ticket is issued with the invalid flag set.  After the
starting time listed on the ticket, it can be presented to the KDC to
obtain valid tickets.

\sphinxAtStartPar
Ticket\sphinxhyphen{}granting tickets with the \sphinxstylestrong{postdateable} flag set can be used
to obtain postdated service tickets.

\sphinxAtStartPar
\sphinxstylestrong{Renewable} tickets can be used to obtain new session keys without
the user entering their password again.  A renewable ticket has two
expiration times.  The first is the time at which this particular
ticket expires.  The second is the latest possible expiration time for
any ticket issued based on this renewable ticket.

\sphinxAtStartPar
A ticket with the \sphinxstylestrong{initial flag} set was issued based on the
authentication protocol, and not on a ticket\sphinxhyphen{}granting ticket.
Application servers that wish to ensure that the user’s key has been
recently presented for verification could specify that this flag must
be set to accept the ticket.

\sphinxAtStartPar
An \sphinxstylestrong{invalid} ticket must be rejected by application servers.
Postdated tickets are usually issued with this flag set, and must be
validated by the KDC before they can be used.

\sphinxAtStartPar
A \sphinxstylestrong{preauthenticated} ticket is one that was only issued after the
client requesting the ticket had authenticated itself to the KDC.

\sphinxAtStartPar
The \sphinxstylestrong{hardware authentication} flag is set on a ticket which required
the use of hardware for authentication.  The hardware is expected to
be possessed only by the client which requested the tickets.

\sphinxAtStartPar
If a ticket has the \sphinxstylestrong{transit policy} checked flag set, then the KDC
that issued this ticket implements the transited\sphinxhyphen{}realm check policy
and checked the transited\sphinxhyphen{}realms list on the ticket.  The
transited\sphinxhyphen{}realms list contains a list of all intermediate realms
between the realm of the KDC that issued the first ticket and that of
the one that issued the current ticket.  If this flag is not set, then
the application server must check the transited realms itself or else
reject the ticket.

\sphinxAtStartPar
The \sphinxstylestrong{okay as delegate} flag indicates that the server specified in
the ticket is suitable as a delegate as determined by the policy of
that realm.  Some client applications may use this flag to decide
whether to forward tickets to a remote host, although many
applications do not honor it.

\sphinxAtStartPar
An \sphinxstylestrong{anonymous} ticket is one in which the named principal is a
generic principal for that realm; it does not actually specify the
individual that will be using the ticket.  This ticket is meant only
to securely distribute a session key.


\section{Obtaining tickets with kinit}
\label{\detokenize{user/tkt_mgmt:obtaining-tickets-with-kinit}}\label{\detokenize{user/tkt_mgmt:obtain-tkt}}
\sphinxAtStartPar
If your site has integrated Kerberos V5 with the login system, you
will get Kerberos tickets automatically when you log in.  Otherwise,
you may need to explicitly obtain your Kerberos tickets, using the
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} program.  Similarly, if your Kerberos tickets expire,
use the kinit program to obtain new ones.

\sphinxAtStartPar
To use the kinit program, simply type \sphinxcode{\sphinxupquote{kinit}} and then type your
password at the prompt. For example, Jennifer (whose username is
\sphinxcode{\sphinxupquote{jennifer}}) works for Bleep, Inc. (a fictitious company with the
domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU).  She would
type:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{jennifer}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
If you type your password incorrectly, kinit will give you the
following error message:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{the} \PYG{n}{wrong} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]}
\PYG{n}{kinit}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
and you won’t get Kerberos tickets.

\sphinxAtStartPar
By default, kinit assumes you want tickets for your own username in
your default realm.  Suppose Jennifer’s friend David is visiting, and
he wants to borrow a window to check his mail.  David needs to get
tickets for himself in his own realm, EXAMPLE.COM.  He would type:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
David would then have tickets which he could use to log onto his own
machine.  Note that he typed his password locally on Jennifer’s
machine, but it never went over the network.  Kerberos on the local
host performed the authentication to the KDC in the other realm.

\sphinxAtStartPar
If you want to be able to forward your tickets to another host, you
need to request forwardable tickets.  You do this by specifying the
\sphinxstylestrong{\sphinxhyphen{}f} option:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{your} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Note that kinit does not tell you that it obtained forwardable
tickets; you can verify this using the {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command (see
{\hyperref[\detokenize{user/tkt_mgmt:view-tkt}]{\sphinxcrossref{\DUrole{std,std-ref}{Viewing tickets with klist}}}}).

\sphinxAtStartPar
Normally, your tickets are good for your system’s default ticket
lifetime, which is ten hours on many systems.  You can specify a
different ticket lifetime with the \sphinxstylestrong{\sphinxhyphen{}l} option.  Add the letter
\sphinxstylestrong{s} to the value for seconds, \sphinxstylestrong{m} for minutes, \sphinxstylestrong{h} for hours, or
\sphinxstylestrong{d} for days.  For example, to obtain forwardable tickets for
\sphinxcode{\sphinxupquote{david@EXAMPLE.COM}} that would be good for three hours, you would
type:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3}\PYG{n}{h} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
You cannot mix units; specifying a lifetime of 3h30m would
result in an error.  Note also that most systems specify a
maximum ticket lifetime.  If you request a longer ticket
lifetime, it will be automatically truncated to the maximum
lifetime.
\end{sphinxadmonition}


\section{Viewing tickets with klist}
\label{\detokenize{user/tkt_mgmt:viewing-tickets-with-klist}}\label{\detokenize{user/tkt_mgmt:view-tkt}}
\sphinxAtStartPar
The {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command shows your tickets.  When you first obtain
tickets, you will have only the ticket\sphinxhyphen{}granting ticket.  The listing
would look like this:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
The ticket cache is the location of your ticket file. In the above
example, this file is named \sphinxcode{\sphinxupquote{/tmp/krb5cc\_ttypa}}. The default
principal is your Kerberos principal.

\sphinxAtStartPar
The “valid starting” and “expires” fields describe the period of time
during which the ticket is valid.  The “service principal” describes
each ticket.  The ticket\sphinxhyphen{}granting ticket has a first component
\sphinxcode{\sphinxupquote{krbtgt}}, and a second component which is the realm name.

\sphinxAtStartPar
Now, if \sphinxcode{\sphinxupquote{jennifer}} connected to the machine \sphinxcode{\sphinxupquote{daffodil.mit.edu}},
and then typed “klist” again, she would have gotten the following
result:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Here’s what happened: when \sphinxcode{\sphinxupquote{jennifer}} used ssh to connect to the
host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}, the ssh program presented her
ticket\sphinxhyphen{}granting ticket to the KDC and requested a host ticket for the
host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}.  The KDC sent the host ticket, which ssh
then presented to the host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}, and she was allowed
to log in without typing her password.

\sphinxAtStartPar
Suppose your Kerberos tickets allow you to log into a host in another
domain, such as \sphinxcode{\sphinxupquote{trillium.example.com}}, which is also in another
Kerberos realm, \sphinxcode{\sphinxupquote{EXAMPLE.COM}}.  If you ssh to this host, you will
receive a ticket\sphinxhyphen{}granting ticket for the realm \sphinxcode{\sphinxupquote{EXAMPLE.COM}}, plus
the new host ticket for \sphinxcode{\sphinxupquote{trillium.example.com}}.  klist will now
show:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Depending on your host’s and realm’s configuration, you may also see a
ticket with the service principal \sphinxcode{\sphinxupquote{host/trillium.example.com@}}.  If
so, this means that your host did not know what realm
trillium.example.com is in, so it asked the \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} KDC for
a referral.  The next time you connect to \sphinxcode{\sphinxupquote{trillium.example.com}},
the odd\sphinxhyphen{}looking entry will be used to avoid needing to ask for a
referral again.

\sphinxAtStartPar
You can use the \sphinxstylestrong{\sphinxhyphen{}f} option to view the flags that apply to your
tickets.  The flags are:


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
F
&
\sphinxAtStartPar
Forwardable
\\
\sphinxhline
\sphinxAtStartPar
f
&
\sphinxAtStartPar
forwarded
\\
\sphinxhline
\sphinxAtStartPar
P
&
\sphinxAtStartPar
Proxiable
\\
\sphinxhline
\sphinxAtStartPar
p
&
\sphinxAtStartPar
proxy
\\
\sphinxhline
\sphinxAtStartPar
D
&
\sphinxAtStartPar
postDateable
\\
\sphinxhline
\sphinxAtStartPar
d
&
\sphinxAtStartPar
postdated
\\
\sphinxhline
\sphinxAtStartPar
R
&
\sphinxAtStartPar
Renewable
\\
\sphinxhline
\sphinxAtStartPar
I
&
\sphinxAtStartPar
Initial
\\
\sphinxhline
\sphinxAtStartPar
i
&
\sphinxAtStartPar
invalid
\\
\sphinxhline
\sphinxAtStartPar
H
&
\sphinxAtStartPar
Hardware authenticated
\\
\sphinxhline
\sphinxAtStartPar
A
&
\sphinxAtStartPar
preAuthenticated
\\
\sphinxhline
\sphinxAtStartPar
T
&
\sphinxAtStartPar
Transit policy checked
\\
\sphinxhline
\sphinxAtStartPar
O
&
\sphinxAtStartPar
Okay as delegate
\\
\sphinxhline
\sphinxAtStartPar
a
&
\sphinxAtStartPar
anonymous
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\sphinxAtStartPar
Here is a sample listing.  In this example, the user \sphinxstyleemphasis{jennifer}
obtained her initial tickets (\sphinxstylestrong{I}), which are forwardable (\sphinxstylestrong{F})
and postdated (\sphinxstylestrong{d}) but not yet validated (\sphinxstylestrong{i}):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}320}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{Valid} \PYG{n}{starting}      \PYG{n}{Expires}             \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{06}\PYG{p}{:}\PYG{l+m+mi}{25}  \PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{25}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
        \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{FdiI}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
In the following example, the user \sphinxstyleemphasis{david}’s tickets were forwarded
(\sphinxstylestrong{f}) to this host from another host.  The tickets are reforwardable
(\sphinxstylestrong{F}):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}p11795}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}

\PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{52}\PYG{p}{:}\PYG{l+m+mi}{29}  \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
        \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff}
\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{03}\PYG{p}{:}\PYG{l+m+mi}{48}  \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
        \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}


\section{Destroying tickets with kdestroy}
\label{\detokenize{user/tkt_mgmt:destroying-tickets-with-kdestroy}}
\sphinxAtStartPar
Your Kerberos tickets are proof that you are indeed yourself, and
tickets could be stolen if someone gains access to a computer where
they are stored.  If this happens, the person who has them can
masquerade as you until they expire.  For this reason, you should
destroy your Kerberos tickets when you are away from your computer.

\sphinxAtStartPar
Destroying your tickets is easy.  Simply type kdestroy:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
If {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} fails to destroy your tickets, it will beep and
give an error message.  For example, if kdestroy can’t find any
tickets to destroy, it will give the following message:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy}
\PYG{n}{kdestroy}\PYG{p}{:} \PYG{n}{No} \PYG{n}{credentials} \PYG{n}{cache} \PYG{n}{file} \PYG{n}{found} \PYG{k}{while} \PYG{n}{destroying} \PYG{n}{cache}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxstepscope


\chapter{User config files}
\label{\detokenize{user/user_config/index:user-config-files}}\label{\detokenize{user/user_config/index::doc}}
\sphinxAtStartPar
The following files in your home directory can be used to control the
behavior of Kerberos as it applies to your account (unless they have
been disabled by your host’s configuration):

\sphinxstepscope


\section{kerberos}
\label{\detokenize{user/user_config/kerberos:kerberos}}\label{\detokenize{user/user_config/kerberos:kerberos-7}}\label{\detokenize{user/user_config/kerberos::doc}}

\subsection{DESCRIPTION}
\label{\detokenize{user/user_config/kerberos:description}}
\sphinxAtStartPar
The Kerberos system authenticates individual users in a network
environment.  After authenticating yourself to Kerberos, you can use
Kerberos\sphinxhyphen{}enabled programs without having to present passwords or
certificates to those programs.

\sphinxAtStartPar
If you receive the following response from {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}:

\sphinxAtStartPar
kinit: Client not found in Kerberos database while getting initial
credentials

\sphinxAtStartPar
you haven’t been registered as a Kerberos user.  See your system
administrator.

\sphinxAtStartPar
A Kerberos name usually contains three parts.  The first is the
\sphinxstylestrong{primary}, which is usually a user’s or service’s name.  The second
is the \sphinxstylestrong{instance}, which in the case of a user is usually null.
Some users may have privileged instances, however, such as \sphinxcode{\sphinxupquote{root}} or
\sphinxcode{\sphinxupquote{admin}}.  In the case of a service, the instance is the fully
qualified name of the machine on which it runs; i.e. there can be an
ssh service running on the machine ABC (\sphinxhref{mailto:ssh/ABC@REALM}{ssh/ABC@REALM}), which is
different from the ssh service running on the machine XYZ
(\sphinxhref{mailto:ssh/XYZ@REALM}{ssh/XYZ@REALM}).  The third part of a Kerberos name is the \sphinxstylestrong{realm}.
The realm corresponds to the Kerberos service providing authentication
for the principal.  Realms are conventionally all\sphinxhyphen{}uppercase, and often
match the end of hostnames in the realm (for instance, host01.example.com
might be in realm EXAMPLE.COM).

\sphinxAtStartPar
When writing a Kerberos name, the principal name is separated from the
instance (if not null) by a slash, and the realm (if not the local
realm) follows, preceded by an “@” sign.  The following are examples
of valid Kerberos names:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{david}
\PYG{n}{jennifer}\PYG{o}{/}\PYG{n}{admin}
\PYG{n}{joeuser}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{cbrown}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@FUBAR}\PYG{o}{.}\PYG{n}{ORG}
\end{sphinxVerbatim}

\sphinxAtStartPar
When you authenticate yourself with Kerberos you get an initial
Kerberos \sphinxstylestrong{ticket}.  (A Kerberos ticket is an encrypted protocol
message that provides authentication.)  Kerberos uses this ticket for
network utilities such as ssh.  The ticket transactions are done
transparently, so you don’t have to worry about their management.

\sphinxAtStartPar
Note, however, that tickets expire.  Administrators may configure more
privileged tickets, such as those with service or instance of \sphinxcode{\sphinxupquote{root}}
or \sphinxcode{\sphinxupquote{admin}}, to expire in a few minutes, while tickets that carry
more ordinary privileges may be good for several hours or a day.  If
your login session extends beyond the time limit, you will have to
re\sphinxhyphen{}authenticate yourself to Kerberos to get new tickets using the
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} command.

\sphinxAtStartPar
Some tickets are \sphinxstylestrong{renewable} beyond their initial lifetime.  This
means that \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}R}} can extend their lifetime without requiring
you to re\sphinxhyphen{}authenticate.

\sphinxAtStartPar
If you wish to delete your local tickets, use the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}
command.

\sphinxAtStartPar
Kerberos tickets can be forwarded.  In order to forward tickets, you
must request \sphinxstylestrong{forwardable} tickets when you kinit.  Once you have
forwardable tickets, most Kerberos programs have a command line option
to forward them to the remote host.  This can be useful for, e.g.,
running kinit on your local machine and then sshing into another to do
work.  Note that this should not be done on untrusted machines since
they will then have your tickets.


\subsection{ENVIRONMENT VARIABLES}
\label{\detokenize{user/user_config/kerberos:environment-variables}}
\sphinxAtStartPar
Several environment variables affect the operation of Kerberos\sphinxhyphen{}enabled
programs.  These include:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{KRB5CCNAME}}
\sphinxAtStartPar
Default name for the credentials cache file, in the form
\sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}.  The type of the default cache may determine
the availability of a cache collection.  \sphinxcode{\sphinxupquote{FILE}} is not a
collection type; \sphinxcode{\sphinxupquote{KEYRING}}, \sphinxcode{\sphinxupquote{DIR}}, and \sphinxcode{\sphinxupquote{KCM}} are.

\sphinxAtStartPar
If not set, the value of \sphinxstylestrong{default\_ccache\_name} from
configuration files (see \sphinxstylestrong{KRB5\_CONFIG}) will be used.  If that
is also not set, the default \sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{FILE}}, and the
\sphinxstyleemphasis{residual} is the path /tmp/krb5cc\_*uid*, where \sphinxstyleemphasis{uid} is the
decimal user ID of the user.

\sphinxlineitem{\sphinxstylestrong{KRB5\_KTNAME}}
\sphinxAtStartPar
Specifies the location of the default keytab file, in the form
\sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}.  If no \sphinxstyleemphasis{type} is present, the \sphinxstylestrong{FILE} type is
assumed and \sphinxstyleemphasis{residual} is the pathname of the keytab file.  If
unset, \DUrole{xref,std,std-ref}{DEFKTNAME} will be used.

\sphinxlineitem{\sphinxstylestrong{KRB5\_CONFIG}}
\sphinxAtStartPar
Specifies the location of the Kerberos configuration file.  The
default is \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/krb5.conf}}.  Multiple filenames can
be specified, separated by a colon; all files which are present
will be read.

\sphinxlineitem{\sphinxstylestrong{KRB5\_KDC\_PROFILE}}
\sphinxAtStartPar
Specifies the location of the KDC configuration file, which
contains additional configuration directives for the Key
Distribution Center daemon and associated programs.  The default
is \DUrole{xref,std,std-ref}{LOCALSTATEDIR}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kdc.conf}}.

\sphinxlineitem{\sphinxstylestrong{KRB5RCACHENAME}}
\sphinxAtStartPar
(New in release 1.18) Specifies the location of the default replay
cache, in the form \sphinxstyleemphasis{type}:\sphinxstyleemphasis{residual}.  The \sphinxcode{\sphinxupquote{file2}} type with a
pathname residual specifies a replay cache file in the version\sphinxhyphen{}2
format in the specified location.  The \sphinxcode{\sphinxupquote{none}} type (residual is
ignored) disables the replay cache.  The \sphinxcode{\sphinxupquote{dfl}} type (residual is
ignored) indicates the default, which uses a file2 replay cache in
a temporary directory.  The default is \sphinxcode{\sphinxupquote{dfl:}}.

\sphinxlineitem{\sphinxstylestrong{KRB5RCACHETYPE}}
\sphinxAtStartPar
Specifies the type of the default replay cache, if
\sphinxstylestrong{KRB5RCACHENAME} is unspecified.  No residual can be specified,
so \sphinxcode{\sphinxupquote{none}} and \sphinxcode{\sphinxupquote{dfl}} are the only useful types.

\sphinxlineitem{\sphinxstylestrong{KRB5RCACHEDIR}}
\sphinxAtStartPar
Specifies the directory used by the \sphinxcode{\sphinxupquote{dfl}} replay cache type.
The default is the value of the \sphinxstylestrong{TMPDIR} environment variable,
or \sphinxcode{\sphinxupquote{/var/tmp}} if \sphinxstylestrong{TMPDIR} is not set.

\sphinxlineitem{\sphinxstylestrong{KRB5\_TRACE}}
\sphinxAtStartPar
Specifies a filename to write trace log output to.  Trace logs can
help illuminate decisions made internally by the Kerberos
libraries.  For example, \sphinxcode{\sphinxupquote{env KRB5\_TRACE=/dev/stderr kinit}}
would send tracing information for {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} to
\sphinxcode{\sphinxupquote{/dev/stderr}}.  The default is not to write trace log output
anywhere.

\sphinxlineitem{\sphinxstylestrong{KRB5\_CLIENT\_KTNAME}}
\sphinxAtStartPar
Default client keytab file name.  If unset, \DUrole{xref,std,std-ref}{DEFCKTNAME} will be
used).

\sphinxlineitem{\sphinxstylestrong{KPROP\_PORT}}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{kprop(8)} port to use.  Defaults to 754.

\sphinxlineitem{\sphinxstylestrong{GSS\_MECH\_CONFIG}}
\sphinxAtStartPar
Specifies a filename containing GSSAPI mechanism module
configuration.  The default is to read \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/gss/mech}}
and files with a \sphinxcode{\sphinxupquote{.conf}} suffix within the directory
\DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/gss/mech.d}}.

\end{description}

\sphinxAtStartPar
Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.


\subsection{SEE ALSO}
\label{\detokenize{user/user_config/kerberos:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}},
{\hyperref[\detokenize{user/user_commands/kswitch:kswitch-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kswitch}}}}, {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}}, {\hyperref[\detokenize{user/user_commands/ksu:ksu-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ksu}}}},
\DUrole{xref,std,std-ref}{krb5.conf(5)}, \DUrole{xref,std,std-ref}{kdc.conf(5)}, \DUrole{xref,std,std-ref}{kadmin(1)},
\DUrole{xref,std,std-ref}{kadmind(8)}, \DUrole{xref,std,std-ref}{kdb5\_util(8)}, \DUrole{xref,std,std-ref}{krb5kdc(8)}


\subsection{BUGS}
\label{\detokenize{user/user_config/kerberos:bugs}}

\subsection{AUTHORS}
\label{\detokenize{user/user_config/kerberos:authors}}
\begin{DUlineblock}{0em}
\item[] Steve Miller, MIT Project Athena/Digital Equipment Corporation
\item[] Clifford Neuman, MIT Project Athena
\item[] Greg Hudson, MIT Kerberos Consortium
\item[] Robbie Harwood, Red Hat, Inc.
\end{DUlineblock}


\subsection{HISTORY}
\label{\detokenize{user/user_config/kerberos:history}}
\sphinxAtStartPar
The MIT Kerberos 5 implementation was developed at MIT, with
contributions from many outside parties.  It is currently maintained
by the MIT Kerberos Consortium.


\subsection{RESTRICTIONS}
\label{\detokenize{user/user_config/kerberos:restrictions}}
\sphinxAtStartPar
Copyright 1985, 1986, 1989\sphinxhyphen{}1996, 2002, 2011, 2018 Masachusetts
Institute of Technology

\sphinxstepscope


\section{.k5login}
\label{\detokenize{user/user_config/k5login:k5login}}\label{\detokenize{user/user_config/k5login:k5login-5}}\label{\detokenize{user/user_config/k5login::doc}}

\subsection{DESCRIPTION}
\label{\detokenize{user/user_config/k5login:description}}
\sphinxAtStartPar
The .k5login file, which resides in a user’s home directory, contains
a list of the Kerberos principals.  Anyone with valid tickets for a
principal in the file is allowed host access with the UID of the user
in whose home directory the file resides.  One common use is to place
a .k5login file in root’s home directory, thereby granting system
administrators remote root access to the host via Kerberos.


\subsection{EXAMPLES}
\label{\detokenize{user/user_config/k5login:examples}}
\sphinxAtStartPar
Suppose the user \sphinxcode{\sphinxupquote{alice}} had a .k5login file in her home directory
containing just the following line:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{bob}\PYG{n+nd}{@FOOBAR}\PYG{o}{.}\PYG{n}{ORG}
\end{sphinxVerbatim}

\sphinxAtStartPar
This would allow \sphinxcode{\sphinxupquote{bob}} to use Kerberos network applications, such as
ssh(1), to access \sphinxcode{\sphinxupquote{alice}}’s account, using \sphinxcode{\sphinxupquote{bob}}’s Kerberos
tickets.  In a default configuration (with \sphinxstylestrong{k5login\_authoritative} set
to true in \DUrole{xref,std,std-ref}{krb5.conf(5)}), this .k5login file would not let
\sphinxcode{\sphinxupquote{alice}} use those network applications to access her account, since
she is not listed!  With no .k5login file, or with \sphinxstylestrong{k5login\_authoritative}
set to false, a default rule would permit the principal \sphinxcode{\sphinxupquote{alice}} in the
machine’s default realm to access the \sphinxcode{\sphinxupquote{alice}} account.

\sphinxAtStartPar
Let us further suppose that \sphinxcode{\sphinxupquote{alice}} is a system administrator.
Alice and the other system administrators would have their principals
in root’s .k5login file on each host:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}

\PYG{n}{joeadmin}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
\end{sphinxVerbatim}

\sphinxAtStartPar
This would allow either system administrator to log in to these hosts
using their Kerberos tickets instead of having to type the root
password.  Note that because \sphinxcode{\sphinxupquote{bob}} retains the Kerberos tickets for
his own principal, \sphinxcode{\sphinxupquote{bob@FOOBAR.ORG}}, he would not have any of the
privileges that require \sphinxcode{\sphinxupquote{alice}}’s tickets, such as root access to
any of the site’s hosts, or the ability to change \sphinxcode{\sphinxupquote{alice}}’s
password.


\subsection{SEE ALSO}
\label{\detokenize{user/user_config/k5login:see-also}}
\sphinxAtStartPar
kerberos(1)

\sphinxstepscope


\section{.k5identity}
\label{\detokenize{user/user_config/k5identity:k5identity}}\label{\detokenize{user/user_config/k5identity:k5identity-5}}\label{\detokenize{user/user_config/k5identity::doc}}

\subsection{DESCRIPTION}
\label{\detokenize{user/user_config/k5identity:description}}
\sphinxAtStartPar
The .k5identity file, which resides in a user’s home directory,
contains a list of rules for selecting a client principals based on
the server being accessed.  These rules are used to choose a
credential cache within the cache collection when possible.

\sphinxAtStartPar
Blank lines and lines beginning with \sphinxcode{\sphinxupquote{\#}} are ignored.  Each line has
the form:
\begin{quote}

\sphinxAtStartPar
\sphinxstyleemphasis{principal} \sphinxstyleemphasis{field}=\sphinxstyleemphasis{value} …
\end{quote}

\sphinxAtStartPar
If the server principal meets all of the field constraints, then
principal is chosen as the client principal.  The following fields are
recognized:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{realm}}
\sphinxAtStartPar
If the realm of the server principal is known, it is matched
against \sphinxstyleemphasis{value}, which may be a pattern using shell wildcards.
For host\sphinxhyphen{}based server principals, the realm will generally only be
known if there is a \DUrole{xref,std,std-ref}{domain\_realm} section in
\DUrole{xref,std,std-ref}{krb5.conf(5)} with a mapping for the hostname.

\sphinxlineitem{\sphinxstylestrong{service}}
\sphinxAtStartPar
If the server principal is a host\sphinxhyphen{}based principal, its service
component is matched against \sphinxstyleemphasis{value}, which may be a pattern using
shell wildcards.

\sphinxlineitem{\sphinxstylestrong{host}}
\sphinxAtStartPar
If the server principal is a host\sphinxhyphen{}based principal, its hostname
component is converted to lower case and matched against \sphinxstyleemphasis{value},
which may be a pattern using shell wildcards.

\sphinxAtStartPar
If the server principal matches the constraints of multiple lines
in the .k5identity file, the principal from the first matching
line is used.  If no line matches, credentials will be selected
some other way, such as the realm heuristic or the current primary
cache.

\end{description}


\subsection{EXAMPLE}
\label{\detokenize{user/user_config/k5identity:example}}
\sphinxAtStartPar
The following example .k5identity file selects the client principal
\sphinxcode{\sphinxupquote{alice@KRBTEST.COM}} if the server principal is within that realm,
the principal \sphinxcode{\sphinxupquote{alice/root@EXAMPLE.COM}} if the server host is within
a servers subdomain, and the principal \sphinxcode{\sphinxupquote{alice/mail@EXAMPLE.COM}} when
accessing the IMAP service on \sphinxcode{\sphinxupquote{mail.example.com}}:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{alice}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM}       \PYG{n}{realm}\PYG{o}{=}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{alice}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}  \PYG{n}{host}\PYG{o}{=}\PYG{o}{*}\PYG{o}{.}\PYG{n}{servers}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
\PYG{n}{alice}\PYG{o}{/}\PYG{n}{mail}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}  \PYG{n}{host}\PYG{o}{=}\PYG{n}{mail}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{service}\PYG{o}{=}\PYG{n}{imap}
\end{sphinxVerbatim}


\subsection{SEE ALSO}
\label{\detokenize{user/user_config/k5identity:see-also}}
\sphinxAtStartPar
kerberos(1), \DUrole{xref,std,std-ref}{krb5.conf(5)}

\sphinxstepscope


\chapter{User commands}
\label{\detokenize{user/user_commands/index:user-commands}}\label{\detokenize{user/user_commands/index:id1}}\label{\detokenize{user/user_commands/index::doc}}
\sphinxstepscope


\section{kdestroy}
\label{\detokenize{user/user_commands/kdestroy:kdestroy}}\label{\detokenize{user/user_commands/kdestroy:kdestroy-1}}\label{\detokenize{user/user_commands/kdestroy::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/kdestroy:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kdestroy}
{[}\sphinxstylestrong{\sphinxhyphen{}A}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}q}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{princ\_name}{]}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/kdestroy:description}}
\sphinxAtStartPar
The kdestroy utility destroys the user’s active Kerberos authorization
tickets by overwriting and deleting the credentials cache that
contains them.  If the credentials cache is not specified, the default
credentials cache is destroyed.


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/kdestroy:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}A}}
\sphinxAtStartPar
Destroys all caches in the collection, if a cache collection is
available.  May be used with the \sphinxstylestrong{\sphinxhyphen{}c} option to specify the
collection to be destroyed.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q}}
\sphinxAtStartPar
Run quietly.  Normally kdestroy beeps if it fails to destroy the
user’s tickets.  The \sphinxstylestrong{\sphinxhyphen{}q} flag suppresses this behavior.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}}
\sphinxAtStartPar
Use \sphinxstyleemphasis{cache\_name} as the credentials (ticket) cache name and
location; if this option is not used, the default cache name and
location are used.

\sphinxAtStartPar
The default credentials cache may vary between systems.  If the
\sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to
name the default ticket cache.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{princ\_name}}
\sphinxAtStartPar
If a cache collection is available, destroy the cache for
\sphinxstyleemphasis{princ\_name} instead of the primary cache.  May be used with the
\sphinxstylestrong{\sphinxhyphen{}c} option to specify the collection to be searched.

\end{description}


\subsection{NOTE}
\label{\detokenize{user/user_commands/kdestroy:note}}
\sphinxAtStartPar
Most installations recommend that you place the kdestroy command in
your .logout file, so that your tickets are destroyed automatically
when you log out.


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/kdestroy:environment}}
\sphinxAtStartPar
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{FILES}
\label{\detokenize{user/user_commands/kdestroy:files}}\begin{description}
\sphinxlineitem{\DUrole{xref,std,std-ref}{DEFCCNAME}}
\sphinxAtStartPar
Default location of Kerberos 5 credentials cache

\end{description}


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/kdestroy:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}

\sphinxstepscope


\section{kinit}
\label{\detokenize{user/user_commands/kinit:kinit}}\label{\detokenize{user/user_commands/kinit:kinit-1}}\label{\detokenize{user/user_commands/kinit::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/kinit:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kinit}
{[}\sphinxstylestrong{\sphinxhyphen{}V}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{start\_time}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{renewable\_life}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}p} | \sphinxhyphen{}\sphinxstylestrong{P}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}f} | \sphinxhyphen{}\sphinxstylestrong{F}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}a}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}A}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}C}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}E}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}v}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}R}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i} | \sphinxhyphen{}\sphinxstylestrong{t} \sphinxstyleemphasis{keytab\_file}{]}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}n}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{service\_name}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{input\_ccache}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{armor\_ccache}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}{]}
{[}\sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} | \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac}{]}
{[}\sphinxstyleemphasis{principal}{]}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/kinit:description}}
\sphinxAtStartPar
kinit obtains and caches an initial ticket\sphinxhyphen{}granting ticket for
\sphinxstyleemphasis{principal}.  If \sphinxstyleemphasis{principal} is absent, kinit chooses an appropriate
principal name based on existing credential cache contents or the
local username of the user invoking kinit.  Some options modify the
choice of principal name.


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/kinit:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}V}}
\sphinxAtStartPar
display verbose output.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Requests a ticket with the lifetime
\sphinxstyleemphasis{lifetime}.

\sphinxAtStartPar
For example, \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}l 5:30}} or \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}l 5h30m}}.

\sphinxAtStartPar
If the \sphinxstylestrong{\sphinxhyphen{}l} option is not specified, the default ticket lifetime
(configured by each site) is used.  Specifying a ticket lifetime
longer than the maximum ticket lifetime (configured by each site)
will not override the configured maximum ticket lifetime.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{start\_time}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Requests a postdated ticket.  Postdated
tickets are issued with the \sphinxstylestrong{invalid} flag set, and need to be
resubmitted to the KDC for validation before use.

\sphinxAtStartPar
\sphinxstyleemphasis{start\_time} specifies the duration of the delay before the ticket
can become valid.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{renewable\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Requests renewable tickets, with a total
lifetime of \sphinxstyleemphasis{renewable\_life}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f}}
\sphinxAtStartPar
requests forwardable tickets.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}F}}
\sphinxAtStartPar
requests non\sphinxhyphen{}forwardable tickets.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p}}
\sphinxAtStartPar
requests proxiable tickets.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P}}
\sphinxAtStartPar
requests non\sphinxhyphen{}proxiable tickets.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}a}}
\sphinxAtStartPar
requests tickets restricted to the host’s local address{[}es{]}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}A}}
\sphinxAtStartPar
requests tickets not restricted by address.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}C}}
\sphinxAtStartPar
requests canonicalization of the principal name, and allows the
KDC to reply with a different client principal from the one
requested.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}E}}
\sphinxAtStartPar
treats the principal name as an enterprise name.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}v}}
\sphinxAtStartPar
requests that the ticket\sphinxhyphen{}granting ticket in the cache (with the
\sphinxstylestrong{invalid} flag set) be passed to the KDC for validation.  If the
ticket is within its requested time range, the cache is replaced
with the validated ticket.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}R}}
\sphinxAtStartPar
requests renewal of the ticket\sphinxhyphen{}granting ticket.  Note that an
expired ticket cannot be renewed, even if the ticket is still
within its renewable life.

\sphinxAtStartPar
Note that renewable tickets that have expired as reported by
{\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} may sometimes be renewed using this option,
because the KDC applies a grace period to account for client\sphinxhyphen{}KDC
clock skew.  See \DUrole{xref,std,std-ref}{krb5.conf(5)} \sphinxstylestrong{clockskew} setting.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i} | \sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab\_file}{]}}
\sphinxAtStartPar
requests a ticket, obtained from a key in the local host’s keytab.
The location of the keytab may be specified with the \sphinxstylestrong{\sphinxhyphen{}t}
\sphinxstyleemphasis{keytab\_file} option, or with the \sphinxstylestrong{\sphinxhyphen{}i} option to specify the use
of the default client keytab; otherwise the default keytab will be
used.  By default, a host ticket for the local host is requested,
but any principal may be specified.  On a KDC, the special keytab
location \sphinxcode{\sphinxupquote{KDB:}} can be used to indicate that kinit should open
the KDC database and look up the key directly.  This permits an
administrator to obtain tickets as any principal that supports
authentication based on the key.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n}}
\sphinxAtStartPar
Requests anonymous processing.  Two types of anonymous principals
are supported.

\sphinxAtStartPar
For fully anonymous Kerberos, configure pkinit on the KDC and
configure \sphinxstylestrong{pkinit\_anchors} in the client’s \DUrole{xref,std,std-ref}{krb5.conf(5)}.
Then use the \sphinxstylestrong{\sphinxhyphen{}n} option with a principal of the form \sphinxcode{\sphinxupquote{@REALM}}
(an empty principal name followed by the at\sphinxhyphen{}sign and a realm
name).  If permitted by the KDC, an anonymous ticket will be
returned.

\sphinxAtStartPar
A second form of anonymous tickets is supported; these
realm\sphinxhyphen{}exposed tickets hide the identity of the client but not the
client’s realm.  For this mode, use \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}n}} with a normal
principal name.  If supported by the KDC, the principal (but not
realm) will be replaced by the anonymous principal.

\sphinxAtStartPar
As of release 1.8, the MIT Kerberos KDC only supports fully
anonymous operation.

\end{description}

\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{input\_ccache}
\begin{quote}

\sphinxAtStartPar
Specifies the name of a credentials cache that already contains a
ticket.  When obtaining that ticket, if information about how that
ticket was obtained was also stored to the cache, that information
will be used to affect how new credentials are obtained, including
preselecting the same methods of authenticating to the KDC.
\end{quote}
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{armor\_ccache}}
\sphinxAtStartPar
Specifies the name of a credentials cache that already contains a
ticket.  If supported by the KDC, this cache will be used to armor
the request, preventing offline dictionary attacks and allowing
the use of additional preauthentication mechanisms.  Armoring also
makes sure that the response from the KDC is not modified in
transit.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}}
\sphinxAtStartPar
use \sphinxstyleemphasis{cache\_name} as the Kerberos 5 credentials (ticket) cache
location.  If this option is not used, the default cache location
is used.

\sphinxAtStartPar
The default cache location may vary between systems.  If the
\sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to
locate the default cache.  If a principal name is specified and
the type of the default cache supports a collection (such as the
DIR type), an existing cache containing credentials for the
principal is selected or a new one is created and becomes the new
primary cache.  Otherwise, any existing contents of the default
cache are destroyed by kinit.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{service\_name}}
\sphinxAtStartPar
specify an alternate service name to use when getting initial
tickets.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}}
\sphinxAtStartPar
specify a pre\sphinxhyphen{}authentication \sphinxstyleemphasis{attribute} and \sphinxstyleemphasis{value} to be
interpreted by pre\sphinxhyphen{}authentication modules.  The acceptable
attribute and value values vary from module to module.  This
option may be specified multiple times to specify multiple
attributes.  If no value is specified, it is assumed to be “yes”.

\sphinxAtStartPar
The following attributes are recognized by the PKINIT
pre\sphinxhyphen{}authentication mechanism:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{X509\_user\_identity}=\sphinxstyleemphasis{value}}
\sphinxAtStartPar
specify where to find user’s X509 identity information

\sphinxlineitem{\sphinxstylestrong{X509\_anchors}=\sphinxstyleemphasis{value}}
\sphinxAtStartPar
specify where to find trusted X509 anchor information

\sphinxlineitem{\sphinxstylestrong{disable\_freshness}{[}\sphinxstylestrong{=yes}{]}}
\sphinxAtStartPar
disable sending freshness tokens (for testing purposes only)

\end{description}

\sphinxlineitem{\sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} | \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac}}
\sphinxAtStartPar
mutually exclusive.  If \sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} is set, ask the KDC to
include a PAC in authdata; if \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac} is set, ask the
KDC not to include a PAC; if neither are set,  the KDC will follow
its default, which is typically is to include a PAC if doing so is
supported.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/kinit:environment}}
\sphinxAtStartPar
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{FILES}
\label{\detokenize{user/user_commands/kinit:files}}\begin{description}
\sphinxlineitem{\DUrole{xref,std,std-ref}{DEFCCNAME}}
\sphinxAtStartPar
default location of Kerberos 5 credentials cache

\sphinxlineitem{\DUrole{xref,std,std-ref}{DEFKTNAME}}
\sphinxAtStartPar
default location for the local host’s keytab.

\end{description}


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/kinit:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}

\sphinxstepscope


\section{klist}
\label{\detokenize{user/user_commands/klist:klist}}\label{\detokenize{user/user_commands/klist:klist-1}}\label{\detokenize{user/user_commands/klist::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/klist:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{klist}
{[}\sphinxstylestrong{\sphinxhyphen{}e}{]}
{[}{[}\sphinxstylestrong{\sphinxhyphen{}c}{]} {[}\sphinxstylestrong{\sphinxhyphen{}l}{]} {[}\sphinxstylestrong{\sphinxhyphen{}A}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s}{]} {[}\sphinxstylestrong{\sphinxhyphen{}a} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]}{]}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}C}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i}{]} {[}\sphinxstylestrong{\sphinxhyphen{}t}{]} {[}\sphinxstylestrong{\sphinxhyphen{}K}{]}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}V}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}d}{]}
{[}\sphinxstyleemphasis{cache\_name}|\sphinxstyleemphasis{keytab\_name}{]}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/klist:description}}
\sphinxAtStartPar
klist lists the Kerberos principal and Kerberos tickets held in a
credentials cache, or the keys held in a keytab file.


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/klist:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e}}
\sphinxAtStartPar
Displays the encryption types of the session key and the ticket
for each credential in the credential cache, or each key in the
keytab file.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}l}}
\sphinxAtStartPar
If a cache collection is available, displays a table summarizing
the caches present in the collection.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}A}}
\sphinxAtStartPar
If a cache collection is available, displays the contents of all
of the caches in the collection.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c}}
\sphinxAtStartPar
List tickets held in a credentials cache. This is the default if
neither \sphinxstylestrong{\sphinxhyphen{}c} nor \sphinxstylestrong{\sphinxhyphen{}k} is specified.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f}}
\sphinxAtStartPar
Shows the flags present in the credentials, using the following
abbreviations:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{F}    \PYG{n}{Forwardable}
\PYG{n}{f}    \PYG{n}{forwarded}
\PYG{n}{P}    \PYG{n}{Proxiable}
\PYG{n}{p}    \PYG{n}{proxy}
\PYG{n}{D}    \PYG{n}{postDateable}
\PYG{n}{d}    \PYG{n}{postdated}
\PYG{n}{R}    \PYG{n}{Renewable}
\PYG{n}{I}    \PYG{n}{Initial}
\PYG{n}{i}    \PYG{n}{invalid}
\PYG{n}{H}    \PYG{n}{Hardware} \PYG{n}{authenticated}
\PYG{n}{A}    \PYG{n}{preAuthenticated}
\PYG{n}{T}    \PYG{n}{Transit} \PYG{n}{policy} \PYG{n}{checked}
\PYG{n}{O}    \PYG{n}{Okay} \PYG{k}{as} \PYG{n}{delegate}
\PYG{n}{a}    \PYG{n}{anonymous}
\end{sphinxVerbatim}

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s}}
\sphinxAtStartPar
Causes klist to run silently (produce no output).  klist will exit
with status 1 if the credentials cache cannot be read or is
expired, and with status 0 otherwise.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}a}}
\sphinxAtStartPar
Display list of addresses in credentials.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n}}
\sphinxAtStartPar
Show numeric addresses instead of reverse\sphinxhyphen{}resolving addresses.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}C}}
\sphinxAtStartPar
List configuration data that has been stored in the credentials
cache when klist encounters it.  By default, configuration data
is not listed.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k}}
\sphinxAtStartPar
List keys held in a keytab file.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}i}}
\sphinxAtStartPar
In combination with \sphinxstylestrong{\sphinxhyphen{}k}, defaults to using the default client
keytab instead of the default acceptor keytab, if no name is
given.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}t}}
\sphinxAtStartPar
Display the time entry timestamps for each keytab entry in the
keytab file.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}K}}
\sphinxAtStartPar
Display the value of the encryption key in each keytab entry in
the keytab file.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d}}
\sphinxAtStartPar
Display the authdata types (if any) for each entry.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}V}}
\sphinxAtStartPar
Display the Kerberos version number and exit.

\end{description}

\sphinxAtStartPar
If \sphinxstyleemphasis{cache\_name} or \sphinxstyleemphasis{keytab\_name} is not specified, klist will display
the credentials in the default credentials cache or keytab file as
appropriate.  If the \sphinxstylestrong{KRB5CCNAME} environment variable is set, its
value is used to locate the default ticket cache.


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/klist:environment}}
\sphinxAtStartPar
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{FILES}
\label{\detokenize{user/user_commands/klist:files}}\begin{description}
\sphinxlineitem{\DUrole{xref,std,std-ref}{DEFCCNAME}}
\sphinxAtStartPar
Default location of Kerberos 5 credentials cache

\sphinxlineitem{\DUrole{xref,std,std-ref}{DEFKTNAME}}
\sphinxAtStartPar
Default location for the local host’s keytab file.

\end{description}


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/klist:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}

\sphinxstepscope


\section{kpasswd}
\label{\detokenize{user/user_commands/kpasswd:kpasswd}}\label{\detokenize{user/user_commands/kpasswd:kpasswd-1}}\label{\detokenize{user/user_commands/kpasswd::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/kpasswd:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kpasswd} {[}\sphinxstyleemphasis{principal}{]}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/kpasswd:description}}
\sphinxAtStartPar
The kpasswd command is used to change a Kerberos principal’s password.
kpasswd first prompts for the current Kerberos password, then prompts
the user twice for the new password, and the password is changed.

\sphinxAtStartPar
If the principal is governed by a policy that specifies the length
and/or number of character classes required in the new password, the
new password must conform to the policy.  (The five character classes
are lower case, upper case, numbers, punctuation, and all other
characters.)


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/kpasswd:options}}\begin{description}
\sphinxlineitem{\sphinxstyleemphasis{principal}}
\sphinxAtStartPar
Change the password for the Kerberos principal principal.
Otherwise, kpasswd uses the principal name from an existing ccache
if there is one; if not, the principal is derived from the
identity of the user invoking the kpasswd command.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/kpasswd:environment}}
\sphinxAtStartPar
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/kpasswd:see-also}}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{kadmin(1)}, \DUrole{xref,std,std-ref}{kadmind(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}

\sphinxstepscope


\section{krb5\sphinxhyphen{}config}
\label{\detokenize{user/user_commands/krb5-config:krb5-config}}\label{\detokenize{user/user_commands/krb5-config:krb5-config-1}}\label{\detokenize{user/user_commands/krb5-config::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/krb5-config:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{krb5\sphinxhyphen{}config}
{[}\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}help} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}all} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}version} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}vendor} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defccname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defktname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defcktname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}cflags} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}libs} {[}\sphinxstyleemphasis{libraries}{]}{]}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/krb5-config:description}}
\sphinxAtStartPar
krb5\sphinxhyphen{}config tells the application programmer what flags to use to compile
and link programs against the installed Kerberos libraries.


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/krb5-config:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}help}}
\sphinxAtStartPar
prints a usage message.  This is the default behavior when no options
are specified.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}all}}
\sphinxAtStartPar
prints the version, vendor, prefix, and exec\sphinxhyphen{}prefix.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}version}}
\sphinxAtStartPar
prints the version number of the Kerberos installation.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}vendor}}
\sphinxAtStartPar
prints the name of the vendor of the Kerberos installation.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix}}
\sphinxAtStartPar
prints the prefix for which the Kerberos installation was built.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix}}
\sphinxAtStartPar
prints the prefix for executables for which the Kerberos installation
was built.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defccname}}
\sphinxAtStartPar
prints the built\sphinxhyphen{}in default credentials cache location.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defktname}}
\sphinxAtStartPar
prints the built\sphinxhyphen{}in default keytab location.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defcktname}}
\sphinxAtStartPar
prints the built\sphinxhyphen{}in default client (initiator) keytab location.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}cflags}}
\sphinxAtStartPar
prints the compilation flags used to build the Kerberos installation.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}libs} {[}\sphinxstyleemphasis{library}{]}}
\sphinxAtStartPar
prints the compiler options needed to link against \sphinxstyleemphasis{library}.
Allowed values for \sphinxstyleemphasis{library} are:


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
krb5
&
\sphinxAtStartPar
Kerberos 5 applications (default)
\\
\sphinxhline
\sphinxAtStartPar
gssapi
&
\sphinxAtStartPar
GSSAPI applications with Kerberos 5 bindings
\\
\sphinxhline
\sphinxAtStartPar
kadm\sphinxhyphen{}client
&
\sphinxAtStartPar
Kadmin client
\\
\sphinxhline
\sphinxAtStartPar
kadm\sphinxhyphen{}server
&
\sphinxAtStartPar
Kadmin server
\\
\sphinxhline
\sphinxAtStartPar
kdb
&
\sphinxAtStartPar
Applications that access the Kerberos database
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\end{description}


\subsection{EXAMPLES}
\label{\detokenize{user/user_commands/krb5-config:examples}}
\sphinxAtStartPar
krb5\sphinxhyphen{}config is particularly useful for compiling against a Kerberos
installation that was installed in a non\sphinxhyphen{}standard location.  For example,
a Kerberos installation that is installed in \sphinxcode{\sphinxupquote{/opt/krb5/}} but uses
libraries in \sphinxcode{\sphinxupquote{/usr/local/lib/}} for text localization would produce
the following output:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{config} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{libs} \PYG{n}{krb5}
\PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{\PYGZhy{}}\PYG{n}{rpath} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{lkrb5} \PYG{o}{\PYGZhy{}}\PYG{n}{lk5crypto} \PYG{o}{\PYGZhy{}}\PYG{n}{lcom\PYGZus{}err}
\end{sphinxVerbatim}


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/krb5-config:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, cc(1)

\sphinxstepscope


\section{ksu}
\label{\detokenize{user/user_commands/ksu:ksu}}\label{\detokenize{user/user_commands/ksu:ksu-1}}\label{\detokenize{user/user_commands/ksu::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/ksu:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{ksu}
{[} \sphinxstyleemphasis{target\_user} {]}
{[} \sphinxstylestrong{\sphinxhyphen{}n} \sphinxstyleemphasis{target\_principal\_name} {]}
{[} \sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{source\_cache\_name} {]}
{[} \sphinxstylestrong{\sphinxhyphen{}k} {]}
{[} \sphinxstylestrong{\sphinxhyphen{}r} time {]}
{[} \sphinxstylestrong{\sphinxhyphen{}p} | \sphinxstylestrong{\sphinxhyphen{}P}{]}
{[} \sphinxstylestrong{\sphinxhyphen{}f} | \sphinxstylestrong{\sphinxhyphen{}F}{]}
{[} \sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime} {]}
{[} \sphinxstylestrong{\sphinxhyphen{}z | Z} {]}
{[} \sphinxstylestrong{\sphinxhyphen{}q} {]}
{[} \sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{command} {[} args …  {]} {]} {[} \sphinxstylestrong{\sphinxhyphen{}a} {[} args …  {]} {]}


\subsection{REQUIREMENTS}
\label{\detokenize{user/user_commands/ksu:requirements}}
\sphinxAtStartPar
Must have Kerberos version 5 installed to compile ksu.  Must have a
Kerberos version 5 server running to use ksu.


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/ksu:description}}
\sphinxAtStartPar
ksu is a Kerberized version of the su program that has two missions:
one is to securely change the real and effective user ID to that of
the target user, and the other is to create a new security context.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
For the sake of clarity, all references to and attributes of
the user invoking the program will start with “source”
(e.g., “source user”, “source cache”, etc.).

\sphinxAtStartPar
Likewise, all references to and attributes of the target
account will start with “target”.
\end{sphinxadmonition}


\subsection{AUTHENTICATION}
\label{\detokenize{user/user_commands/ksu:authentication}}
\sphinxAtStartPar
To fulfill the first mission, ksu operates in two phases:
authentication and authorization.  Resolving the target principal name
is the first step in authentication.  The user can either specify his
principal name with the \sphinxstylestrong{\sphinxhyphen{}n} option (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}n jqpublic@USC.EDU}})
or a default principal name will be assigned using a heuristic
described in the OPTIONS section (see \sphinxstylestrong{\sphinxhyphen{}n} option).  The target user
name must be the first argument to ksu; if not specified root is the
default.  If \sphinxcode{\sphinxupquote{.}} is specified then the target user will be the
source user (e.g., \sphinxcode{\sphinxupquote{ksu .}}).  If the source user is root or the
target user is the source user, no authentication or authorization
takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
in the source cache.

\sphinxAtStartPar
The ticket can either be for the end\sphinxhyphen{}server or a ticket granting
ticket (TGT) for the target principal’s realm.  If the ticket for the
end\sphinxhyphen{}server is already in the cache, it’s decrypted and verified.  If
it’s not in the cache but the TGT is, the TGT is used to obtain the
ticket for the end\sphinxhyphen{}server.  The end\sphinxhyphen{}server ticket is then verified.
If neither ticket is in the cache, but ksu is compiled with the
\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} define, the user will be prompted for a
Kerberos password which will then be used to get a TGT.  If the user
is logged in remotely and does not have a secure channel, the password
may be exposed.  If neither ticket is in the cache and
\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is not defined, authentication fails.


\subsection{AUTHORIZATION}
\label{\detokenize{user/user_commands/ksu:authorization}}
\sphinxAtStartPar
This section describes authorization of the source user when ksu is
invoked without the \sphinxstylestrong{\sphinxhyphen{}e} option.  For a description of the \sphinxstylestrong{\sphinxhyphen{}e}
option, see the OPTIONS section.

\sphinxAtStartPar
Upon successful authentication, ksu checks whether the target
principal is authorized to access the target account.  In the target
user’s home directory, ksu attempts to access two authorization files:
{\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} and .k5users.  In the .k5login file each line
contains the name of a principal that is authorized to access the
account.

\sphinxAtStartPar
For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}

\sphinxAtStartPar
The format of .k5users is the same, except the principal name may be
followed by a list of commands that the principal is authorized to
execute (see the \sphinxstylestrong{\sphinxhyphen{}e} option in the OPTIONS section for details).

\sphinxAtStartPar
Thus if the target principal name is found in the .k5login file the
source user is authorized to access the target account.  Otherwise ksu
looks in the .k5users file.  If the target principal name is found
without any trailing commands or followed only by \sphinxcode{\sphinxupquote{*}} then the
source user is authorized.  If either .k5login or .k5users exist but
an appropriate entry for the target principal does not exist then
access is denied.  If neither file exists then the principal will be
granted access to the account according to the aname\sphinxhyphen{}\textgreater{}lname mapping
rules.  Otherwise, authorization fails.


\subsection{EXECUTION OF THE TARGET SHELL}
\label{\detokenize{user/user_commands/ksu:execution-of-the-target-shell}}
\sphinxAtStartPar
Upon successful authentication and authorization, ksu proceeds in a
similar fashion to su.  The environment is unmodified with the
exception of USER, HOME and SHELL variables.  If the target user is
not root, USER gets set to the target user name.  Otherwise USER
remains unchanged.  Both HOME and SHELL are set to the target login’s
default values.  In addition, the environment variable \sphinxstylestrong{KRB5CCNAME}
gets set to the name of the target cache.  The real and effective user
ID are changed to that of the target user.  The target user’s shell is
then invoked (the shell name is specified in the password file).  Upon
termination of the shell, ksu deletes the target cache (unless ksu is
invoked with the \sphinxstylestrong{\sphinxhyphen{}k} option).  This is implemented by first doing a
fork and then an exec, instead of just exec, as done by su.


\subsection{CREATING A NEW SECURITY CONTEXT}
\label{\detokenize{user/user_commands/ksu:creating-a-new-security-context}}
\sphinxAtStartPar
ksu can be used to create a new security context for the target
program (either the target shell, or command specified via the \sphinxstylestrong{\sphinxhyphen{}e}
option).  The target program inherits a set of credentials from the
source user.  By default, this set includes all of the credentials in
the source cache plus any additional credentials obtained during
authentication.  The source user is able to limit the credentials in
this set by using \sphinxstylestrong{\sphinxhyphen{}z} or \sphinxstylestrong{\sphinxhyphen{}Z} option.  \sphinxstylestrong{\sphinxhyphen{}z} restricts the copy
of tickets from the source cache to the target cache to only the
tickets where client == the target principal name.  The \sphinxstylestrong{\sphinxhyphen{}Z} option
provides the target user with a fresh target cache (no creds in the
cache).  Note that for security reasons, when the source user is root
and target user is non\sphinxhyphen{}root, \sphinxstylestrong{\sphinxhyphen{}z} option is the default mode of
operation.

\sphinxAtStartPar
While no authentication takes place if the source user is root or is
the same as the target user, additional tickets can still be obtained
for the target cache.  If \sphinxstylestrong{\sphinxhyphen{}n} is specified and no credentials can
be copied to the target cache, the source user is prompted for a
Kerberos password (unless \sphinxstylestrong{\sphinxhyphen{}Z} specified or \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD}
is undefined).  If successful, a TGT is obtained from the Kerberos
server and stored in the target cache.  Otherwise, if a password is
not provided (user hit return) ksu continues in a normal mode of
operation (the target cache will not contain the desired TGT).  If the
wrong password is typed in, ksu fails.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
During authentication, only the tickets that could be
obtained without providing a password are cached in the
source cache.
\end{sphinxadmonition}


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/ksu:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n} \sphinxstyleemphasis{target\_principal\_name}}
\sphinxAtStartPar
Specify a Kerberos target principal name.  Used in authentication
and authorization phases of ksu.

\sphinxAtStartPar
If ksu is invoked without \sphinxstylestrong{\sphinxhyphen{}n}, a default principal name is
assigned via the following heuristic:
\begin{itemize}
\item {} 
\sphinxAtStartPar
Case 1: source user is non\sphinxhyphen{}root.

\sphinxAtStartPar
If the target user is the source user the default principal name
is set to the default principal of the source cache.  If the
cache does not exist then the default principal name is set to
\sphinxcode{\sphinxupquote{target\_user@local\_realm}}.  If the source and target users are
different and neither \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} nor
\sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5login}} exist then the default principal name
is \sphinxcode{\sphinxupquote{target\_user\_login\_name@local\_realm}}.  Otherwise, starting
with the first principal listed below, ksu checks if the
principal is authorized to access the target account and whether
there is a legitimate ticket for that principal in the source
cache.  If both conditions are met that principal becomes the
default target principal, otherwise go to the next principal.
\begin{enumerate}
\sphinxsetlistlabels{\alph}{enumi}{enumii}{}{)}%
\item {} 
\sphinxAtStartPar
default principal of the source cache

\item {} 
\sphinxAtStartPar
target\_user@local\_realm

\item {} 
\sphinxAtStartPar
source\_user@local\_realm

\end{enumerate}

\sphinxAtStartPar
If a\sphinxhyphen{}c fails try any principal for which there is a ticket in
the source cache and that is authorized to access the target
account.  If that fails select the first principal that is
authorized to access the target account from the above list.  If
none are authorized and ksu is configured with
\sphinxstylestrong{PRINC\_LOOK\_AHEAD} turned on, select the default principal as
follows:

\sphinxAtStartPar
For each candidate in the above list, select an authorized
principal that has the same realm name and first part of the
principal name equal to the prefix of the candidate.  For
example if candidate a) is \sphinxcode{\sphinxupquote{jqpublic@ISI.EDU}} and
\sphinxcode{\sphinxupquote{jqpublic/secure@ISI.EDU}} is authorized to access the target
account then the default principal is set to
\sphinxcode{\sphinxupquote{jqpublic/secure@ISI.EDU}}.

\item {} 
\sphinxAtStartPar
Case 2: source user is root.

\sphinxAtStartPar
If the target user is non\sphinxhyphen{}root then the default principal name
is \sphinxcode{\sphinxupquote{target\_user@local\_realm}}.  Else, if the source cache
exists the default principal name is set to the default
principal of the source cache.  If the source cache does not
exist, default principal name is set to \sphinxcode{\sphinxupquote{root\textbackslash{}@local\_realm}}.

\end{itemize}

\end{description}

\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{source\_cache\_name}
\begin{quote}

\sphinxAtStartPar
Specify source cache name (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}c FILE:/tmp/my\_cache}}).  If
\sphinxstylestrong{\sphinxhyphen{}c} option is not used then the name is obtained from
\sphinxstylestrong{KRB5CCNAME} environment variable.  If \sphinxstylestrong{KRB5CCNAME} is not
defined the source cache name is set to \sphinxcode{\sphinxupquote{krb5cc\_\textless{}source uid\textgreater{}}}.
The target cache name is automatically set to \sphinxcode{\sphinxupquote{krb5cc\_\textless{}target
uid\textgreater{}.(gen\_sym())}}, where gen\_sym generates a new number such that
the resulting cache does not already exist.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{krb5cc\PYGZus{}1984}\PYG{l+m+mf}{.2}
\end{sphinxVerbatim}
\end{quote}
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k}}
\sphinxAtStartPar
Do not delete the target cache upon termination of the target
shell or a command (\sphinxstylestrong{\sphinxhyphen{}e} command).  Without \sphinxstylestrong{\sphinxhyphen{}k}, ksu deletes
the target cache.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}z}}
\sphinxAtStartPar
Restrict the copy of tickets from the source cache to the target
cache to only the tickets where client == the target principal
name.  Use the \sphinxstylestrong{\sphinxhyphen{}n} option if you want the tickets for other then
the default principal.  Note that the \sphinxstylestrong{\sphinxhyphen{}z} option is mutually
exclusive with the \sphinxstylestrong{\sphinxhyphen{}Z} option.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}Z}}
\sphinxAtStartPar
Don’t copy any tickets from the source cache to the target cache.
Just create a fresh target cache, where the default principal name
of the cache is initialized to the target principal name.  Note
that the \sphinxstylestrong{\sphinxhyphen{}Z} option is mutually exclusive with the \sphinxstylestrong{\sphinxhyphen{}z}
option.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q}}
\sphinxAtStartPar
Suppress the printing of status messages.

\end{description}

\sphinxAtStartPar
Ticket granting ticket options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime} \sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{time} \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstylestrong{\sphinxhyphen{}P} \sphinxstylestrong{\sphinxhyphen{}f} \sphinxstylestrong{\sphinxhyphen{}F}}
\sphinxAtStartPar
The ticket granting ticket options only apply to the case where
there are no appropriate tickets in the cache to authenticate the
source user.  In this case if ksu is configured to prompt users
for a Kerberos password (\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is defined), the
ticket granting ticket options that are specified will be used
when getting a ticket granting ticket from the Kerberos server.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Specifies the lifetime to be requested
for the ticket; if this option is not specified, the default ticket
lifetime (12 hours) is used instead.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{time}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Specifies that the \sphinxstylestrong{renewable} option
should be requested for the ticket, and specifies the desired
total lifetime of the ticket.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p}}
\sphinxAtStartPar
specifies that the \sphinxstylestrong{proxiable} option should be requested for
the ticket.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P}}
\sphinxAtStartPar
specifies that the \sphinxstylestrong{proxiable} option should not be requested
for the ticket, even if the default configuration is to ask for
proxiable tickets.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f}}
\sphinxAtStartPar
option specifies that the \sphinxstylestrong{forwardable} option should be
requested for the ticket.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}F}}
\sphinxAtStartPar
option specifies that the \sphinxstylestrong{forwardable} option should not be
requested for the ticket, even if the default configuration is to
ask for forwardable tickets.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{args} …{]}}
\sphinxAtStartPar
ksu proceeds exactly the same as if it was invoked without the
\sphinxstylestrong{\sphinxhyphen{}e} option, except instead of executing the target shell, ksu
executes the specified command. Example of usage:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{ksu} \PYG{n}{bob} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{ls} \PYG{o}{\PYGZhy{}}\PYG{n}{lag}
\end{sphinxVerbatim}

\sphinxAtStartPar
The authorization algorithm for \sphinxstylestrong{\sphinxhyphen{}e} is as follows:

\sphinxAtStartPar
If the source user is root or source user == target user, no
authorization takes place and the command is executed.  If source
user id != 0, and \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} file does not exist,
authorization fails.  Otherwise, \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} file
must have an appropriate entry for target principal to get
authorized.

\sphinxAtStartPar
The .k5users file format:

\sphinxAtStartPar
A single principal entry on each line that may be followed by a
list of commands that the principal is authorized to execute.  A
principal name followed by a \sphinxcode{\sphinxupquote{*}} means that the user is
authorized to execute any command.  Thus, in the following
example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ls} \PYG{n}{mail} \PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{klist}
\PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{*}
\PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}

\sphinxAtStartPar
\sphinxcode{\sphinxupquote{jqpublic@USC.EDU}} is only authorized to execute \sphinxcode{\sphinxupquote{ls}},
\sphinxcode{\sphinxupquote{mail}} and \sphinxcode{\sphinxupquote{klist}} commands.  \sphinxcode{\sphinxupquote{jqpublic/secure@USC.EDU}} is
authorized to execute any command.  \sphinxcode{\sphinxupquote{jqpublic/admin@USC.EDU}} is
not authorized to execute any command.  Note, that
\sphinxcode{\sphinxupquote{jqpublic/admin@USC.EDU}} is authorized to execute the target
shell (regular ksu, without the \sphinxstylestrong{\sphinxhyphen{}e} option) but
\sphinxcode{\sphinxupquote{jqpublic@USC.EDU}} is not.

\sphinxAtStartPar
The commands listed after the principal name must be either a full
path names or just the program name.  In the second case,
\sphinxstylestrong{CMD\_PATH} specifying the location of authorized programs must
be defined at the compilation time of ksu.  Which command gets
executed?

\sphinxAtStartPar
If the source user is root or the target user is the source user
or the user is authorized to execute any command (\sphinxcode{\sphinxupquote{*}} entry)
then command can be either a full or a relative path leading to
the target program.  Otherwise, the user must specify either a
full path or just the program name.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{args}}
\sphinxAtStartPar
Specify arguments to be passed to the target shell.  Note that all
flags and parameters following \sphinxhyphen{}a will be passed to the shell,
thus all options intended for ksu must precede \sphinxstylestrong{\sphinxhyphen{}a}.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}a} option can be used to simulate the \sphinxstylestrong{\sphinxhyphen{}e} option if
used as follows:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{o}{\PYGZhy{}}\PYG{n}{a} \PYG{o}{\PYGZhy{}}\PYG{n}{c} \PYG{p}{[}\PYG{n}{command} \PYG{p}{[}\PYG{n}{arguments}\PYG{p}{]}\PYG{p}{]}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}c} is interpreted by the c\sphinxhyphen{}shell to execute the command.

\end{description}


\subsection{INSTALLATION INSTRUCTIONS}
\label{\detokenize{user/user_commands/ksu:installation-instructions}}
\sphinxAtStartPar
ksu can be compiled with the following four flags:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD}}
\sphinxAtStartPar
In case no appropriate tickets are found in the source cache, the
user will be prompted for a Kerberos password.  The password is
then used to get a ticket granting ticket from the Kerberos
server.  The danger of configuring ksu with this macro is if the
source user is logged in remotely and does not have a secure
channel, the password may get exposed.

\sphinxlineitem{\sphinxstylestrong{PRINC\_LOOK\_AHEAD}}
\sphinxAtStartPar
During the resolution of the default principal name,
\sphinxstylestrong{PRINC\_LOOK\_AHEAD} enables ksu to find principal names in
the .k5users file as described in the OPTIONS section
(see \sphinxstylestrong{\sphinxhyphen{}n} option).

\sphinxlineitem{\sphinxstylestrong{CMD\_PATH}}
\sphinxAtStartPar
Specifies a list of directories containing programs that users are
authorized to execute (via .k5users file).

\sphinxlineitem{\sphinxstylestrong{HAVE\_GETUSERSHELL}}
\sphinxAtStartPar
If the source user is non\sphinxhyphen{}root, ksu insists that the target user’s
shell to be invoked is a “legal shell”.  \sphinxstyleemphasis{getusershell(3)} is
called to obtain the names of “legal shells”.  Note that the
target user’s shell is obtained from the passwd file.

\end{description}

\sphinxAtStartPar
Sample configuration:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{KSU\PYGZus{}OPTS} \PYG{o}{=} \PYG{o}{\PYGZhy{}}\PYG{n}{DGET\PYGZus{}TGT\PYGZus{}VIA\PYGZus{}PASSWD} \PYG{o}{\PYGZhy{}}\PYG{n}{DPRINC\PYGZus{}LOOK\PYGZus{}AHEAD} \PYG{o}{\PYGZhy{}}\PYG{n}{DCMD\PYGZus{}PATH}\PYG{o}{=}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{\PYGZdq{}}\PYG{l+s+s1}{/bin /usr/ucb /local/bin}\PYG{l+s+s1}{\PYGZdq{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
ksu should be owned by root and have the set user id bit turned on.

\sphinxAtStartPar
ksu attempts to get a ticket for the end server just as Kerberized
telnet and rlogin.  Thus, there must be an entry for the server in the
Kerberos database (e.g., \sphinxcode{\sphinxupquote{host/nii.isi.edu@ISI.EDU}}).  The keytab
file must be in an appropriate location.


\subsection{SIDE EFFECTS}
\label{\detokenize{user/user_commands/ksu:side-effects}}
\sphinxAtStartPar
ksu deletes all expired tickets from the source cache.


\subsection{AUTHOR OF KSU}
\label{\detokenize{user/user_commands/ksu:author-of-ksu}}
\sphinxAtStartPar
GENNADY (ARI) MEDVINSKY


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/ksu:environment}}
\sphinxAtStartPar
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/ksu:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}

\sphinxstepscope


\section{kswitch}
\label{\detokenize{user/user_commands/kswitch:kswitch}}\label{\detokenize{user/user_commands/kswitch:kswitch-1}}\label{\detokenize{user/user_commands/kswitch::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/kswitch:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kswitch}
\{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cachename}|\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}\}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/kswitch:description}}
\sphinxAtStartPar
kswitch makes the specified credential cache the primary cache for the
collection, if a cache collection is available.


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/kswitch:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cachename}}
\sphinxAtStartPar
Directly specifies the credential cache to be made primary.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}}
\sphinxAtStartPar
Causes the cache collection to be searched for a cache containing
credentials for \sphinxstyleemphasis{principal}.  If one is found, that collection is
made primary.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/kswitch:environment}}
\sphinxAtStartPar
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{FILES}
\label{\detokenize{user/user_commands/kswitch:files}}\begin{description}
\sphinxlineitem{\DUrole{xref,std,std-ref}{DEFCCNAME}}
\sphinxAtStartPar
Default location of Kerberos 5 credentials cache

\end{description}


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/kswitch:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}},
{\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}

\sphinxstepscope


\section{kvno}
\label{\detokenize{user/user_commands/kvno:kvno}}\label{\detokenize{user/user_commands/kvno:kvno-1}}\label{\detokenize{user/user_commands/kvno::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/kvno:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kvno}
{[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{ccache}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{etype}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytab}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}q}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}u} | \sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{sname}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}P}{]}
{[}\sphinxstylestrong{\textendash{}cached\sphinxhyphen{}only}{]}
{[}\sphinxstylestrong{\textendash{}no\sphinxhyphen{}store}{]}
{[}\sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} \sphinxstyleemphasis{cache}{]}
{[}{[}\{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{cert\_file} | \{\sphinxstylestrong{\sphinxhyphen{}I} | \sphinxstylestrong{\sphinxhyphen{}U}\} \sphinxstyleemphasis{for\_user}\} {[}\sphinxstylestrong{\sphinxhyphen{}P}{]}{]} | \sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}{]}
\sphinxstyleemphasis{service1 service2} …


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/kvno:description}}
\sphinxAtStartPar
kvno acquires a service ticket for the specified Kerberos principals
and prints out the key version numbers of each.


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/kvno:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{ccache}}
\sphinxAtStartPar
Specifies the name of a credentials cache to use (if not the
default)

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{etype}}
\sphinxAtStartPar
Specifies the enctype which will be requested for the session key
of all the services named on the command line.  This is useful in
certain backward compatibility situations.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytab}}
\sphinxAtStartPar
Decrypt the acquired tickets using \sphinxstyleemphasis{keytab} to confirm their
validity.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q}}
\sphinxAtStartPar
Suppress printing output when successful.  If a service ticket
cannot be obtained, an error message will still be printed and
kvno will exit with nonzero status.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}u}}
\sphinxAtStartPar
Use the unknown name type in requested service principal names.
This option Cannot be used with \sphinxstyleemphasis{\sphinxhyphen{}S}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P}}
\sphinxAtStartPar
Specifies that the \sphinxstyleemphasis{service1 service2} …  arguments are to be
treated as services for which credentials should be acquired using
constrained delegation.  This option is only valid when used in
conjunction with protocol transition.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{sname}}
\sphinxAtStartPar
Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are
interpreted as hostnames, and the service principals are to be
constructed from those hostnames and the service name \sphinxstyleemphasis{sname}.
The service hostnames will be canonicalized according to the usual
rules for constructing service principals.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{for\_user}}
\sphinxAtStartPar
Specifies that protocol transition (S4U2Self) is to be used to
acquire a ticket on behalf of \sphinxstyleemphasis{for\_user}.  If constrained
delegation is not requested, the service name must match the
credentials cache client principal.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}U} \sphinxstyleemphasis{for\_user}}
\sphinxAtStartPar
Same as \sphinxhyphen{}I, but treats \sphinxstyleemphasis{for\_user} as an enterprise name.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{cert\_file}}
\sphinxAtStartPar
Specifies that protocol transition is to be used, identifying the
client principal with the X.509 certificate in \sphinxstyleemphasis{cert\_file}.  The
certificate file must be in PEM format.

\sphinxlineitem{\sphinxstylestrong{\textendash{}cached\sphinxhyphen{}only}}
\sphinxAtStartPar
Only retrieve credentials already present in the cache, not from
the KDC.  (Added in release 1.19.)

\sphinxlineitem{\sphinxstylestrong{\textendash{}no\sphinxhyphen{}store}}
\sphinxAtStartPar
Do not store retrieved credentials in the cache.  If
\sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} is also specified, credentials will still be
stored into the output credential cache.  (Added in release 1.19.)

\sphinxlineitem{\sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} \sphinxstyleemphasis{ccache}}
\sphinxAtStartPar
Initialize \sphinxstyleemphasis{ccache} and store all retrieved credentials into it.
Do not store acquired credentials in the input cache.  (Added in
release 1.19.)

\sphinxlineitem{\sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}}
\sphinxAtStartPar
Requests a user\sphinxhyphen{}to\sphinxhyphen{}user ticket.  \sphinxstyleemphasis{ccache} must contain a local
krbtgt ticket for the server principal.  The reported version
number will typically be 0, as the resulting ticket is not
encrypted in the server’s long\sphinxhyphen{}term key.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/kvno:environment}}
\sphinxAtStartPar
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{FILES}
\label{\detokenize{user/user_commands/kvno:files}}\begin{description}
\sphinxlineitem{\DUrole{xref,std,std-ref}{DEFCCNAME}}
\sphinxAtStartPar
Default location of the credentials cache

\end{description}


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/kvno:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}

\sphinxstepscope


\section{sclient}
\label{\detokenize{user/user_commands/sclient:sclient}}\label{\detokenize{user/user_commands/sclient:sclient-1}}\label{\detokenize{user/user_commands/sclient::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/sclient:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{sclient} \sphinxstyleemphasis{remotehost}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/sclient:description}}
\sphinxAtStartPar
sclient is a sample application, primarily useful for testing
purposes.  It contacts a sample server \DUrole{xref,std,std-ref}{sserver(8)} and
authenticates to it using Kerberos version 5 tickets, then displays
the server’s response.


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/sclient:environment}}
\sphinxAtStartPar
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/sclient:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, \DUrole{xref,std,std-ref}{sserver(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}



\renewcommand{\indexname}{Index}
\printindex
\end{document}