"Fossies" - the Fresh Open Source Software Archive

Member "krb5-1.18/doc/pdf/user.tex" (12 Feb 2020, 100735 Bytes) of package /linux/misc/krb5-1.18.tar.gz:


%% Generated by Sphinx.
\def\sphinxdocclass{report}
\documentclass[letterpaper,10pt,english]{sphinxmanual}
\ifdefined\pdfpxdimen
   \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen
\fi \sphinxpxdimen=.75bp\relax

\usepackage[utf8]{inputenc}
\ifdefined\DeclareUnicodeCharacter
 \ifdefined\DeclareUnicodeCharacterAsOptional
  \DeclareUnicodeCharacter{"00A0}{\nobreakspace}
  \DeclareUnicodeCharacter{"2500}{\sphinxunichar{2500}}
  \DeclareUnicodeCharacter{"2502}{\sphinxunichar{2502}}
  \DeclareUnicodeCharacter{"2514}{\sphinxunichar{2514}}
  \DeclareUnicodeCharacter{"251C}{\sphinxunichar{251C}}
  \DeclareUnicodeCharacter{"2572}{\textbackslash}
 \else
  \DeclareUnicodeCharacter{00A0}{\nobreakspace}
  \DeclareUnicodeCharacter{2500}{\sphinxunichar{2500}}
  \DeclareUnicodeCharacter{2502}{\sphinxunichar{2502}}
  \DeclareUnicodeCharacter{2514}{\sphinxunichar{2514}}
  \DeclareUnicodeCharacter{251C}{\sphinxunichar{251C}}
  \DeclareUnicodeCharacter{2572}{\textbackslash}
 \fi
\fi
\usepackage{cmap}
\usepackage[T1]{fontenc}
\usepackage{amsmath,amssymb,amstext}
\usepackage{babel}
\usepackage{times}
\usepackage[Bjarne]{fncychap}
\usepackage[dontkeepoldnames]{sphinx}

\usepackage{geometry}

% Include hyperref last.
\usepackage{hyperref}
% Fix anchor placement for figures with captions.
\usepackage{hypcap}% it must be loaded after hyperref.
% Set up styles of URL: it should be placed after hyperref.
\urlstyle{same}

\addto\captionsenglish{\renewcommand{\figurename}{Fig.}}
\addto\captionsenglish{\renewcommand{\tablename}{Table}}
\addto\captionsenglish{\renewcommand{\literalblockname}{Listing}}

\addto\captionsenglish{\renewcommand{\literalblockcontinuedname}{continued from previous page}}
\addto\captionsenglish{\renewcommand{\literalblockcontinuesname}{continues on next page}}

\addto\extrasenglish{\def\pageautorefname{page}}

\setcounter{tocdepth}{1}

\title{Kerberos User Guide}
\date{ }
\release{1.18}
\author{MIT}
\newcommand{\sphinxlogo}{\vbox{}}
\renewcommand{\releasename}{Release}
\makeindex

\begin{document}

\maketitle
\sphinxtableofcontents
\phantomsection\label{\detokenize{user/index::doc}}

\chapter{Password management}
\label{\detokenize{user/pwd_mgmt:for-users}}\label{\detokenize{user/pwd_mgmt::doc}}\label{\detokenize{user/pwd_mgmt:password-management}}
Your password is the only way Kerberos has of verifying your identity.
If someone finds out your password, that person can masquerade as
you—send email that comes from you, read, edit, or delete your files,
or log into other hosts as you—and no one will be able to tell the
difference.  For this reason, it is important that you choose a good
password, and keep it secret.  If you need to give access to your
account to someone else, you can do so through Kerberos (see
{\hyperref[\detokenize{user/pwd_mgmt:grant-access}]{\sphinxcrossref{\DUrole{std,std-ref}{Granting access to your account}}}}).  You should never tell your password to anyone,
including your system administrator, for any reason.  You should
change your password frequently, particularly any time you think
someone may have found out what it is.

\section{Changing your password}
\label{\detokenize{user/pwd_mgmt:changing-your-password}}
To change your Kerberos password, use the {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}} command.
It will ask you for your old password (to prevent someone else from
walking up to your computer when you’re not there and changing your
password), and then prompt you for the new one twice.  (The reason you
have to type it twice is to make sure you have typed it correctly.)
For example, user \sphinxcode{david} would do the following:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}    \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:}    \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password} \PYG{n}{again}\PYG{o}{.}
\PYG{n}{Password} \PYG{n}{changed}\PYG{o}{.}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

If \sphinxcode{david} typed the incorrect old password, he would get the
following message:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{incorrect} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect} \PYG{k}{while} \PYG{n}{getting} \PYG{n}{initial} \PYG{n}{ticket}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

If you make a mistake and don’t type the new password the same way
twice, kpasswd will ask you to try again:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{a} \PYG{n}{different} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{mismatch} \PYG{k}{while} \PYG{n}{reading} \PYG{n}{password}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

Once you change your password, it takes some time for the change to
propagate through the system.  Depending on how your system is set up,
this might be anywhere from a few minutes to an hour or more.  If you
need to get new Kerberos tickets shortly after changing your password,
try the new password.  If the new password doesn’t work, try again
using the old one.

\section{Granting access to your account}
\label{\detokenize{user/pwd_mgmt:grant-access}}\label{\detokenize{user/pwd_mgmt:granting-access-to-your-account}}
If you need to give someone access to log into your account, you can
do so through Kerberos, without telling the person your password.
Simply create a file called {\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} in your home directory.
This file should contain the Kerberos principal of each person to whom
you wish to give access.  Each principal must be on a separate line.
Here is a sample .k5login file:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\end{sphinxVerbatim}

This file would allow the users \sphinxcode{jennifer} and \sphinxcode{david} to use your
user ID, provided that they had Kerberos tickets in their respective
realms.  If you will be logging into other hosts across a network, you
will want to include your own Kerberos principal in your .k5login file
on each of these hosts.

Using a .k5login file is much safer than giving out your password,
because:
\begin{itemize}
\item {} 
You can take access away any time simply by removing the principal
from your .k5login file.

\item {} 
Although the user has full access to your account on one particular
host (or set of hosts if your .k5login file is shared, e.g., over
NFS), that user does not inherit your network privileges.

\item {} 
Kerberos keeps a log of who obtains tickets, so a system
administrator could find out, if necessary, who was capable of using
your user ID at a particular time.

\end{itemize}

One common application is to have a .k5login file in root’s home
directory, giving root access to that machine to the Kerberos
principals listed.  This allows system administrators to allow users
to become root locally, or to log in remotely as root, without their
having to give out the root password, and without anyone having to
type the root password over the network.
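A small model of the .k5login rule described in this section, added here as an example; it is not code from the krb5 guide or from krb5 itself. It parses the file as one principal per line and decides whether a given Kerberos principal may use an account. Two points are assumptions of the model rather than statements of the guide: the fallback when no .k5login exists (the client must be the local username in the default realm) and the rejection of entries that carry no realm.

```python
"""Toy model of .k5login authorization as described in the guide.

Added example, not krb5's own implementation.  Assumptions: one principal
per line, compared as an exact string (realm included), blank lines and
surrounding whitespace ignored, and a line with no '@' treated as malformed.
"""
from typing import Optional


def parse_k5login(content: str) -> list[str]:
    """Return the principals listed in a .k5login file, one per line."""
    principals: list[str] = []
    for lineno, raw in enumerate(content.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "@" not in line:
            # Assumption of this model: every entry must carry its realm.
            raise ValueError(f".k5login line {lineno}: no realm in {line!r}")
        principals.append(line)
    return principals


def k5login_allows(k5login: Optional[str], client: str,
                   local_user: str, default_realm: str) -> bool:
    """Decide whether Kerberos principal `client` may use `local_user`'s account.

    With a .k5login present only the listed principals are allowed; the
    account owner's own principal is not implied, which is why the guide says
    to list it on hosts you log into over the network.  Without the file the
    model falls back to requiring client == local_user@default_realm
    (an assumption of this model).
    """
    if k5login is None:
        return client == f"{local_user}@{default_realm}"
    return client in parse_k5login(k5login)


def revoke(k5login: str, principal: str) -> str:
    """Remove one principal: the guide's way of taking access away again."""
    kept = [p for p in parse_k5login(k5login) if p != principal]
    return "".join(p + "\n" for p in kept)


# Constructed sample, modelled on the guide's example file.
SAMPLE_K5LOGIN = "jennifer@ATHENA.MIT.EDU\ndavid@EXAMPLE.COM\n"
```

Note that the comparison is exact: `david@ATHENA.MIT.EDU` is a different principal from `david@EXAMPLE.COM` and is not granted access by the sample file.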
\section{Password quality verification}
\label{\detokenize{user/pwd_mgmt:password-quality-verification}}
TODO

\chapter{Ticket management}
\label{\detokenize{user/tkt_mgmt:ticket-management}}\label{\detokenize{user/tkt_mgmt::doc}}
On many systems, Kerberos is built into the login program, and you get
tickets automatically when you log in.  Other programs, such as ssh,
can forward copies of your tickets to a remote host.  Most of these
programs also automatically destroy your tickets when they exit.
However, MIT recommends that you explicitly destroy your Kerberos
tickets when you are through with them, just to be sure.  One way to
help ensure that this happens is to add the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} command
to your .logout file.  Additionally, if you are going to be away from
your machine and are concerned about an intruder using your
permissions, it is safest to either destroy all copies of your
tickets, or use a screensaver that locks the screen.

\section{Kerberos ticket properties}
\label{\detokenize{user/tkt_mgmt:kerberos-ticket-properties}}
There are various properties that Kerberos tickets can have:

If a ticket is \sphinxstylestrong{forwardable}, then the KDC can issue a new ticket
(with a different network address, if necessary) based on the
forwardable ticket.  This allows for authentication forwarding without
requiring a password to be typed in again.  For example, if a user
with a forwardable TGT logs into a remote system, the KDC could issue
a new TGT for that user with the network address of the remote system,
allowing authentication on that host to work as though the user were
logged in locally.

When the KDC creates a new ticket based on a forwardable ticket, it
sets the \sphinxstylestrong{forwarded} flag on that new ticket.  Any tickets that are
created based on a ticket with the forwarded flag set will also have
their forwarded flags set.

A \sphinxstylestrong{proxiable} ticket is similar to a forwardable ticket in that it
allows a service to take on the identity of the client.  Unlike a
forwardable ticket, however, a proxiable ticket is only issued for
specific services.  In other words, a ticket-granting ticket cannot be
issued based on a ticket that is proxiable but not forwardable.

A \sphinxstylestrong{proxy} ticket is one that was issued based on a proxiable ticket.

A \sphinxstylestrong{postdated} ticket is issued with the invalid flag set.  After the
starting time listed on the ticket, it can be presented to the KDC to
obtain valid tickets.

Ticket-granting tickets with the \sphinxstylestrong{postdateable} flag set can be used
to obtain postdated service tickets.

\sphinxstylestrong{Renewable} tickets can be used to obtain new session keys without
the user entering their password again.  A renewable ticket has two
expiration times.  The first is the time at which this particular
ticket expires.  The second is the latest possible expiration time for
any ticket issued based on this renewable ticket.

A ticket with the \sphinxstylestrong{initial flag} set was issued based on the
authentication protocol, and not on a ticket-granting ticket.
Application servers that wish to ensure that the user’s key has been
recently presented for verification could specify that this flag must
be set to accept the ticket.

An \sphinxstylestrong{invalid} ticket must be rejected by application servers.
Postdated tickets are usually issued with this flag set, and must be
validated by the KDC before they can be used.

A \sphinxstylestrong{preauthenticated} ticket is one that was only issued after the
client requesting the ticket had authenticated itself to the KDC.

The \sphinxstylestrong{hardware authentication} flag is set on a ticket which required
the use of hardware for authentication.  The hardware is expected to
be possessed only by the client which requested the tickets.

If a ticket has the \sphinxstylestrong{transit policy} checked flag set, then the KDC
that issued this ticket implements the transited-realm check policy
and checked the transited-realms list on the ticket.  The
transited-realms list contains a list of all intermediate realms
between the realm of the KDC that issued the first ticket and that of
the one that issued the current ticket.  If this flag is not set, then
the application server must check the transited realms itself or else
reject the ticket.

The \sphinxstylestrong{okay as delegate} flag indicates that the server specified in
the ticket is suitable as a delegate as determined by the policy of
that realm.  Some client applications may use this flag to decide
whether to forward tickets to a remote host, although many
applications do not honor it.

An \sphinxstylestrong{anonymous} ticket is one in which the named principal is a
generic principal for that realm; it does not actually specify the
individual that will be using the ticket.  This ticket is meant only
to securely distribute a session key.

\section{Obtaining tickets with kinit}
\label{\detokenize{user/tkt_mgmt:obtaining-tickets-with-kinit}}\label{\detokenize{user/tkt_mgmt:obtain-tkt}}
If your site has integrated Kerberos V5 with the login system, you
will get Kerberos tickets automatically when you log in.  Otherwise,
you may need to explicitly obtain your Kerberos tickets, using the
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} program.  Similarly, if your Kerberos tickets expire,
use the kinit program to obtain new ones.

To use the kinit program, simply type \sphinxcode{kinit} and then type your
password at the prompt. For example, Jennifer (whose username is
\sphinxcode{jennifer}) works for Bleep, Inc. (a fictitious company with the
domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU).  She would
type:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{jennifer}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

If you type your password incorrectly, kinit will give you the
following error message:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{the} \PYG{n}{wrong} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]}
\PYG{n}{kinit}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

and you won’t get Kerberos tickets.

By default, kinit assumes you want tickets for your own username in
your default realm.  Suppose Jennifer’s friend David is visiting, and
he wants to borrow a window to check his mail.  David needs to get
tickets for himself in his own realm, EXAMPLE.COM.  He would type:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

David would then have tickets which he could use to log onto his own
machine.  Note that he typed his password locally on Jennifer’s
machine, but it never went over the network.  Kerberos on the local
host performed the authentication to the KDC in the other realm.

If you want to be able to forward your tickets to another host, you
need to request forwardable tickets.  You do this by specifying the
\sphinxstylestrong{-f} option:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{your} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

Note that kinit does not tell you that it obtained forwardable
tickets; you can verify this using the {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command (see
{\hyperref[\detokenize{user/tkt_mgmt:view-tkt}]{\sphinxcrossref{\DUrole{std,std-ref}{Viewing tickets with klist}}}}).

Normally, your tickets are good for your system’s default ticket
lifetime, which is ten hours on many systems.  You can specify a
different ticket lifetime with the \sphinxstylestrong{-l} option.  Add the letter
\sphinxstylestrong{s} to the value for seconds, \sphinxstylestrong{m} for minutes, \sphinxstylestrong{h} for hours, or
\sphinxstylestrong{d} for days.  For example, to obtain forwardable tickets for
\sphinxcode{david@EXAMPLE.COM} that would be good for three hours, you would
type:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3}\PYG{n}{h} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
You cannot mix units; specifying a lifetime of 3h30m would
result in an error.  Note also that most systems specify a
maximum ticket lifetime.  If you request a longer ticket
lifetime, it will be automatically truncated to the maximum
lifetime.
\end{sphinxadmonition}

\section{Viewing tickets with klist}
\label{\detokenize{user/tkt_mgmt:viewing-tickets-with-klist}}\label{\detokenize{user/tkt_mgmt:view-tkt}}
The {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command shows your tickets.  When you first obtain
tickets, you will have only the ticket-granting ticket.  The listing
would look like this:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

The ticket cache is the location of your ticket file. In the above
example, this file is named \sphinxcode{/tmp/krb5cc\_ttypa}. The default
principal is your Kerberos principal.

The “valid starting” and “expires” fields describe the period of time
during which the ticket is valid.  The “service principal” describes
each ticket.  The ticket-granting ticket has a first component
\sphinxcode{krbtgt}, and a second component which is the realm name.

Now, if \sphinxcode{jennifer} connected to the machine \sphinxcode{daffodil.mit.edu},
and then typed “klist” again, she would have gotten the following
result:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

Here’s what happened: when \sphinxcode{jennifer} used ssh to connect to the
host \sphinxcode{daffodil.mit.edu}, the ssh program presented her
ticket-granting ticket to the KDC and requested a host ticket for the
host \sphinxcode{daffodil.mit.edu}.  The KDC sent the host ticket, which ssh
then presented to the host \sphinxcode{daffodil.mit.edu}, and she was allowed
to log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another
domain, such as \sphinxcode{trillium.example.com}, which is also in another
Kerberos realm, \sphinxcode{EXAMPLE.COM}.  If you ssh to this host, you will
receive a ticket-granting ticket for the realm \sphinxcode{EXAMPLE.COM}, plus
the new host ticket for \sphinxcode{trillium.example.com}.  klist will now
show:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

Depending on your host’s and realm’s configuration, you may also see a
ticket with the service principal \sphinxcode{host/trillium.example.com@}.  If
so, this means that your host did not know what realm
trillium.example.com is in, so it asked the \sphinxcode{ATHENA.MIT.EDU} KDC for
a referral.  The next time you connect to \sphinxcode{trillium.example.com},
the odd-looking entry will be used to avoid needing to ask for a
referral again.

You can use the \sphinxstylestrong{-f} option to view the flags that apply to your
tickets.  The flags are:

\begin{savenotes}\sphinxattablestart
\centering
\begin{tabulary}{\linewidth}[t]{|T|T|}
\hline

F
&
Forwardable
\\
\hline
f
&
forwarded
\\
\hline
P
&
Proxiable
\\
\hline
p
&
proxy
\\
\hline
D
&
postDateable
\\
\hline
d
&
postdated
\\
\hline
R
&
Renewable
\\
\hline
I
&
Initial
\\
\hline
i
&
invalid
\\
\hline
H
&
Hardware authenticated
\\
\hline
A
&
preAuthenticated
\\
\hline
T
&
Transit policy checked
\\
\hline
O
&
Okay as delegate
\\
\hline
a
&
anonymous
\\
\hline
\end{tabulary}
\par
\sphinxattableend\end{savenotes}

Here is a sample listing.  In this example, the user \sphinxstyleemphasis{jennifer}
obtained her initial tickets (\sphinxstylestrong{I}), which are forwardable (\sphinxstylestrong{F})
and postdated (\sphinxstylestrong{d}) but not yet validated (\sphinxstylestrong{i}):

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}320}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{Valid} \PYG{n}{starting}      \PYG{n}{Expires}             \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{06}\PYG{p}{:}\PYG{l+m+mi}{25}  \PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{25}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
        \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{FdiI}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

In the following example, the user \sphinxstyleemphasis{david}’s tickets were forwarded
(\sphinxstylestrong{f}) to this host from another host.  The tickets are reforwardable
(\sphinxstylestrong{F}):

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}p11795}
\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}

\PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{52}\PYG{p}{:}\PYG{l+m+mi}{29}  \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
        \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff}
\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{03}\PYG{p}{:}\PYG{l+m+mi}{48}  \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
        \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}
  569 \section{Destroying tickets with kdestroy}
  570 \label{\detokenize{user/tkt_mgmt:destroying-tickets-with-kdestroy}}
  571 Your Kerberos tickets are proof that you are indeed yourself, and
  572 tickets could be stolen if someone gains access to a computer where
  573 they are stored.  If this happens, the person who has them can
  574 masquerade as you until they expire.  For this reason, you should
  575 destroy your Kerberos tickets when you are away from your computer.
  577 Destroying your tickets is easy.  Simply type kdestroy:
  579 \fvset{hllines={, ,}}%
  580 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  581 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy}
  582 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  583 \end{sphinxVerbatim}
  585 If {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} fails to destroy your tickets, it will beep and
  586 give an error message.  For example, if kdestroy can’t find any
  587 tickets to destroy, it will give the following message:
  589 \fvset{hllines={, ,}}%
  590 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  591 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy}
  592 \PYG{n}{kdestroy}\PYG{p}{:} \PYG{n}{No} \PYG{n}{credentials} \PYG{n}{cache} \PYG{n}{file} \PYG{n}{found} \PYG{k}{while} \PYG{n}{destroying} \PYG{n}{cache}
  593 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  594 \end{sphinxVerbatim}
  597 \chapter{User config files}
  598 \label{\detokenize{user/user_config/index::doc}}\label{\detokenize{user/user_config/index:user-config-files}}
  599 The following files in your home directory can be used to control the
  600 behavior of Kerberos as it applies to your account (unless they have
  601 been disabled by your host’s configuration):
  604 \section{kerberos}
  605 \label{\detokenize{user/user_config/kerberos:kerberos-7}}\label{\detokenize{user/user_config/kerberos:kerberos}}\label{\detokenize{user/user_config/kerberos::doc}}
  607 \subsection{DESCRIPTION}
  608 \label{\detokenize{user/user_config/kerberos:description}}
  609 The Kerberos system authenticates individual users in a network
  610 environment.  After authenticating yourself to Kerberos, you can use
  611 Kerberos-enabled programs without having to present passwords or
  612 certificates to those programs.
  614 If you receive the following response from {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}:
  616 kinit: Client not found in Kerberos database while getting initial
  617 credentials
  619 you haven’t been registered as a Kerberos user.  See your system
  620 administrator.
  622 A Kerberos name usually contains three parts.  The first is the
  623 \sphinxstylestrong{primary}, which is usually a user’s or service’s name.  The second
  624 is the \sphinxstylestrong{instance}, which in the case of a user is usually null.
  625 Some users may have privileged instances, however, such as \sphinxcode{root} or
  626 \sphinxcode{admin}.  In the case of a service, the instance is the fully
  627 qualified name of the machine on which it runs; e.g. there can be an
  628 ssh service running on the machine ABC (\sphinxcode{ssh/ABC@REALM}), which is
  629 different from the ssh service running on the machine XYZ
  630 (\sphinxcode{ssh/XYZ@REALM}).  The third part of a Kerberos name is the \sphinxstylestrong{realm}.
  631 The realm corresponds to the Kerberos service providing authentication
  632 for the principal.  Realms are conventionally all-uppercase, and often
  633 match the end of hostnames in the realm (for instance, host01.example.com
  634 might be in realm EXAMPLE.COM).
  636 When writing a Kerberos name, the principal name is separated from the
  637 instance (if not null) by a slash, and the realm (if not the local
  638 realm) follows, preceded by an “@” sign.  The following are examples
  639 of valid Kerberos names:
  641 \fvset{hllines={, ,}}%
  642 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  643 \PYG{n}{david}
  644 \PYG{n}{jennifer}\PYG{o}{/}\PYG{n}{admin}
  645 \PYG{n}{joeuser}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
  646 \PYG{n}{cbrown}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@FUBAR}\PYG{o}{.}\PYG{n}{ORG}
  647 \end{sphinxVerbatim}
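The following parser is added here as an illustration and is not taken from the krb5 sources; it splits names of the form just shown into primary, instance and realm and reassembles them. The names \sphinxcode{Principal}, \sphinxcode{parse\_principal}, \sphinxcode{unparse\_principal} and \sphinxcode{is\_valid\_principal} are this example's own. One assumption goes beyond the text above: a backslash quotes the next character, so a literal slash or at-sign may appear inside a component (the other escapes krb5 accepts, such as \sphinxcode{\textbackslash{}n}, are not handled).

```python
# Added example, not code from the krb5 project: parse and re-assemble the
# textual principal names described above.  Assumption (not stated on this
# page): a backslash quotes the next character, so '\/', '\@' and '\\' may
# appear inside a component.  krb5's remaining escapes (\n, \t, ...) are
# deliberately not handled here.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Principal:
    components: List[str]   # primary first, then instance(s)
    realm: Optional[str]    # None means "the local (default) realm"

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        # Users usually have a null instance; a service carries its host's FQDN here.
        return self.components[1] if len(self.components) > 1 else None


def parse_principal(text: str) -> Principal:
    """Split 'primary/instance@REALM' into parts, honouring backslash quoting."""
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":                      # quoted character: take it literally
            if i + 1 >= len(text):
                raise ValueError("dangling backslash in %r" % text)
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "/" and not in_realm:      # component separator
            components.append("".join(buf))
            buf = []
        elif ch == "@" and not in_realm:    # everything after this is the realm
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    realm = "".join(buf) if in_realm else None
    if not in_realm:
        components.append("".join(buf))
    # '@REALM' (one empty component) is the anonymous form kinit -n accepts;
    # any other empty component, or an empty realm, is a malformed name.
    anonymous = components == [""] and realm is not None
    if (not anonymous and "" in components) or realm == "":
        raise ValueError("malformed principal name %r" % text)
    return Principal(components, realm)


def unparse_principal(p: Principal) -> str:
    """Inverse of parse_principal: quote '\\', '/' and '@' so the name re-parses."""
    def quote(part: str) -> str:
        return part.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    name = "/".join(quote(c) for c in p.components)
    return name if p.realm is None else name + "@" + quote(p.realm)


def is_valid_principal(text: str) -> bool:
    """True if parse_principal accepts *text*."""
    try:
        parse_principal(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("david", "jennifer/admin", "joeuser@BLEEP.COM",
                 "cbrown/root@FUBAR.ORG", "host/trillium.example.com@EXAMPLE.COM"):
        p = parse_principal(name)
        print(f"{name:40} primary={p.primary!r} instance={p.instance!r} realm={p.realm!r}")
```

Round-tripping through \sphinxcode{unparse\_principal} is the check worth keeping: a name that does not survive parse and unparse unchanged contains characters that need quoting, which is exactly where naive splitting on the first slash and the last at-sign goes wrong.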
  649 When you authenticate yourself with Kerberos you get an initial
  650 Kerberos \sphinxstylestrong{ticket}.  (A Kerberos ticket is an encrypted protocol
  651 message that provides authentication.)  Kerberos uses this ticket for
  652 network utilities such as ssh.  The ticket transactions are done
  653 transparently, so you don’t have to worry about their management.
  655 Note, however, that tickets expire.  Administrators may configure more
  656 privileged tickets, such as those with service or instance of \sphinxcode{root}
  657 or \sphinxcode{admin}, to expire in a few minutes, while tickets that carry
  658 more ordinary privileges may be good for several hours or a day.  If
  659 your login session extends beyond the time limit, you will have to
  660 re-authenticate yourself to Kerberos to get new tickets using the
  661 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} command.
  663 Some tickets are \sphinxstylestrong{renewable} beyond their initial lifetime.  This
  664 means that \sphinxcode{kinit -R} can extend their lifetime without requiring
  665 you to re-authenticate.
  667 If you wish to delete your local tickets, use the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}
  668 command.
  670 Kerberos tickets can be forwarded.  In order to forward tickets, you
  671 must request \sphinxstylestrong{forwardable} tickets when you kinit.  Once you have
  672 forwardable tickets, most Kerberos programs have a command line option
  673 to forward them to the remote host.  This can be useful for, e.g.,
  674 running kinit on your local machine and then sshing into another to do
  675 work.  Note that this should not be done on untrusted machines since
  676 they will then have your tickets.
  679 \subsection{ENVIRONMENT VARIABLES}
  680 \label{\detokenize{user/user_config/kerberos:environment-variables}}
  681 Several environment variables affect the operation of Kerberos-enabled
  682 programs.  These include:
  683 \begin{description}
  684 \item[{\sphinxstylestrong{KRB5CCNAME}}] \leavevmode
  685 Default name for the credentials cache file, in the form
  686 \sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}.  The type of the default cache may determine
  687 the availability of a cache collection.  \sphinxcode{FILE} is not a
  688 collection type; \sphinxcode{KEYRING}, \sphinxcode{DIR}, and \sphinxcode{KCM} are.
  690 If not set, the value of \sphinxstylestrong{default\_ccache\_name} from
  691 configuration files (see \sphinxstylestrong{KRB5\_CONFIG}) will be used.  If that
  692 is also not set, the default \sphinxstyleemphasis{type} is \sphinxcode{FILE}, and the
  693 \sphinxstyleemphasis{residual} is the path /tmp/krb5cc\_\sphinxstyleemphasis{uid}, where \sphinxstyleemphasis{uid} is the
  694 decimal user ID of the user.
  696 \item[{\sphinxstylestrong{KRB5\_KTNAME}}] \leavevmode
  697 Specifies the location of the default keytab file, in the form
  698 \sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}.  If no \sphinxstyleemphasis{type} is present, the \sphinxstylestrong{FILE} type is
  699 assumed and \sphinxstyleemphasis{residual} is the pathname of the keytab file.  If
  700 unset, \DUrole{xref,std,std-ref}{DEFKTNAME} will be used.
  702 \item[{\sphinxstylestrong{KRB5\_CONFIG}}] \leavevmode
  703 Specifies the location of the Kerberos configuration file.  The
  704 default is \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{/krb5.conf}.  Multiple filenames can
  705 be specified, separated by a colon; all files which are present
  706 will be read.
  708 \item[{\sphinxstylestrong{KRB5\_KDC\_PROFILE}}] \leavevmode
  709 Specifies the location of the KDC configuration file, which
  710 contains additional configuration directives for the Key
  711 Distribution Center daemon and associated programs.  The default
  712 is \DUrole{xref,std,std-ref}{LOCALSTATEDIR}\sphinxcode{/krb5kdc}\sphinxcode{/kdc.conf}.
  714 \item[{\sphinxstylestrong{KRB5RCACHENAME}}] \leavevmode
  715 (New in release 1.18) Specifies the location of the default replay
  716 cache, in the form \sphinxstyleemphasis{type}:\sphinxstyleemphasis{residual}.  The \sphinxcode{file2} type with a
  717 pathname residual specifies a replay cache file in the version-2
  718 format in the specified location.  The \sphinxcode{none} type (residual is
  719 ignored) disables the replay cache.  The \sphinxcode{dfl} type (residual is
  720 ignored) indicates the default, which uses a file2 replay cache in
  721 a temporary directory.  The default is \sphinxcode{dfl:}.
  723 \item[{\sphinxstylestrong{KRB5RCACHETYPE}}] \leavevmode
  724 Specifies the type of the default replay cache, if
  725 \sphinxstylestrong{KRB5RCACHENAME} is unspecified.  No residual can be specified,
  726 so \sphinxcode{none} and \sphinxcode{dfl} are the only useful types.
  728 \item[{\sphinxstylestrong{KRB5RCACHEDIR}}] \leavevmode
  729 Specifies the directory used by the \sphinxcode{dfl} replay cache type.
  730 The default is the value of the \sphinxstylestrong{TMPDIR} environment variable,
  731 or \sphinxcode{/var/tmp} if \sphinxstylestrong{TMPDIR} is not set.
  733 \item[{\sphinxstylestrong{KRB5\_TRACE}}] \leavevmode
  734 Specifies a filename to write trace log output to.  Trace logs can
  735 help illuminate decisions made internally by the Kerberos
  736 libraries.  For example, \sphinxcode{env KRB5\_TRACE=/dev/stderr kinit}
  737 would send tracing information for {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} to
  738 \sphinxcode{/dev/stderr}.  The default is not to write trace log output
  739 anywhere.
  741 \item[{\sphinxstylestrong{KRB5\_CLIENT\_KTNAME}}] \leavevmode
  742 Default client keytab file name.  If unset, \DUrole{xref,std,std-ref}{DEFCKTNAME} will be
  743 used.
  745 \item[{\sphinxstylestrong{KPROP\_PORT}}] \leavevmode
  746 \DUrole{xref,std,std-ref}{kprop(8)} port to use.  Defaults to 754.
  748 \item[{\sphinxstylestrong{GSS\_MECH\_CONFIG}}] \leavevmode
  749 Specifies a filename containing GSSAPI mechanism module
  750 configuration.  The default is to read \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{/gss/mech}
  751 and files with a \sphinxcode{.conf} suffix within the directory
  752 \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{/gss/mech.d}.
  754 \end{description}
  756 Most environment variables are disabled for certain programs, such as
  757 login system programs and setuid programs, which are designed to be
  758 secure when run within an untrusted process environment.
  761 \subsection{SEE ALSO}
  762 \label{\detokenize{user/user_config/kerberos:see-also}}
  763 {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}},
  764 {\hyperref[\detokenize{user/user_commands/kswitch:kswitch-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kswitch}}}}, {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}}, {\hyperref[\detokenize{user/user_commands/ksu:ksu-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ksu}}}},
  765 \DUrole{xref,std,std-ref}{krb5.conf(5)}, \DUrole{xref,std,std-ref}{kdc.conf(5)}, \DUrole{xref,std,std-ref}{kadmin(1)},
  766 \DUrole{xref,std,std-ref}{kadmind(8)}, \DUrole{xref,std,std-ref}{kdb5\_util(8)}, \DUrole{xref,std,std-ref}{krb5kdc(8)}
  769 \subsection{BUGS}
  770 \label{\detokenize{user/user_config/kerberos:bugs}}
  772 \subsection{AUTHORS}
  773 \label{\detokenize{user/user_config/kerberos:authors}}
  774 \begin{DUlineblock}{0em}
  775 \item[] Steve Miller, MIT Project Athena/Digital Equipment Corporation
  776 \item[] Clifford Neuman, MIT Project Athena
  777 \item[] Greg Hudson, MIT Kerberos Consortium
  778 \item[] Robbie Harwood, Red Hat, Inc.
  779 \end{DUlineblock}
  782 \subsection{HISTORY}
  783 \label{\detokenize{user/user_config/kerberos:history}}
  784 The MIT Kerberos 5 implementation was developed at MIT, with
  785 contributions from many outside parties.  It is currently maintained
  786 by the MIT Kerberos Consortium.
  789 \subsection{RESTRICTIONS}
  790 \label{\detokenize{user/user_config/kerberos:restrictions}}
  791 Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Massachusetts
  792 Institute of Technology
  795 \section{.k5login}
  796 \label{\detokenize{user/user_config/k5login:k5login-5}}\label{\detokenize{user/user_config/k5login:k5login}}\label{\detokenize{user/user_config/k5login::doc}}
  798 \subsection{DESCRIPTION}
  799 \label{\detokenize{user/user_config/k5login:description}}
  800 The .k5login file, which resides in a user’s home directory, contains
  801 a list of Kerberos principals.  Anyone with valid tickets for a
  802 principal in the file is allowed host access with the UID of the user
  803 in whose home directory the file resides.  One common use is to place
  804 a .k5login file in root’s home directory, thereby granting system
  805 administrators remote root access to the host via Kerberos.
  808 \subsection{EXAMPLES}
  809 \label{\detokenize{user/user_config/k5login:examples}}
  810 Suppose the user \sphinxcode{alice} had a .k5login file in her home directory
  811 containing just the following line:
  813 \fvset{hllines={, ,}}%
  814 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  815 \PYG{n}{bob}\PYG{n+nd}{@FOOBAR}\PYG{o}{.}\PYG{n}{ORG}
  816 \end{sphinxVerbatim}
  818 This would allow \sphinxcode{bob} to use Kerberos network applications, such as
  819 ssh(1), to access \sphinxcode{alice}’s account, using \sphinxcode{bob}’s Kerberos
  820 tickets.  In a default configuration (with \sphinxstylestrong{k5login\_authoritative} set
  821 to true in \DUrole{xref,std,std-ref}{krb5.conf(5)}), this .k5login file would not let
  822 \sphinxcode{alice} use those network applications to access her account, since
  823 she is not listed!  With no .k5login file, or with \sphinxstylestrong{k5login\_authoritative}
  824 set to false, a default rule would permit the principal \sphinxcode{alice} in the
  825 machine’s default realm to access the \sphinxcode{alice} account.
  827 Let us further suppose that \sphinxcode{alice} is a system administrator.
  828 Alice and the other system administrators would have their principals
  829 in root’s .k5login file on each host:
  831 \fvset{hllines={, ,}}%
  832 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  833 \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
  835 \PYG{n}{joeadmin}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
  836 \end{sphinxVerbatim}
  838 This would allow either system administrator to log in to these hosts
  839 using their Kerberos tickets instead of having to type the root
  840 password.  Note that because \sphinxcode{bob} retains the Kerberos tickets for
  841 his own principal, \sphinxcode{bob@FOOBAR.ORG}, he would not have any of the
  842 privileges that require \sphinxcode{alice}’s tickets, such as root access to
  843 any of the site’s hosts, or the ability to change \sphinxcode{alice}’s
  844 password.
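As an added illustration (not krb5's own implementation), the decision described above can be modelled as follows. The .k5login contents are passed in as constructed strings rather than read from disk; the \sphinxcode{authoritative} argument stands for the \sphinxstylestrong{k5login\_authoritative} setting; the ``default rule'' is taken to map a single-component principal in the machine's default realm to the local account of the same name; and an entry written without a realm is assumed to mean the default realm, which is how krb5 fills in such names when it parses them. All function names are this example's own.

```python
# Added example, not the krb5 implementation: the access decision that the
# .k5login description above makes.  Assumptions: ``k5login`` is the text of
# ~username/.k5login (None if the file does not exist); ``authoritative``
# mirrors k5login_authoritative in krb5.conf; an entry without a realm is
# taken to be in the default realm; the "default rule" admits only a
# single-component principal in the default realm whose name equals the
# local username.  ``principal`` must be written with its realm.
from typing import Optional, Tuple


def _split_realm(principal: str) -> Tuple[str, Optional[str]]:
    """'user/inst@REALM' -> ('user/inst', 'REALM'); no '@' -> realm None."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, None)


def default_rule_allows(principal: str, username: str, default_realm: str) -> bool:
    """Built-in mapping: alice@<default realm> may use the local 'alice' account."""
    name, realm = _split_realm(principal)
    return realm == default_realm and "/" not in name and name == username


def k5login_allows(principal: str, username: str, default_realm: str,
                   k5login: Optional[str], authoritative: bool = True) -> bool:
    """True if *principal* may act as local *username*."""
    if k5login is not None:
        for line in k5login.splitlines():
            entry = line.strip()
            if not entry:                       # blank lines are ignored
                continue
            if _split_realm(entry)[1] is None:  # 'carol' means carol@DEFAULT
                entry += "@" + default_realm
            if entry == principal:
                return True
        if authoritative:
            # The file is the whole story: an unlisted principal is refused,
            # even the account owner's own principal.
            return False
    # No file, or a non-authoritative file without a match: default rule.
    return default_rule_allows(principal, username, default_realm)


# Constructed file contents, copied from the examples above.
ALICE_K5LOGIN = "bob@FOOBAR.ORG\n"
ROOT_K5LOGIN = "alice@BLEEP.COM\n\njoeadmin/root@BLEEP.COM\n"

if __name__ == "__main__":
    cases = [
        ("bob@FOOBAR.ORG", "alice", ALICE_K5LOGIN, True),
        ("alice@BLEEP.COM", "alice", ALICE_K5LOGIN, True),   # owner locked out
        ("alice@BLEEP.COM", "alice", ALICE_K5LOGIN, False),  # non-authoritative
        ("alice@BLEEP.COM", "alice", None, True),
        ("alice@BLEEP.COM", "root", ROOT_K5LOGIN, True),
        ("bob@FOOBAR.ORG", "root", ROOT_K5LOGIN, True),
    ]
    for princ, user, contents, auth in cases:
        ok = k5login_allows(princ, user, "BLEEP.COM", contents, auth)
        print(f"{princ:26} as {user:6} (authoritative={auth}) -> {'allow' if ok else 'deny'}")
```

The authoritative case is the one to remember: a .k5login that exists but omits the account owner denies the owner herself, so anyone delegating access through the file must list their own principal as well if they still want to reach the account with their own tickets.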
  847 \subsection{SEE ALSO}
  848 \label{\detokenize{user/user_config/k5login:see-also}}
  849 kerberos(1)
  852 \section{.k5identity}
  853 \label{\detokenize{user/user_config/k5identity:k5identity-5}}\label{\detokenize{user/user_config/k5identity:k5identity}}\label{\detokenize{user/user_config/k5identity::doc}}
  855 \subsection{DESCRIPTION}
  856 \label{\detokenize{user/user_config/k5identity:description}}
  857 The .k5identity file, which resides in a user’s home directory,
  858 contains a list of rules for selecting a client principal based on
  859 the server being accessed.  These rules are used to choose a
  860 credential cache within the cache collection when possible.
  862 Blank lines and lines beginning with \sphinxcode{\#} are ignored.  Each line has
  863 the form:
  864 \begin{quote}
  866 \sphinxstyleemphasis{principal} \sphinxstyleemphasis{field}=\sphinxstyleemphasis{value}
  867 \end{quote}
  869 If the server principal meets all of the field constraints, then
  870 principal is chosen as the client principal.  The following fields are
  871 recognized:
  872 \begin{description}
  873 \item[{\sphinxstylestrong{realm}}] \leavevmode
  874 If the realm of the server principal is known, it is matched
  875 against \sphinxstyleemphasis{value}, which may be a pattern using shell wildcards.
  876 For host-based server principals, the realm will generally only be
  877 known if there is a \DUrole{xref,std,std-ref}{domain\_realm} section in
  878 \DUrole{xref,std,std-ref}{krb5.conf(5)} with a mapping for the hostname.
  880 \item[{\sphinxstylestrong{service}}] \leavevmode
  881 If the server principal is a host-based principal, its service
  882 component is matched against \sphinxstyleemphasis{value}, which may be a pattern using
  883 shell wildcards.
  885 \item[{\sphinxstylestrong{host}}] \leavevmode
  886 If the server principal is a host-based principal, its hostname
  887 component is converted to lower case and matched against \sphinxstyleemphasis{value},
  888 which may be a pattern using shell wildcards.
  890 If the server principal matches the constraints of multiple lines
  891 in the .k5identity file, the principal from the first matching
  892 line is used.  If no line matches, credentials will be selected
  893 some other way, such as the realm heuristic or the current primary
  894 cache.
  896 \end{description}
  899 \subsection{EXAMPLE}
  900 \label{\detokenize{user/user_config/k5identity:example}}
  901 The following example .k5identity file selects the client principal
  902 \sphinxcode{alice@KRBTEST.COM} if the server principal is within that realm,
  903 the principal \sphinxcode{alice/root@EXAMPLE.COM} if the server host is within
  904 the \sphinxcode{servers.example.com} subdomain, and the principal \sphinxcode{alice/mail@EXAMPLE.COM} when
  905 accessing the IMAP service on \sphinxcode{mail.example.com}:
  907 \fvset{hllines={, ,}}%
  908 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  909 \PYG{n}{alice}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM}       \PYG{n}{realm}\PYG{o}{=}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}
  910 \PYG{n}{alice}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}  \PYG{n}{host}\PYG{o}{=}\PYG{o}{*}\PYG{o}{.}\PYG{n}{servers}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
  911 \PYG{n}{alice}\PYG{o}{/}\PYG{n}{mail}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}  \PYG{n}{host}\PYG{o}{=}\PYG{n}{mail}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{service}\PYG{o}{=}\PYG{n}{imap}
  912 \end{sphinxVerbatim}
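The matching rules above, worked through as an added example; this is illustrative code, not the krb5 credential-cache selection module. Assumptions: shell wildcards are matched with Python's \sphinxcode{fnmatch}; \sphinxcode{DOMAIN\_REALM} is a constructed stand-in for the \sphinxstylestrong{domain\_realm} section of krb5.conf and is consulted by longest suffix (the full hostname first, then each parent domain with a leading dot), so the realm of a host-based server principal is only ``known'' when such a mapping exists or the realm was given explicitly; a return value of \sphinxcode{None} stands for the fallback to the realm heuristic or the primary cache. Function names are this example's own.

```python
# Added example, not the krb5 ccselect code: client-principal selection as
# specified by the .k5identity description above.  Assumptions: shell
# wildcards are matched with fnmatch; DOMAIN_REALM is a constructed stand-in
# for krb5.conf's [domain_realm] section, consulted by longest suffix; a
# server principal without a realm has its realm looked up that way and is
# otherwise "unknown"; None means "fall back to the realm heuristic or the
# primary cache".
import fnmatch
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, Dict[str, str]]   # (client principal, {field: pattern})


def parse_k5identity(text: str) -> List[Rule]:
    """Return the rules in file order; blank and '#' lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, *constraints = line.split()
        fields: Dict[str, str] = {}
        for item in constraints:
            key, sep, pattern = item.partition("=")
            if not sep or key not in ("realm", "service", "host"):
                raise ValueError("bad .k5identity constraint %r" % item)
            fields[key] = pattern
        rules.append((principal, fields))
    return rules


def lookup_domain_realm(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Exact hostname first, then '.example.com', '.com', ... (longest suffix wins)."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def server_parts(server: str, domain_realm: Dict[str, str]):
    """(service, host, realm) of a server principal; None where not applicable/known."""
    name, sep, realm = server.rpartition("@")
    if not sep:
        name, realm = server, None
    service, slash, host = name.partition("/")
    if not slash:                       # not host-based: no service/host fields
        return None, None, realm
    host = host.lower()                 # hostname is compared in lower case
    if realm is None:
        realm = lookup_domain_realm(host, domain_realm)
    return service, host, realm


def select_client_principal(k5identity: str, server: str,
                            domain_realm: Dict[str, str]) -> Optional[str]:
    """First rule whose every field matches the server wins."""
    service, host, realm = server_parts(server, domain_realm)
    actual = {"realm": realm, "service": service, "host": host}
    for principal, fields in parse_k5identity(k5identity):
        if all(actual[k] is not None and fnmatch.fnmatchcase(actual[k], pat)
               for k, pat in fields.items()):
            return principal
    return None


# Constructed inputs: the example file above plus a hypothetical mapping.
K5IDENTITY = """\
# same rules as the example .k5identity
alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
"""
DOMAIN_REALM = {".example.com": "EXAMPLE.COM", ".krbtest.com": "KRBTEST.COM"}

if __name__ == "__main__":
    for server in ("host/kdc.krbtest.com", "host/db1.servers.example.com@EXAMPLE.COM",
                   "imap/MAIL.Example.COM", "smtp/mail.example.com@EXAMPLE.COM"):
        print(f"{server:44} -> {select_client_principal(K5IDENTITY, server, DOMAIN_REALM)}")
```

Note that the first rule only fires when the realm is known: with an empty mapping and no explicit realm on the server name, \sphinxcode{host/kdc.krbtest.com} falls through all three rules, which is the situation the \sphinxstylestrong{realm} field description warns about.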
  915 \subsection{SEE ALSO}
  916 \label{\detokenize{user/user_config/k5identity:see-also}}
  917 kerberos(1), \DUrole{xref,std,std-ref}{krb5.conf(5)}
  920 \chapter{User commands}
  921 \label{\detokenize{user/user_commands/index::doc}}\label{\detokenize{user/user_commands/index:user-commands}}\label{\detokenize{user/user_commands/index:id1}}
  923 \section{kdestroy}
  924 \label{\detokenize{user/user_commands/kdestroy:kdestroy}}\label{\detokenize{user/user_commands/kdestroy::doc}}\label{\detokenize{user/user_commands/kdestroy:kdestroy-1}}
  926 \subsection{SYNOPSIS}
  927 \label{\detokenize{user/user_commands/kdestroy:synopsis}}
  928 \sphinxstylestrong{kdestroy}
  929 {[}\sphinxstylestrong{-A}{]}
  930 {[}\sphinxstylestrong{-q}{]}
  931 {[}\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}{]} {[}\sphinxstylestrong{-p} \sphinxstyleemphasis{princ\_name}{]}
  934 \subsection{DESCRIPTION}
  935 \label{\detokenize{user/user_commands/kdestroy:description}}
  936 The kdestroy utility destroys the user’s active Kerberos authorization
  937 tickets by overwriting and deleting the credentials cache that
  938 contains them.  If the credentials cache is not specified, the default
  939 credentials cache is destroyed.
  942 \subsection{OPTIONS}
  943 \label{\detokenize{user/user_commands/kdestroy:options}}\begin{description}
  944 \item[{\sphinxstylestrong{-A}}] \leavevmode
  945 Destroys all caches in the collection, if a cache collection is
  946 available.  May be used with the \sphinxstylestrong{-c} option to specify the
  947 collection to be destroyed.
  949 \item[{\sphinxstylestrong{-q}}] \leavevmode
  950 Run quietly.  Normally kdestroy beeps if it fails to destroy the
  951 user’s tickets.  The \sphinxstylestrong{-q} flag suppresses this behavior.
  953 \item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}}] \leavevmode
  954 Use \sphinxstyleemphasis{cache\_name} as the credentials (ticket) cache name and
  955 location; if this option is not used, the default cache name and
  956 location are used.
  958 The default credentials cache may vary between systems.  If the
  959 \sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to
  960 name the default ticket cache.
  962 \item[{\sphinxstylestrong{-p} \sphinxstyleemphasis{princ\_name}}] \leavevmode
  963 If a cache collection is available, destroy the cache for
  964 \sphinxstyleemphasis{princ\_name} instead of the primary cache.  May be used with the
  965 \sphinxstylestrong{-c} option to specify the collection to be searched.
  967 \end{description}
  970 \subsection{NOTE}
  971 \label{\detokenize{user/user_commands/kdestroy:note}}
  972 Most installations recommend that you place the kdestroy command in
  973 your .logout file, so that your tickets are destroyed automatically
  974 when you log out.
  977 \subsection{ENVIRONMENT}
  978 \label{\detokenize{user/user_commands/kdestroy:environment}}
  979 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
  980 variables.
  983 \subsection{FILES}
  984 \label{\detokenize{user/user_commands/kdestroy:files}}\begin{description}
  985 \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
  986 Default location of Kerberos 5 credentials cache
  988 \end{description}
  991 \subsection{SEE ALSO}
  992 \label{\detokenize{user/user_commands/kdestroy:see-also}}
  993 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
  996 \section{kinit}
  997 \label{\detokenize{user/user_commands/kinit:kinit-1}}\label{\detokenize{user/user_commands/kinit:kinit}}\label{\detokenize{user/user_commands/kinit::doc}}
  999 \subsection{SYNOPSIS}
 1000 \label{\detokenize{user/user_commands/kinit:synopsis}}
 1001 \sphinxstylestrong{kinit}
 1002 {[}\sphinxstylestrong{-V}{]}
 1003 {[}\sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime}{]}
 1004 {[}\sphinxstylestrong{-s} \sphinxstyleemphasis{start\_time}{]}
 1005 {[}\sphinxstylestrong{-r} \sphinxstyleemphasis{renewable\_life}{]}
 1006 {[}\sphinxstylestrong{-p} \textbar{} \sphinxstylestrong{-P}{]}
 1007 {[}\sphinxstylestrong{-f} \textbar{} \sphinxstylestrong{-F}{]}
 1008 {[}\sphinxstylestrong{-a}{]}
 1009 {[}\sphinxstylestrong{-A}{]}
 1010 {[}\sphinxstylestrong{-C}{]}
 1011 {[}\sphinxstylestrong{-E}{]}
 1012 {[}\sphinxstylestrong{-v}{]}
 1013 {[}\sphinxstylestrong{-R}{]}
 1014 {[}\sphinxstylestrong{-k} {[}\sphinxstylestrong{-i} \textbar{} \sphinxstylestrong{-t} \sphinxstyleemphasis{keytab\_file}{]}{]}
 1015 {[}\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}{]}
 1016 {[}\sphinxstylestrong{-n}{]}
 1017 {[}\sphinxstylestrong{-S} \sphinxstyleemphasis{service\_name}{]}
 1018 {[}\sphinxstylestrong{-I} \sphinxstyleemphasis{input\_ccache}{]}
 1019 {[}\sphinxstylestrong{-T} \sphinxstyleemphasis{armor\_ccache}{]}
 1020 {[}\sphinxstylestrong{-X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}{]}
 1021 {[}\sphinxstyleemphasis{principal}{]}
 1024 \subsection{DESCRIPTION}
 1025 \label{\detokenize{user/user_commands/kinit:description}}
 1026 kinit obtains and caches an initial ticket-granting ticket for
 1027 \sphinxstyleemphasis{principal}.  If \sphinxstyleemphasis{principal} is absent, kinit chooses an appropriate
 1028 principal name based on existing credential cache contents or the
 1029 local username of the user invoking kinit.  Some options modify the
 1030 choice of principal name.
 1033 \subsection{OPTIONS}
 1034 \label{\detokenize{user/user_commands/kinit:options}}\begin{description}
 1035 \item[{\sphinxstylestrong{-V}}] \leavevmode
 1036 display verbose output.
 1038 \item[{\sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime}}] \leavevmode
 1039 (\DUrole{xref,std,std-ref}{duration} string.)  Requests a ticket with the lifetime
 1040 \sphinxstyleemphasis{lifetime}.
 1042 For example, \sphinxcode{kinit -l 5:30} or \sphinxcode{kinit -l 5h30m}.
 1044 If the \sphinxstylestrong{-l} option is not specified, the default ticket lifetime
 1045 (configured by each site) is used.  Specifying a ticket lifetime
 1046 longer than the maximum ticket lifetime (configured by each site)
 1047 will not override the configured maximum ticket lifetime.
 1049 \item[{\sphinxstylestrong{-s} \sphinxstyleemphasis{start\_time}}] \leavevmode
 1050 (\DUrole{xref,std,std-ref}{duration} string.)  Requests a postdated ticket.  Postdated
 1051 tickets are issued with the \sphinxstylestrong{invalid} flag set, and need to be
 1052 resubmitted to the KDC for validation before use.
 1054 \sphinxstyleemphasis{start\_time} specifies the duration of the delay before the ticket
 1055 can become valid.
 1057 \item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{renewable\_life}}] \leavevmode
 1058 (\DUrole{xref,std,std-ref}{duration} string.)  Requests renewable tickets, with a total
 1059 lifetime of \sphinxstyleemphasis{renewable\_life}.
 1061 \item[{\sphinxstylestrong{-f}}] \leavevmode
 1062 requests forwardable tickets.
 1064 \item[{\sphinxstylestrong{-F}}] \leavevmode
 1065 requests non-forwardable tickets.
 1067 \item[{\sphinxstylestrong{-p}}] \leavevmode
 1068 requests proxiable tickets.
 1070 \item[{\sphinxstylestrong{-P}}] \leavevmode
 1071 requests non-proxiable tickets.
 1073 \item[{\sphinxstylestrong{-a}}] \leavevmode
 1074 requests tickets restricted to the host’s local address{[}es{]}.
 1076 \item[{\sphinxstylestrong{-A}}] \leavevmode
 1077 requests tickets not restricted by address.
 1079 \item[{\sphinxstylestrong{-C}}] \leavevmode
 1080 requests canonicalization of the principal name, and allows the
 1081 KDC to reply with a different client principal from the one
 1082 requested.
 1084 \item[{\sphinxstylestrong{-E}}] \leavevmode
 1085 treats the principal name as an enterprise name.
 1087 \item[{\sphinxstylestrong{-v}}] \leavevmode
 1088 requests that the ticket-granting ticket in the cache (with the
 1089 \sphinxstylestrong{invalid} flag set) be passed to the KDC for validation.  If the
 1090 ticket is within its requested time range, the cache is replaced
 1091 with the validated ticket.
 1093 \item[{\sphinxstylestrong{-R}}] \leavevmode
 1094 requests renewal of the ticket-granting ticket.  Note that an
 1095 expired ticket cannot be renewed, even if the ticket is still
 1096 within its renewable life.
 1098 Note that renewable tickets that have expired as reported by
 1099 {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} may sometimes be renewed using this option,
 1100 because the KDC applies a grace period to account for client-KDC
 1101 clock skew.  See \DUrole{xref,std,std-ref}{krb5.conf(5)} \sphinxstylestrong{clockskew} setting.
 1103 \item[{\sphinxstylestrong{-k} {[}\sphinxstylestrong{-i} \textbar{} \sphinxstylestrong{-t} \sphinxstyleemphasis{keytab\_file}{]}}] \leavevmode
 1104 requests a ticket, obtained from a key in the local host’s keytab.
 1105 The location of the keytab may be specified with the \sphinxstylestrong{-t}
 1106 \sphinxstyleemphasis{keytab\_file} option, or with the \sphinxstylestrong{-i} option to specify the use
 1107 of the default client keytab; otherwise the default keytab will be
 1108 used.  By default, a host ticket for the local host is requested,
 1109 but any principal may be specified.  On a KDC, the special keytab
 1110 location \sphinxcode{KDB:} can be used to indicate that kinit should open
 1111 the KDC database and look up the key directly.  This permits an
 1112 administrator to obtain tickets as any principal that supports
 1113 authentication based on the key.
 1115 \item[{\sphinxstylestrong{-n}}] \leavevmode
 1116 Requests anonymous processing.  Two types of anonymous principals
 1117 are supported.
 1119 For fully anonymous Kerberos, configure pkinit on the KDC and
 1120 configure \sphinxstylestrong{pkinit\_anchors} in the client’s \DUrole{xref,std,std-ref}{krb5.conf(5)}.
 1121 Then use the \sphinxstylestrong{-n} option with a principal of the form \sphinxcode{@REALM}
 1122 (an empty principal name followed by the at-sign and a realm
 1123 name).  If permitted by the KDC, an anonymous ticket will be
 1124 returned.
 1126 A second form of anonymous tickets is supported; these
 1127 realm-exposed tickets hide the identity of the client but not the
 1128 client’s realm.  For this mode, use \sphinxcode{kinit -n} with a normal
 1129 principal name.  If supported by the KDC, the principal (but not
 1130 realm) will be replaced by the anonymous principal.
 1132 As of release 1.8, the MIT Kerberos KDC only supports fully
 1133 anonymous operation.
 1135 \end{description}
 1137 \begin{description} \item[{\sphinxstylestrong{-I} \sphinxstyleemphasis{input\_ccache}}] \leavevmode
 1140 Specifies the name of a credentials cache that already contains a
 1141 ticket.  When obtaining that ticket, if information about how that
 1142 ticket was obtained was also stored to the cache, that information
 1143 will be used to affect how new credentials are obtained, including
 1144 preselecting the same methods of authenticating to the KDC.
 1145 \end{description}
 1146 \begin{description}
 1147 \item[{\sphinxstylestrong{-T} \sphinxstyleemphasis{armor\_ccache}}] \leavevmode
 1148 Specifies the name of a credentials cache that already contains a
 1149 ticket.  If supported by the KDC, this cache will be used to armor
 1150 the request, preventing offline dictionary attacks and allowing
 1151 the use of additional preauthentication mechanisms.  Armoring also
 1152 makes sure that the response from the KDC is not modified in
 1153 transit.
 1155 \item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}}] \leavevmode
 1156 use \sphinxstyleemphasis{cache\_name} as the Kerberos 5 credentials (ticket) cache
 1157 location.  If this option is not used, the default cache location
 1158 is used.
 1160 The default cache location may vary between systems.  If the
 1161 \sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to
 1162 locate the default cache.  If a principal name is specified and
 1163 the type of the default cache supports a collection (such as the
 1164 DIR type), an existing cache containing credentials for the
 1165 principal is selected or a new one is created and becomes the new
 1166 primary cache.  Otherwise, any existing contents of the default
 1167 cache are destroyed by kinit.
 1169 \item[{\sphinxstylestrong{-S} \sphinxstyleemphasis{service\_name}}] \leavevmode
 1170 specify an alternate service name to use when getting initial
 1171 tickets.
\item[{\sphinxstylestrong{-X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}}] \leavevmode
specify a pre-authentication \sphinxstyleemphasis{attribute} and \sphinxstyleemphasis{value} to be
interpreted by pre-authentication modules.  The acceptable
attributes and values vary from module to module.  This
option may be specified multiple times to specify multiple
attributes.  If no value is specified, it is assumed to be “yes”.
 1180 The following attributes are recognized by the PKINIT
 1181 pre-authentication mechanism:
 1182 \begin{description}
 1183 \item[{\sphinxstylestrong{X509\_user\_identity}=\sphinxstyleemphasis{value}}] \leavevmode
 1184 specify where to find user’s X509 identity information
 1186 \item[{\sphinxstylestrong{X509\_anchors}=\sphinxstyleemphasis{value}}] \leavevmode
 1187 specify where to find trusted X509 anchor information
 1189 \item[{\sphinxstylestrong{flag\_RSA\_PROTOCOL}{[}\sphinxstylestrong{=yes}{]}}] \leavevmode
 1190 specify use of RSA, rather than the default Diffie-Hellman
 1191 protocol
 1193 \item[{\sphinxstylestrong{disable\_freshness}{[}\sphinxstylestrong{=yes}{]}}] \leavevmode
 1194 disable sending freshness tokens (for testing purposes only)
 1196 \end{description}
 1198 \end{description}
 1201 \subsection{ENVIRONMENT}
 1202 \label{\detokenize{user/user_commands/kinit:environment}}
 1203 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 1204 variables.
 1207 \subsection{FILES}
 1208 \label{\detokenize{user/user_commands/kinit:files}}\begin{description}
 1209 \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
 1210 default location of Kerberos 5 credentials cache
 1212 \item[{\DUrole{xref,std,std-ref}{DEFKTNAME}}] \leavevmode
 1213 default location for the local host’s keytab.
 1215 \end{description}
 1218 \subsection{SEE ALSO}
 1219 \label{\detokenize{user/user_commands/kinit:see-also}}
 1220 {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 1223 \section{klist}
 1224 \label{\detokenize{user/user_commands/klist:klist}}\label{\detokenize{user/user_commands/klist::doc}}\label{\detokenize{user/user_commands/klist:klist-1}}
 1226 \subsection{SYNOPSIS}
 1227 \label{\detokenize{user/user_commands/klist:synopsis}}
 1228 \sphinxstylestrong{klist}
 1229 {[}\sphinxstylestrong{-e}{]}
 1230 {[}{[}\sphinxstylestrong{-c}{]} {[}\sphinxstylestrong{-l}{]} {[}\sphinxstylestrong{-A}{]} {[}\sphinxstylestrong{-f}{]} {[}\sphinxstylestrong{-s}{]} {[}\sphinxstylestrong{-a} {[}\sphinxstylestrong{-n}{]}{]}{]}
 1231 {[}\sphinxstylestrong{-C}{]}
 1232 {[}\sphinxstylestrong{-k} {[}\sphinxstylestrong{-t}{]} {[}\sphinxstylestrong{-K}{]}{]}
 1233 {[}\sphinxstylestrong{-V}{]}
 1234 {[}\sphinxstyleemphasis{cache\_name}\textbar{}\sphinxstyleemphasis{keytab\_name}{]}
 1237 \subsection{DESCRIPTION}
 1238 \label{\detokenize{user/user_commands/klist:description}}
 1239 klist lists the Kerberos principal and Kerberos tickets held in a
 1240 credentials cache, or the keys held in a keytab file.
 1243 \subsection{OPTIONS}
 1244 \label{\detokenize{user/user_commands/klist:options}}\begin{description}
 1245 \item[{\sphinxstylestrong{-e}}] \leavevmode
 1246 Displays the encryption types of the session key and the ticket
 1247 for each credential in the credential cache, or each key in the
 1248 keytab file.
 1250 \item[{\sphinxstylestrong{-l}}] \leavevmode
 1251 If a cache collection is available, displays a table summarizing
 1252 the caches present in the collection.
 1254 \item[{\sphinxstylestrong{-A}}] \leavevmode
 1255 If a cache collection is available, displays the contents of all
 1256 of the caches in the collection.
 1258 \item[{\sphinxstylestrong{-c}}] \leavevmode
 1259 List tickets held in a credentials cache. This is the default if
 1260 neither \sphinxstylestrong{-c} nor \sphinxstylestrong{-k} is specified.
 1262 \item[{\sphinxstylestrong{-f}}] \leavevmode
 1263 Shows the flags present in the credentials, using the following
 1264 abbreviations:
 1266 \fvset{hllines={, ,}}%
 1267 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1268 \PYG{n}{F}    \PYG{n}{Forwardable}
 1269 \PYG{n}{f}    \PYG{n}{forwarded}
 1270 \PYG{n}{P}    \PYG{n}{Proxiable}
 1271 \PYG{n}{p}    \PYG{n}{proxy}
 1272 \PYG{n}{D}    \PYG{n}{postDateable}
 1273 \PYG{n}{d}    \PYG{n}{postdated}
 1274 \PYG{n}{R}    \PYG{n}{Renewable}
 1275 \PYG{n}{I}    \PYG{n}{Initial}
 1276 \PYG{n}{i}    \PYG{n}{invalid}
 1277 \PYG{n}{H}    \PYG{n}{Hardware} \PYG{n}{authenticated}
 1278 \PYG{n}{A}    \PYG{n}{preAuthenticated}
 1279 \PYG{n}{T}    \PYG{n}{Transit} \PYG{n}{policy} \PYG{n}{checked}
 1280 \PYG{n}{O}    \PYG{n}{Okay} \PYG{k}{as} \PYG{n}{delegate}
 1281 \PYG{n}{a}    \PYG{n}{anonymous}
 1282 \end{sphinxVerbatim}
 1284 \item[{\sphinxstylestrong{-s}}] \leavevmode
 1285 Causes klist to run silently (produce no output).  klist will exit
 1286 with status 1 if the credentials cache cannot be read or is
 1287 expired, and with status 0 otherwise.
 1289 \item[{\sphinxstylestrong{-a}}] \leavevmode
 1290 Display list of addresses in credentials.
 1292 \item[{\sphinxstylestrong{-n}}] \leavevmode
 1293 Show numeric addresses instead of reverse-resolving addresses.
 1295 \item[{\sphinxstylestrong{-C}}] \leavevmode
 1296 List configuration data that has been stored in the credentials
 1297 cache when klist encounters it.  By default, configuration data
 1298 is not listed.
 1300 \item[{\sphinxstylestrong{-k}}] \leavevmode
 1301 List keys held in a keytab file.
 1303 \item[{\sphinxstylestrong{-i}}] \leavevmode
 1304 In combination with \sphinxstylestrong{-k}, defaults to using the default client
 1305 keytab instead of the default acceptor keytab, if no name is
 1306 given.
 1308 \item[{\sphinxstylestrong{-t}}] \leavevmode
 1309 Display the time entry timestamps for each keytab entry in the
 1310 keytab file.
 1312 \item[{\sphinxstylestrong{-K}}] \leavevmode
 1313 Display the value of the encryption key in each keytab entry in
 1314 the keytab file.
 1316 \item[{\sphinxstylestrong{-V}}] \leavevmode
 1317 Display the Kerberos version number and exit.
 1319 \end{description}
 1321 If \sphinxstyleemphasis{cache\_name} or \sphinxstyleemphasis{keytab\_name} is not specified, klist will display
 1322 the credentials in the default credentials cache or keytab file as
 1323 appropriate.  If the \sphinxstylestrong{KRB5CCNAME} environment variable is set, its
 1324 value is used to locate the default ticket cache.
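The flag table and the \sphinxstylestrong{-s} exit status above are easiest to
work with from a script.  The following Python is an added example, not
code from the krb5 distribution: it parses a dump in the shape
\sphinxcode{klist -ef} prints, expands the flag letters with the table
above, approximates the \sphinxstylestrong{-s} verdict, and reports the entries
a reviewer would look at first.  The sample dump is constructed, and
\sphinxcode{WEAK\_ENCTYPES} is a local policy choice (klist only displays
enctypes; it does not judge them).

```python
import re
from datetime import datetime

# Flag letters as documented for klist -f.
FLAG_NAMES = {
    "F": "Forwardable", "f": "forwarded", "P": "Proxiable", "p": "proxy",
    "D": "postDateable", "d": "postdated", "R": "Renewable", "I": "Initial",
    "i": "invalid", "H": "Hardware authenticated", "A": "preAuthenticated",
    "T": "Transit policy checked", "O": "Okay as delegate", "a": "anonymous",
}

# Local policy assumption for audit(); klist itself enforces nothing here.
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc",
                 "des-cbc-md5", "des3-cbc-sha1"}

# Constructed sample modeled on `klist -ef` output, not captured from a host.
SAMPLE = (
    "Ticket cache: FILE:/tmp/krb5cc_1000\n"
    "Default principal: jqpublic@USC.EDU\n"
    "\n"
    "Valid starting       Expires              Service principal\n"
    "02/12/2020 09:00:00  02/12/2020 19:00:00  krbtgt/USC.EDU@USC.EDU\n"
    "\trenew until 02/19/2020 09:00:00, Flags: FRIA\n"
    "\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96\n"
    "02/12/2020 09:05:12  02/12/2020 19:00:00  host/shell.usc.edu@USC.EDU\n"
    "\tFlags: FAT\n"
    "\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac\n"
)

_STAMP = r"(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)"
TICKET_RE = re.compile("^" + _STAMP + r"\s+" + _STAMP + r"\s+(\S+)\s*$")
RENEW_RE = re.compile("renew until " + _STAMP)
FLAGS_RE = re.compile(r"Flags: ([A-Za-z]+)")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): ([^,]+), (\S+)")


def _ts(text):
    """klist prints local time as mm/dd/yyyy or mm/dd/yy; accept both."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognized timestamp: " + text)


def parse_klist(text):
    """Return (cache_name, default_principal, tickets); each ticket is a dict
    with start, expires, service, flags, renew_until, skey and tkt."""
    cache = principal = None
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if line.startswith("Ticket cache: "):
            cache = line[len("Ticket cache: "):]
        elif line.startswith("Default principal: "):
            principal = line[len("Default principal: "):]
        elif m:
            tickets.append({"start": _ts(m[1]), "expires": _ts(m[2]),
                            "service": m[3], "flags": "", "renew_until": None,
                            "skey": None, "tkt": None})
        elif line.startswith("\t") and tickets:   # detail line of the last ticket
            t = tickets[-1]
            m = RENEW_RE.search(line)
            if m:
                t["renew_until"] = _ts(m[1])
            m = FLAGS_RE.search(line)
            if m:
                t["flags"] = m[1]
            m = ETYPE_RE.search(line)
            if m:
                t["skey"], t["tkt"] = m[1].strip(), m[2]
    return cache, principal, tickets


def decode_flags(flags):
    """Expand a flag string such as 'FRIA' with the klist -f table."""
    return [FLAG_NAMES.get(c, "unknown:" + c) for c in flags]


def cache_usable(text, now):
    """Approximate the klist -s verdict (True = exit status 0): an unexpired
    TGT for the default principal's realm or, if the cache holds no TGT at
    all, any unexpired ticket.  Models the documented behaviour, not the code."""
    if isinstance(now, str):
        now = _ts(now)
    _, principal, tickets = parse_klist(text)
    if principal is None or not tickets:
        return False
    realm = principal.rsplit("@", 1)[1]
    tgts = [t for t in tickets if t["service"] == "krbtgt/%s@%s" % (realm, realm)]
    return any(t["expires"] > now for t in (tgts or tickets))


def audit(text, now):
    """Findings worth raising from a cache dump: expired entries, a forwardable
    TGT (it can be delegated to any host the user connects to) and weak
    enctypes.  Returns (service, finding) pairs in cache order."""
    if isinstance(now, str):
        now = _ts(now)
    findings = []
    for t in parse_klist(text)[2]:
        if t["expires"] <= now:
            findings.append((t["service"], "expired"))
        if "F" in t["flags"] and t["service"].startswith("krbtgt/"):
            findings.append((t["service"], "forwardable-tgt"))
        for which in ("skey", "tkt"):
            if t[which] in WEAK_ENCTYPES:
                findings.append((t["service"], "weak-" + which))
    return findings
```

To use it on a live system, feed the text of \sphinxcode{klist -ef} to
\sphinxcode{parse\_klist}.  The forwardable-TGT finding is the one to act on
first: a forwardable TGT forwarded to a compromised host lets that host
obtain service tickets as the user for the lifetime of the TGT.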
 1327 \subsection{ENVIRONMENT}
 1328 \label{\detokenize{user/user_commands/klist:environment}}
 1329 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 1330 variables.
 1333 \subsection{FILES}
 1334 \label{\detokenize{user/user_commands/klist:files}}\begin{description}
 1335 \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
 1336 Default location of Kerberos 5 credentials cache
 1338 \item[{\DUrole{xref,std,std-ref}{DEFKTNAME}}] \leavevmode
 1339 Default location for the local host’s keytab file.
 1341 \end{description}
 1344 \subsection{SEE ALSO}
 1345 \label{\detokenize{user/user_commands/klist:see-also}}
 1346 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 1349 \section{kpasswd}
 1350 \label{\detokenize{user/user_commands/kpasswd:kpasswd}}\label{\detokenize{user/user_commands/kpasswd::doc}}\label{\detokenize{user/user_commands/kpasswd:kpasswd-1}}
 1352 \subsection{SYNOPSIS}
 1353 \label{\detokenize{user/user_commands/kpasswd:synopsis}}
 1354 \sphinxstylestrong{kpasswd} {[}\sphinxstyleemphasis{principal}{]}
 1357 \subsection{DESCRIPTION}
 1358 \label{\detokenize{user/user_commands/kpasswd:description}}
 1359 The kpasswd command is used to change a Kerberos principal’s password.
 1360 kpasswd first prompts for the current Kerberos password, then prompts
 1361 the user twice for the new password, and the password is changed.
 1363 If the principal is governed by a policy that specifies the length
 1364 and/or number of character classes required in the new password, the
 1365 new password must conform to the policy.  (The five character classes
 1366 are lower case, upper case, numbers, punctuation, and all other
 1367 characters.)
 1370 \subsection{OPTIONS}
 1371 \label{\detokenize{user/user_commands/kpasswd:options}}\begin{description}
 1372 \item[{\sphinxstyleemphasis{principal}}] \leavevmode
 1373 Change the password for the Kerberos principal principal.
 1374 Otherwise, kpasswd uses the principal name from an existing ccache
 1375 if there is one; if not, the principal is derived from the
 1376 identity of the user invoking the kpasswd command.
 1378 \end{description}
 1381 \subsection{ENVIRONMENT}
 1382 \label{\detokenize{user/user_commands/kpasswd:environment}}
 1383 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 1384 variables.
 1387 \subsection{SEE ALSO}
 1388 \label{\detokenize{user/user_commands/kpasswd:see-also}}
 1389 \DUrole{xref,std,std-ref}{kadmin(1)}, \DUrole{xref,std,std-ref}{kadmind(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 1392 \section{krb5-config}
 1393 \label{\detokenize{user/user_commands/krb5-config:krb5-config-1}}\label{\detokenize{user/user_commands/krb5-config:krb5-config}}\label{\detokenize{user/user_commands/krb5-config::doc}}
 1395 \subsection{SYNOPSIS}
 1396 \label{\detokenize{user/user_commands/krb5-config:synopsis}}
 1397 \sphinxstylestrong{krb5-config}
 1398 {[}\sphinxstylestrong{-}\sphinxstylestrong{-help} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-all} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-version} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-vendor} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-prefix} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-exec-prefix} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-defccname} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-defktname} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-defcktname} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-cflags} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-libs} {[}\sphinxstyleemphasis{libraries}{]}{]}
 1401 \subsection{DESCRIPTION}
 1402 \label{\detokenize{user/user_commands/krb5-config:description}}
 1403 krb5-config tells the application programmer what flags to use to compile
 1404 and link programs against the installed Kerberos libraries.
 1407 \subsection{OPTIONS}
 1408 \label{\detokenize{user/user_commands/krb5-config:options}}\begin{description}
 1409 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-help}}] \leavevmode
 1410 prints a usage message.  This is the default behavior when no options
 1411 are specified.
 1413 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-all}}] \leavevmode
 1414 prints the version, vendor, prefix, and exec-prefix.
 1416 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-version}}] \leavevmode
 1417 prints the version number of the Kerberos installation.
 1419 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-vendor}}] \leavevmode
 1420 prints the name of the vendor of the Kerberos installation.
 1422 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-prefix}}] \leavevmode
 1423 prints the prefix for which the Kerberos installation was built.
 1425 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-exec-prefix}}] \leavevmode
 1426 prints the prefix for executables for which the Kerberos installation
 1427 was built.
 1429 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-defccname}}] \leavevmode
 1430 prints the built-in default credentials cache location.
 1432 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-defktname}}] \leavevmode
 1433 prints the built-in default keytab location.
 1435 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-defcktname}}] \leavevmode
 1436 prints the built-in default client (initiator) keytab location.
 1438 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-cflags}}] \leavevmode
 1439 prints the compilation flags used to build the Kerberos installation.
 1441 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-libs} {[}\sphinxstyleemphasis{library}{]}}] \leavevmode
 1442 prints the compiler options needed to link against \sphinxstyleemphasis{library}.
 1443 Allowed values for \sphinxstyleemphasis{library} are:
 1446 \begin{savenotes}\sphinxattablestart
 1447 \centering
 1448 \begin{tabulary}{\linewidth}[t]{|T|T|}
 1449 \hline
 1451 krb5
 1452 &
 1453 Kerberos 5 applications (default)
 1454 \\
 1455 \hline
 1456 gssapi
 1457 &
 1458 GSSAPI applications with Kerberos 5 bindings
 1459 \\
 1460 \hline
 1461 kadm-client
 1462 &
 1463 Kadmin client
 1464 \\
 1465 \hline
 1466 kadm-server
 1467 &
 1468 Kadmin server
 1469 \\
 1470 \hline
 1471 kdb
 1472 &
 1473 Applications that access the Kerberos database
 1474 \\
 1475 \hline
 1476 \end{tabulary}
 1477 \par
 1478 \sphinxattableend\end{savenotes}
 1480 \end{description}
 1483 \subsection{EXAMPLES}
 1484 \label{\detokenize{user/user_commands/krb5-config:examples}}
 1485 krb5-config is particularly useful for compiling against a Kerberos
 1486 installation that was installed in a non-standard location.  For example,
 1487 a Kerberos installation that is installed in \sphinxcode{/opt/krb5/} but uses
 1488 libraries in \sphinxcode{/usr/local/lib/} for text localization would produce
 1489 the following output:
 1491 \fvset{hllines={, ,}}%
 1492 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1493 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{config} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{libs} \PYG{n}{krb5}
 1494 \PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{\PYGZhy{}}\PYG{n}{rpath} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{lkrb5} \PYG{o}{\PYGZhy{}}\PYG{n}{lk5crypto} \PYG{o}{\PYGZhy{}}\PYG{n}{lcom\PYGZus{}err}
 1495 \end{sphinxVerbatim}
 1498 \subsection{SEE ALSO}
 1499 \label{\detokenize{user/user_commands/krb5-config:see-also}}
 1500 {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, cc(1)
 1503 \section{ksu}
 1504 \label{\detokenize{user/user_commands/ksu:ksu-1}}\label{\detokenize{user/user_commands/ksu:ksu}}\label{\detokenize{user/user_commands/ksu::doc}}
 1506 \subsection{SYNOPSIS}
 1507 \label{\detokenize{user/user_commands/ksu:synopsis}}
 1508 \sphinxstylestrong{ksu}
 1509 {[} \sphinxstyleemphasis{target\_user} {]}
 1510 {[} \sphinxstylestrong{-n} \sphinxstyleemphasis{target\_principal\_name} {]}
 1511 {[} \sphinxstylestrong{-c} \sphinxstyleemphasis{source\_cache\_name} {]}
 1512 {[} \sphinxstylestrong{-k} {]}
{[} \sphinxstylestrong{-r} \sphinxstyleemphasis{time} {]}
{[} \sphinxstylestrong{-p} \textbar{} \sphinxstylestrong{-P} {]}
{[} \sphinxstylestrong{-f} \textbar{} \sphinxstylestrong{-F} {]}
{[} \sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime} {]}
{[} \sphinxstylestrong{-z} \textbar{} \sphinxstylestrong{-Z} {]}
 1518 {[} \sphinxstylestrong{-q} {]}
 1519 {[} \sphinxstylestrong{-e} \sphinxstyleemphasis{command} {[} args …  {]} {]} {[} \sphinxstylestrong{-a} {[} args …  {]} {]}
 1522 \subsection{REQUIREMENTS}
 1523 \label{\detokenize{user/user_commands/ksu:requirements}}
 1524 Must have Kerberos version 5 installed to compile ksu.  Must have a
 1525 Kerberos version 5 server running to use ksu.
 1528 \subsection{DESCRIPTION}
 1529 \label{\detokenize{user/user_commands/ksu:description}}
 1530 ksu is a Kerberized version of the su program that has two missions:
 1531 one is to securely change the real and effective user ID to that of
 1532 the target user, and the other is to create a new security context.
 1534 \begin{sphinxadmonition}{note}{Note:}
 1535 For the sake of clarity, all references to and attributes of
 1536 the user invoking the program will start with “source”
 1537 (e.g., “source user”, “source cache”, etc.).
 1539 Likewise, all references to and attributes of the target
 1540 account will start with “target”.
 1541 \end{sphinxadmonition}
 1544 \subsection{AUTHENTICATION}
 1545 \label{\detokenize{user/user_commands/ksu:authentication}}
 1546 To fulfill the first mission, ksu operates in two phases:
 1547 authentication and authorization.  Resolving the target principal name
 1548 is the first step in authentication.  The user can either specify his
 1549 principal name with the \sphinxstylestrong{-n} option (e.g., \sphinxcode{-n jqpublic@USC.EDU})
 1550 or a default principal name will be assigned using a heuristic
 1551 described in the OPTIONS section (see \sphinxstylestrong{-n} option).  The target user
 1552 name must be the first argument to ksu; if not specified root is the
 1553 default.  If \sphinxcode{.} is specified then the target user will be the
 1554 source user (e.g., \sphinxcode{ksu .}).  If the source user is root or the
 1555 target user is the source user, no authentication or authorization
 1556 takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
 1557 in the source cache.
 1559 The ticket can either be for the end-server or a ticket granting
 1560 ticket (TGT) for the target principal’s realm.  If the ticket for the
 1561 end-server is already in the cache, it’s decrypted and verified.  If
 1562 it’s not in the cache but the TGT is, the TGT is used to obtain the
 1563 ticket for the end-server.  The end-server ticket is then verified.
 1564 If neither ticket is in the cache, but ksu is compiled with the
 1565 \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} define, the user will be prompted for a
 1566 Kerberos password which will then be used to get a TGT.  If the user
 1567 is logged in remotely and does not have a secure channel, the password
 1568 may be exposed.  If neither ticket is in the cache and
 1569 \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is not defined, authentication fails.
 1572 \subsection{AUTHORIZATION}
 1573 \label{\detokenize{user/user_commands/ksu:authorization}}
 1574 This section describes authorization of the source user when ksu is
 1575 invoked without the \sphinxstylestrong{-e} option.  For a description of the \sphinxstylestrong{-e}
 1576 option, see the OPTIONS section.
 1578 Upon successful authentication, ksu checks whether the target
 1579 principal is authorized to access the target account.  In the target
 1580 user’s home directory, ksu attempts to access two authorization files:
 1581 {\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} and .k5users.  In the .k5login file each line
 1582 contains the name of a principal that is authorized to access the
 1583 account.
 1585 For example:
 1587 \fvset{hllines={, ,}}%
 1588 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1589 \PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
 1590 \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
 1591 \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
 1592 \end{sphinxVerbatim}
 1594 The format of .k5users is the same, except the principal name may be
 1595 followed by a list of commands that the principal is authorized to
 1596 execute (see the \sphinxstylestrong{-e} option in the OPTIONS section for details).
 1598 Thus if the target principal name is found in the .k5login file the
 1599 source user is authorized to access the target account.  Otherwise ksu
 1600 looks in the .k5users file.  If the target principal name is found
 1601 without any trailing commands or followed only by \sphinxcode{*} then the
 1602 source user is authorized.  If either .k5login or .k5users exist but
 1603 an appropriate entry for the target principal does not exist then
 1604 access is denied.  If neither file exists then the principal will be
 1605 granted access to the account according to the aname-\textgreater{}lname mapping
 1606 rules.  Otherwise, authorization fails.
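The decision above, together with the \sphinxstylestrong{-e} command rule
described under OPTIONS, as an added Python model; this is not ksu's own
code, which is C.  \sphinxcode{CMD\_PATH} and \sphinxcode{LOCAL\_REALM} are
assumptions standing in for ksu's compile-time \sphinxstylestrong{CMD\_PATH}
and for the library's aname-to-lname rules, and the model does not check
that a listed command exists on disk as ksu does.  The file contents are
the examples given in this section.

```python
import posixpath

# Assumed build-time CMD_PATH: directories in which ksu resolves bare program
# names from .k5users and from -e.  The real value is fixed when ksu is built.
CMD_PATH = ("/bin", "/usr/bin", "/local/kerberos")
# Assumed local realm for the aname->lname fallback used when neither file exists.
LOCAL_REALM = "USC.EDU"

# Constructed file contents, taken from the examples in this section.
K5LOGIN = "jqpublic@USC.EDU\njqpublic/secure@USC.EDU\njqpublic/admin@USC.EDU\n"
K5USERS = ("jqpublic@USC.EDU ls mail /local/kerberos/klist\n"
           "jqpublic/secure@USC.EDU *\n"
           "jqpublic/admin@USC.EDU\n")


def parse_k5login(text):
    """One authorized principal per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_k5users(text):
    """principal -> list of commands; [] means shell only, ['*'] means any."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries[fields[0]] = fields[1:]
    return entries


def _candidates(cmd):
    """Full paths a command string may denote: an absolute path names itself,
    a bare name is looked up in every CMD_PATH directory, and a relative path
    containing '/' denotes nothing (only a '*' entry permits it).  Existence
    on disk is not checked here, unlike in ksu."""
    if posixpath.isabs(cmd):
        return {posixpath.normpath(cmd)}
    if "/" in cmd:
        return set()
    return {posixpath.join(d, cmd) for d in CMD_PATH}


def command_permitted(request, allowed):
    """True if the -e command matches a .k5users entry for the principal."""
    if allowed == ["*"]:
        return True
    return any(_candidates(request) & _candidates(entry) for entry in allowed)


def aname_to_lname(principal):
    """Simplest default mapping: name@LOCAL_REALM -> name; nothing else maps."""
    name, _, realm = principal.rpartition("@")
    return name if realm == LOCAL_REALM and "/" not in name else None


def ksu_authorized(source_uid, source_user, target_user, target_principal,
                   k5login=None, k5users=None, command=None):
    """Authorization phase of ksu.  k5login/k5users are the contents of the
    target user's files (None = file absent); command is the -e command, or
    None for the target shell.  Returns (allowed, reason)."""
    if source_uid == 0 or source_user == target_user:
        return True, "root or same user: no authorization check"
    users = parse_k5users(k5users) if k5users is not None else None
    if command is not None:                      # -e: only .k5users is consulted
        if users is None:
            return False, "-e requires ~target_user/.k5users"
        allowed = users.get(target_principal)
        if allowed is None:
            return False, "principal not listed in .k5users"
        if command_permitted(command, allowed):
            return True, "command permitted by .k5users"
        return False, "command not listed for this principal"
    if k5login is not None and target_principal in parse_k5login(k5login):
        return True, "principal listed in .k5login"
    if users is not None and target_principal in users:
        if users[target_principal] in ([], ["*"]):
            return True, ".k5users entry grants the shell"
        return False, ".k5users entry is limited to listed commands"
    if k5login is None and users is None:
        if aname_to_lname(target_principal) == target_user:
            return True, "no auth files: aname->lname mapping matches"
        return False, "no auth files: aname->lname mapping does not match"
    return False, "no entry for the principal in .k5login or .k5users"
```

Two consequences of the rules are easy to miss and show up in the model:
a principal listed in .k5users with specific commands gets those commands
and nothing else, not even the shell, and a bare command name in the file
only matches a request whose path resolves through \sphinxcode{CMD\_PATH},
so \sphinxcode{/local/kerberos/klist} in the file does not authorize
\sphinxcode{/usr/bin/klist}.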
\subsubsection{Execution of the target shell}
\label{\detokenize{user/user_commands/ksu:execution-of-the-target-shell}}
 1611 Upon successful authentication and authorization, ksu proceeds in a
 1612 similar fashion to su.  The environment is unmodified with the
 1613 exception of USER, HOME and SHELL variables.  If the target user is
 1614 not root, USER gets set to the target user name.  Otherwise USER
 1615 remains unchanged.  Both HOME and SHELL are set to the target login’s
 1616 default values.  In addition, the environment variable \sphinxstylestrong{KRB5CCNAME}
 1617 gets set to the name of the target cache.  The real and effective user
 1618 ID are changed to that of the target user.  The target user’s shell is
 1619 then invoked (the shell name is specified in the password file).  Upon
 1620 termination of the shell, ksu deletes the target cache (unless ksu is
 1621 invoked with the \sphinxstylestrong{-k} option).  This is implemented by first doing a
 1622 fork and then an exec, instead of just exec, as done by su.
\subsubsection{Creating a new security context}
\label{\detokenize{user/user_commands/ksu:creating-a-new-security-context}}
 1627 ksu can be used to create a new security context for the target
 1628 program (either the target shell, or command specified via the \sphinxstylestrong{-e}
 1629 option).  The target program inherits a set of credentials from the
 1630 source user.  By default, this set includes all of the credentials in
 1631 the source cache plus any additional credentials obtained during
 1632 authentication.  The source user is able to limit the credentials in
 1633 this set by using \sphinxstylestrong{-z} or \sphinxstylestrong{-Z} option.  \sphinxstylestrong{-z} restricts the copy
 1634 of tickets from the source cache to the target cache to only the
 1635 tickets where client == the target principal name.  The \sphinxstylestrong{-Z} option
 1636 provides the target user with a fresh target cache (no creds in the
cache).  Note that for security reasons, when the source user is root
and the target user is non-root, the \sphinxstylestrong{-z} option is the default
mode of operation.
 1641 While no authentication takes place if the source user is root or is
 1642 the same as the target user, additional tickets can still be obtained
 1643 for the target cache.  If \sphinxstylestrong{-n} is specified and no credentials can
 1644 be copied to the target cache, the source user is prompted for a
 1645 Kerberos password (unless \sphinxstylestrong{-Z} specified or \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD}
 1646 is undefined).  If successful, a TGT is obtained from the Kerberos
 1647 server and stored in the target cache.  Otherwise, if a password is
 1648 not provided (user hit return) ksu continues in a normal mode of
 1649 operation (the target cache will not contain the desired TGT).  If the
 1650 wrong password is typed in, ksu fails.
 1652 \begin{sphinxadmonition}{note}{Note:}
During authentication, only the tickets that could be
obtained without providing a password are cached in the
source cache.
 1656 \end{sphinxadmonition}
 1659 \subsection{OPTIONS}
 1660 \label{\detokenize{user/user_commands/ksu:options}}\begin{description}
 1661 \item[{\sphinxstylestrong{-n} \sphinxstyleemphasis{target\_principal\_name}}] \leavevmode
 1662 Specify a Kerberos target principal name.  Used in authentication
 1663 and authorization phases of ksu.
 1665 If ksu is invoked without \sphinxstylestrong{-n}, a default principal name is
 1666 assigned via the following heuristic:
 1667 \begin{itemize}
 1668 \item {} 
 1669 Case 1: source user is non-root.
 1671 If the target user is the source user the default principal name
 1672 is set to the default principal of the source cache.  If the
 1673 cache does not exist then the default principal name is set to
 1674 \sphinxcode{target\_user@local\_realm}.  If the source and target users are
 1675 different and neither \sphinxcode{\textasciitilde{}target\_user/.k5users} nor
 1676 \sphinxcode{\textasciitilde{}target\_user/.k5login} exist then the default principal name
 1677 is \sphinxcode{target\_user\_login\_name@local\_realm}.  Otherwise, starting
 1678 with the first principal listed below, ksu checks if the
 1679 principal is authorized to access the target account and whether
 1680 there is a legitimate ticket for that principal in the source
 1681 cache.  If both conditions are met that principal becomes the
 1682 default target principal, otherwise go to the next principal.
 1683 \begin{enumerate}
 1684 \item {} 
 1685 default principal of the source cache
 1687 \item {} 
 1688 target\_user@local\_realm
 1690 \item {} 
 1691 source\_user@local\_realm
 1693 \end{enumerate}
If none of candidates 1-3 succeeds, try any principal for which
there is a ticket in the source cache and that is authorized to
access the target account.  If that fails, select the first
principal in the above list that is authorized to access the
target account.  If none is authorized and ksu is configured with
\sphinxstylestrong{PRINC\_LOOK\_AHEAD} turned on, select the default principal as
follows:

For each candidate in the above list, select an authorized
principal that has the same realm name and whose first name
component equals that of the candidate.  For example, if
candidate 1 is \sphinxcode{jqpublic@ISI.EDU} and
\sphinxcode{jqpublic/secure@ISI.EDU} is authorized to access the target
account, then the default principal is set to
\sphinxcode{jqpublic/secure@ISI.EDU}.
 1711 \item {} 
 1712 Case 2: source user is root.
 1714 If the target user is non-root then the default principal name
 1715 is \sphinxcode{target\_user@local\_realm}.  Else, if the source cache
 1716 exists the default principal name is set to the default
 1717 principal of the source cache.  If the source cache does not
exist, the default principal name is set to \sphinxcode{root@local\_realm}.
 1720 \end{itemize}
 1722 \end{description}
\begin{description}
\item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{source\_cache\_name}}] \leavevmode
Specify the source cache name (e.g., \sphinxcode{-c FILE:/tmp/my\_cache}).  If
the \sphinxstylestrong{-c} option is not used, the name is obtained from the
\sphinxstylestrong{KRB5CCNAME} environment variable.  If \sphinxstylestrong{KRB5CCNAME} is not
defined, the source cache name is set to \sphinxcode{krb5cc\_\textless{}source uid\textgreater{}}.
The target cache name is automatically set to \sphinxcode{krb5cc\_\textless{}target
uid\textgreater{}.(gen\_sym())}, where gen\_sym generates a new number such that
the resulting cache does not already exist.  For example:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{krb5cc\PYGZus{}1984}\PYG{o}{.}\PYG{l+m+mi}{2}
\end{sphinxVerbatim}

\end{description}
 1740 \begin{description}
 1741 \item[{\sphinxstylestrong{-k}}] \leavevmode
 1742 Do not delete the target cache upon termination of the target
 1743 shell or a command (\sphinxstylestrong{-e} command).  Without \sphinxstylestrong{-k}, ksu deletes
 1744 the target cache.
\item[{\sphinxstylestrong{-z}}] \leavevmode
Restrict the copy of tickets from the source cache to the target
cache to only the tickets where client == the target principal
name.  Use the \sphinxstylestrong{-n} option if you want the tickets for a
principal other than the default principal.  Note that the \sphinxstylestrong{-z}
option is mutually exclusive with the \sphinxstylestrong{-Z} option.
 1753 \item[{\sphinxstylestrong{-Z}}] \leavevmode
 1754 Don’t copy any tickets from the source cache to the target cache.
 1755 Just create a fresh target cache, where the default principal name
 1756 of the cache is initialized to the target principal name.  Note
 1757 that the \sphinxstylestrong{-Z} option is mutually exclusive with the \sphinxstylestrong{-z}
 1758 option.
 1760 \item[{\sphinxstylestrong{-q}}] \leavevmode
 1761 Suppress the printing of status messages.
 1763 \end{description}
 1765 Ticket granting ticket options:
 1766 \begin{description}
 1767 \item[{\sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime} \sphinxstylestrong{-r} \sphinxstyleemphasis{time} \sphinxstylestrong{-p} \sphinxstylestrong{-P} \sphinxstylestrong{-f} \sphinxstylestrong{-F}}] \leavevmode
 1768 The ticket granting ticket options only apply to the case where
 1769 there are no appropriate tickets in the cache to authenticate the
 1770 source user.  In this case if ksu is configured to prompt users
 1771 for a Kerberos password (\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is defined), the
 1772 ticket granting ticket options that are specified will be used
 1773 when getting a ticket granting ticket from the Kerberos server.
 1775 \item[{\sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime}}] \leavevmode
 1776 (\DUrole{xref,std,std-ref}{duration} string.)  Specifies the lifetime to be requested
 1777 for the ticket; if this option is not specified, the default ticket
 1778 lifetime (12 hours) is used instead.
 1780 \item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{time}}] \leavevmode
 1781 (\DUrole{xref,std,std-ref}{duration} string.)  Specifies that the \sphinxstylestrong{renewable} option
 1782 should be requested for the ticket, and specifies the desired
 1783 total lifetime of the ticket.
 1785 \item[{\sphinxstylestrong{-p}}] \leavevmode
 1786 specifies that the \sphinxstylestrong{proxiable} option should be requested for
 1787 the ticket.
 1789 \item[{\sphinxstylestrong{-P}}] \leavevmode
 1790 specifies that the \sphinxstylestrong{proxiable} option should not be requested
 1791 for the ticket, even if the default configuration is to ask for
 1792 proxiable tickets.
 1794 \item[{\sphinxstylestrong{-f}}] \leavevmode
 1795 option specifies that the \sphinxstylestrong{forwardable} option should be
 1796 requested for the ticket.
 1798 \item[{\sphinxstylestrong{-F}}] \leavevmode
 1799 option specifies that the \sphinxstylestrong{forwardable} option should not be
 1800 requested for the ticket, even if the default configuration is to
 1801 ask for forwardable tickets.
\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{args}{]}}] \leavevmode
ksu proceeds exactly as if it were invoked without the
\sphinxstylestrong{-e} option, except that instead of executing the target shell,
ksu executes the specified command.  Example of usage:
 1808 \fvset{hllines={, ,}}%
 1809 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1810 \PYG{n}{ksu} \PYG{n}{bob} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{ls} \PYG{o}{\PYGZhy{}}\PYG{n}{lag}
 1811 \end{sphinxVerbatim}
 1813 The authorization algorithm for \sphinxstylestrong{-e} is as follows:
 1815 If the source user is root or source user == target user, no
 1816 authorization takes place and the command is executed.  If source
 1817 user id != 0, and \sphinxcode{\textasciitilde{}target\_user/.k5users} file does not exist,
 1818 authorization fails.  Otherwise, \sphinxcode{\textasciitilde{}target\_user/.k5users} file
 1819 must have an appropriate entry for target principal to get
 1820 authorized.
 1822 The .k5users file format:
 1824 A single principal entry on each line that may be followed by a
 1825 list of commands that the principal is authorized to execute.  A
 1826 principal name followed by a \sphinxcode{*} means that the user is
 1827 authorized to execute any command.  Thus, in the following
 1828 example:
 1830 \fvset{hllines={, ,}}%
 1831 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1832 \PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ls} \PYG{n}{mail} \PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{klist}
 1833 \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{*}
 1834 \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
 1835 \end{sphinxVerbatim}
 1837 \sphinxcode{jqpublic@USC.EDU} is only authorized to execute \sphinxcode{ls},
 1838 \sphinxcode{mail} and \sphinxcode{klist} commands.  \sphinxcode{jqpublic/secure@USC.EDU} is
 1839 authorized to execute any command.  \sphinxcode{jqpublic/admin@USC.EDU} is
 1840 not authorized to execute any command.  Note, that
 1841 \sphinxcode{jqpublic/admin@USC.EDU} is authorized to execute the target
 1842 shell (regular ksu, without the \sphinxstylestrong{-e} option) but
 1843 \sphinxcode{jqpublic@USC.EDU} is not.
 1845 The commands listed after the principal name must be either a full
 1846 path names or just the program name.  In the second case,
 1847 \sphinxstylestrong{CMD\_PATH} specifying the location of authorized programs must
 1848 be defined at the compilation time of ksu.  Which command gets
 1849 executed?
 1851 If the source user is root or the target user is the source user
 1852 or the user is authorized to execute any command (\sphinxcode{*} entry)
 1853 then command can be either a full or a relative path leading to
 1854 the target program.  Otherwise, the user must specify either a
 1855 full path or just the program name.
 1857 \item[{\sphinxstylestrong{-a} \sphinxstyleemphasis{args}}] \leavevmode
 1858 Specify arguments to be passed to the target shell.  Note that all
 1859 flags and parameters following -a will be passed to the shell,
 1860 thus all options intended for ksu must precede \sphinxstylestrong{-a}.
 1862 The \sphinxstylestrong{-a} option can be used to simulate the \sphinxstylestrong{-e} option if
 1863 used as follows:
 1865 \fvset{hllines={, ,}}%
 1866 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1867 \PYG{o}{\PYGZhy{}}\PYG{n}{a} \PYG{o}{\PYGZhy{}}\PYG{n}{c} \PYG{p}{[}\PYG{n}{command} \PYG{p}{[}\PYG{n}{arguments}\PYG{p}{]}\PYG{p}{]}\PYG{o}{.}
 1868 \end{sphinxVerbatim}
 1870 \sphinxstylestrong{-c} is interpreted by the c-shell to execute the command.
 1872 \end{description}
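The \sphinxstylestrong{-e} authorization rules and the .k5users format described above, modelled as an added example (this is not code from the krb5 ksu sources): it parses a constructed .k5users file matching the manual's sample and applies the root/same-user bypass, the missing-file failure, the command-list and \sphinxcode{*} entries, and the full-path versus bare-name rule. Matching a bare program name against an entry by basename, rather than by locating it in the compile-time \sphinxstylestrong{CMD\_PATH} directories, is a simplifying assumption of this model.

```python
import os.path

# Constructed sample .k5users contents (not a real file); mirrors the
# example given in the ksu manual.
SAMPLE_K5USERS = """\
jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
jqpublic/admin@USC.EDU
"""


def parse_k5users(text):
    """Map principal -> list of allowed commands, or "*" for any command."""
    policy = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        policy[fields[0]] = "*" if fields[1:] == ["*"] else fields[1:]
    return policy


def authorize_command(source_uid, source_user, target_user,
                      target_principal, command, k5users_text):
    """Model of the ksu -e decision: True if `command` may be executed.

    k5users_text is the content of ~target_user/.k5users, or None when
    that file does not exist.
    """
    # Root, or source user == target user: no authorization takes place.
    if source_uid == 0 or source_user == target_user:
        return True
    # Non-root source user and no ~target_user/.k5users: authorization fails.
    if k5users_text is None:
        return False
    allowed = parse_k5users(k5users_text).get(target_principal)
    if not allowed:
        return False      # no entry, or an entry listing no commands (shell only)
    if allowed == "*":
        return True       # any command, given as a full or relative path
    # Otherwise the request must be a full path or a bare program name.
    if command.startswith("/"):
        return command in allowed
    if "/" in command:
        return False      # relative paths such as ./ls are not accepted
    # Bare name: assumed here to match an entry by basename; the real ksu
    # resolves such names through the compile-time CMD_PATH directories.
    return command in (os.path.basename(c) for c in allowed)
```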


\subsection{INSTALLATION INSTRUCTIONS}
\label{\detokenize{user/user_commands/ksu:installation-instructions}}
ksu can be compiled with the following four flags:
\begin{description}
\item[{\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD}}] \leavevmode
In case no appropriate tickets are found in the source cache, the
user will be prompted for a Kerberos password.  The password is
then used to get a ticket granting ticket from the Kerberos
server.  The danger of configuring ksu with this macro is that if the
source user is logged in remotely and does not have a secure
channel, the password may get exposed.

\item[{\sphinxstylestrong{PRINC\_LOOK\_AHEAD}}] \leavevmode
During the resolution of the default principal name,
\sphinxstylestrong{PRINC\_LOOK\_AHEAD} enables ksu to find principal names in
the .k5users file as described in the OPTIONS section
(see the \sphinxstylestrong{-n} option).

\item[{\sphinxstylestrong{CMD\_PATH}}] \leavevmode
Specifies a list of directories containing programs that users are
authorized to execute (via the .k5users file).

\item[{\sphinxstylestrong{HAVE\_GETUSERSHELL}}] \leavevmode
If the source user is non-root, ksu insists that the target user’s
shell to be invoked is a “legal shell”.  \sphinxstyleemphasis{getusershell(3)} is
called to obtain the names of “legal shells”.  Note that the
target user’s shell is obtained from the passwd file.

\end{description}

Sample configuration:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{KSU\PYGZus{}OPTS} \PYG{o}{=} \PYG{o}{\PYGZhy{}}\PYG{n}{DGET\PYGZus{}TGT\PYGZus{}VIA\PYGZus{}PASSWD} \PYG{o}{\PYGZhy{}}\PYG{n}{DPRINC\PYGZus{}LOOK\PYGZus{}AHEAD} \PYG{o}{\PYGZhy{}}\PYG{n}{DCMD\PYGZus{}PATH}\PYG{o}{=}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{\PYGZdq{}}\PYG{l+s+s1}{/bin /usr/ucb /local/bin}\PYG{l+s+s1}{\PYGZdq{}}\PYG{l+s+s1}{\PYGZsq{}}
\end{sphinxVerbatim}

ksu should be owned by root and have the set user id bit turned on.

ksu attempts to get a ticket for the end server just as Kerberized
telnet and rlogin do.  Thus, there must be an entry for the server in the
Kerberos database (e.g., \sphinxcode{host/nii.isi.edu@ISI.EDU}).  The keytab
file must be in an appropriate location.


\subsection{SIDE EFFECTS}
\label{\detokenize{user/user_commands/ksu:side-effects}}
ksu deletes all expired tickets from the source cache.


\subsection{AUTHOR OF KSU}
\label{\detokenize{user/user_commands/ksu:author-of-ksu}}



\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/ksu:environment}}
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/ksu:see-also}}
{\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}


\section{kswitch}
\label{\detokenize{user/user_commands/kswitch:kswitch-1}}\label{\detokenize{user/user_commands/kswitch:kswitch}}\label{\detokenize{user/user_commands/kswitch::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/kswitch:synopsis}}
\sphinxstylestrong{kswitch}
\{\sphinxstylestrong{-c} \sphinxstyleemphasis{cachename}\textbar{}\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}\}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/kswitch:description}}
kswitch makes the specified credential cache the primary cache for the
collection, if a cache collection is available.


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/kswitch:options}}\begin{description}
\item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{cachename}}] \leavevmode
Directly specifies the credential cache to be made primary.

\item[{\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}}] \leavevmode
Causes the cache collection to be searched for a cache containing
credentials for \sphinxstyleemphasis{principal}.  If one is found, that cache is
made primary.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/kswitch:environment}}
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{FILES}
\label{\detokenize{user/user_commands/kswitch:files}}\begin{description}
\item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
Default location of the Kerberos 5 credentials cache

\end{description}


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/kswitch:see-also}}
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}},
{\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}


\section{kvno}
\label{\detokenize{user/user_commands/kvno:kvno-1}}\label{\detokenize{user/user_commands/kvno::doc}}\label{\detokenize{user/user_commands/kvno:kvno}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/kvno:synopsis}}
\sphinxstylestrong{kvno}
{[}\sphinxstylestrong{-c} \sphinxstyleemphasis{ccache}{]}
{[}\sphinxstylestrong{-e} \sphinxstyleemphasis{etype}{]}
{[}\sphinxstylestrong{-q}{]}
{[}\sphinxstylestrong{-h}{]}
{[}\sphinxstylestrong{-P}{]}
{[}\sphinxstylestrong{-S} \sphinxstyleemphasis{sname}{]}
{[}\sphinxstylestrong{-I} \sphinxstyleemphasis{for\_user}{]}
{[}\sphinxstylestrong{-U} \sphinxstyleemphasis{for\_user}{]}
{[}\sphinxstylestrong{-F} \sphinxstyleemphasis{cert\_file}{]}
{[}\sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}{]}
\sphinxstyleemphasis{service1 service2} …


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/kvno:description}}
kvno acquires a service ticket for each of the specified Kerberos
principals and prints out the key version number of each.


\subsection{OPTIONS}
\label{\detokenize{user/user_commands/kvno:options}}\begin{description}
\item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{ccache}}] \leavevmode
Specifies the name of a credentials cache to use (if not the
default).

\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{etype}}] \leavevmode
Specifies the enctype which will be requested for the session key
of all the services named on the command line.  This is useful in
certain backward compatibility situations.

\item[{\sphinxstylestrong{-q}}] \leavevmode
Suppress printing output when successful.  If a service ticket
cannot be obtained, an error message will still be printed and
kvno will exit with nonzero status.

\item[{\sphinxstylestrong{-h}}] \leavevmode
Prints a usage statement and exits.

\item[{\sphinxstylestrong{-P}}] \leavevmode
Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are to be
treated as services for which credentials should be acquired using
constrained delegation.  This option is only valid when used in
conjunction with protocol transition.

\item[{\sphinxstylestrong{-S} \sphinxstyleemphasis{sname}}] \leavevmode
Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are
interpreted as hostnames, and the service principals are to be
constructed from those hostnames and the service name \sphinxstyleemphasis{sname}.
The service hostnames will be canonicalized according to the usual
rules for constructing service principals.

\item[{\sphinxstylestrong{-I} \sphinxstyleemphasis{for\_user}}] \leavevmode
Specifies that protocol transition (S4U2Self) is to be used to
acquire a ticket on behalf of \sphinxstyleemphasis{for\_user}.  If constrained
delegation is not requested, the service name must match the
credentials cache client principal.

\item[{\sphinxstylestrong{-U} \sphinxstyleemphasis{for\_user}}] \leavevmode
Same as \sphinxstylestrong{-I}, but treats \sphinxstyleemphasis{for\_user} as an enterprise name.

\item[{\sphinxstylestrong{-F} \sphinxstyleemphasis{cert\_file}}] \leavevmode
Specifies that protocol transition is to be used, identifying the
client principal with the X.509 certificate in \sphinxstyleemphasis{cert\_file}.  The
certificate file must be in PEM format.

\item[{\sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}}] \leavevmode
Requests a user-to-user ticket.  \sphinxstyleemphasis{ccache} must contain a local
krbtgt ticket for the server principal.  The reported version
number will typically be 0, as the resulting ticket is not
encrypted in the server’s long-term key.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/kvno:environment}}
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{FILES}
\label{\detokenize{user/user_commands/kvno:files}}\begin{description}
\item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
Default location of the credentials cache

\end{description}


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/kvno:see-also}}
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}


\section{sclient}
\label{\detokenize{user/user_commands/sclient:sclient}}\label{\detokenize{user/user_commands/sclient::doc}}\label{\detokenize{user/user_commands/sclient:sclient-1}}

\subsection{SYNOPSIS}
\label{\detokenize{user/user_commands/sclient:synopsis}}
\sphinxstylestrong{sclient} \sphinxstyleemphasis{remotehost}


\subsection{DESCRIPTION}
\label{\detokenize{user/user_commands/sclient:description}}
sclient is a sample application, primarily useful for testing
purposes.  It contacts a sample server \DUrole{xref,std,std-ref}{sserver(8)} and
authenticates to it using Kerberos version 5 tickets, then displays
the server’s response.


\subsection{ENVIRONMENT}
\label{\detokenize{user/user_commands/sclient:environment}}
See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{user/user_commands/sclient:see-also}}
{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, \DUrole{xref,std,std-ref}{sserver(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}



\renewcommand{\indexname}{Index}
\printindex
\end{document}