"Fossies" - the Fresh Open Source Software Archive

Member "krb5-1.18/doc/pdf/user.tex" (12 Feb 2020, 100735 Bytes) of package /linux/misc/krb5-1.18.tar.gz:

    1 %% Generated by Sphinx.
    2 \def\sphinxdocclass{report}
    3 \documentclass[letterpaper,10pt,english]{sphinxmanual}
    4 \ifdefined\pdfpxdimen
    5    \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen
    6 \fi \sphinxpxdimen=.75bp\relax
    7 
    8 \usepackage[utf8]{inputenc}
    9 \ifdefined\DeclareUnicodeCharacter
   10  \ifdefined\DeclareUnicodeCharacterAsOptional
   11   \DeclareUnicodeCharacter{"00A0}{\nobreakspace}
   12   \DeclareUnicodeCharacter{"2500}{\sphinxunichar{2500}}
   13   \DeclareUnicodeCharacter{"2502}{\sphinxunichar{2502}}
   14   \DeclareUnicodeCharacter{"2514}{\sphinxunichar{2514}}
   15   \DeclareUnicodeCharacter{"251C}{\sphinxunichar{251C}}
   16   \DeclareUnicodeCharacter{"2572}{\textbackslash}
   17  \else
   18   \DeclareUnicodeCharacter{00A0}{\nobreakspace}
   19   \DeclareUnicodeCharacter{2500}{\sphinxunichar{2500}}
   20   \DeclareUnicodeCharacter{2502}{\sphinxunichar{2502}}
   21   \DeclareUnicodeCharacter{2514}{\sphinxunichar{2514}}
   22   \DeclareUnicodeCharacter{251C}{\sphinxunichar{251C}}
   23   \DeclareUnicodeCharacter{2572}{\textbackslash}
   24  \fi
   25 \fi
   26 \usepackage{cmap}
   27 \usepackage[T1]{fontenc}
   28 \usepackage{amsmath,amssymb,amstext}
   29 \usepackage{babel}
   30 \usepackage{times}
   31 \usepackage[Bjarne]{fncychap}
   32 \usepackage[dontkeepoldnames]{sphinx}
   33 
   34 \usepackage{geometry}
   35 
   36 % Include hyperref last.
   37 \usepackage{hyperref}
   38 % Fix anchor placement for figures with captions.
   39 \usepackage{hypcap}% it must be loaded after hyperref.
   40 % Set up styles of URL: it should be placed after hyperref.
   41 \urlstyle{same}
   42 
   43 \addto\captionsenglish{\renewcommand{\figurename}{Fig.}}
   44 \addto\captionsenglish{\renewcommand{\tablename}{Table}}
   45 \addto\captionsenglish{\renewcommand{\literalblockname}{Listing}}
   46 
   47 \addto\captionsenglish{\renewcommand{\literalblockcontinuedname}{continued from previous page}}
   48 \addto\captionsenglish{\renewcommand{\literalblockcontinuesname}{continues on next page}}
   49 
   50 \addto\extrasenglish{\def\pageautorefname{page}}
   51 
   52 \setcounter{tocdepth}{1}
   53 
   54 
   55 
   56 \title{Kerberos User Guide}
   57 \date{ }
   58 \release{1.18}
   59 \author{MIT}
   60 \newcommand{\sphinxlogo}{\vbox{}}
   61 \renewcommand{\releasename}{Release}
   62 \makeindex
   63 
   64 \begin{document}
   65 
   66 \maketitle
   67 \sphinxtableofcontents
   68 \phantomsection\label{\detokenize{user/index::doc}}
   69 
   70 
   71 
   72 \chapter{Password management}
   73 \label{\detokenize{user/pwd_mgmt:for-users}}\label{\detokenize{user/pwd_mgmt::doc}}\label{\detokenize{user/pwd_mgmt:password-management}}
   74 Your password is the only way Kerberos has of verifying your identity.
   75 If someone finds out your password, that person can masquerade as
   76 you—send email that comes from you, read, edit, or delete your files,
   77 or log into other hosts as you—and no one will be able to tell the
   78 difference.  For this reason, it is important that you choose a good
   79 password, and keep it secret.  If you need to give access to your
   80 account to someone else, you can do so through Kerberos (see
   81 {\hyperref[\detokenize{user/pwd_mgmt:grant-access}]{\sphinxcrossref{\DUrole{std,std-ref}{Granting access to your account}}}}).  You should never tell your password to anyone,
   82 including your system administrator, for any reason.  You should
   83 change your password frequently, particularly any time you think
   84 someone may have found out what it is.
   85 
   86 
   87 \section{Changing your password}
   88 \label{\detokenize{user/pwd_mgmt:changing-your-password}}
   89 To change your Kerberos password, use the {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}} command.
   90 It will ask you for your old password (to prevent someone else from
   91 walking up to your computer when you’re not there and changing your
   92 password), and then prompt you for the new one twice.  (The reason you
   93 have to type it twice is to make sure you have typed it correctly.)
   94 For example, user \sphinxcode{david} would do the following:
   95 
   96 \fvset{hllines={, ,}}%
   97 \begin{sphinxVerbatim}[commandchars=\\\{\}]
   98 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
   99 \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}    \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
  100 \PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:}    \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
  101 \PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password} \PYG{n}{again}\PYG{o}{.}
  102 \PYG{n}{Password} \PYG{n}{changed}\PYG{o}{.}
  103 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  104 \end{sphinxVerbatim}
  105 
  106 If \sphinxcode{david} typed the incorrect old password, he would get the
  107 following message:
  108 
  109 \fvset{hllines={, ,}}%
  110 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  111 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
  112 \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{incorrect} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
  113 \PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect} \PYG{k}{while} \PYG{n}{getting} \PYG{n}{initial} \PYG{n}{ticket}
  114 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  115 \end{sphinxVerbatim}
  116 
  117 If you make a mistake and don’t type the new password the same way
  118 twice, kpasswd will ask you to try again:
  119 
  120 \fvset{hllines={, ,}}%
  121 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  122 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd}
  123 \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.}
  124 \PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
  125 \PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{a} \PYG{n}{different} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.}
  126 \PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{mismatch} \PYG{k}{while} \PYG{n}{reading} \PYG{n}{password}
  127 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  128 \end{sphinxVerbatim}
  129 
  130 Once you change your password, it takes some time for the change to
  131 propagate through the system.  Depending on how your system is set up,
  132 this might be anywhere from a few minutes to an hour or more.  If you
  133 need to get new Kerberos tickets shortly after changing your password,
  134 try the new password.  If the new password doesn’t work, try again
  135 using the old one.
  136 
  137 
  138 \section{Granting access to your account}
  139 \label{\detokenize{user/pwd_mgmt:grant-access}}\label{\detokenize{user/pwd_mgmt:granting-access-to-your-account}}
  140 If you need to give someone access to log into your account, you can
  141 do so through Kerberos, without telling the person your password.
  142 Simply create a file called {\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} in your home directory.
  143 This file should contain the Kerberos principal of each person to whom
  144 you wish to give access.  Each principal must be on a separate line.
  145 Here is a sample .k5login file:
  146 
  147 \fvset{hllines={, ,}}%
  148 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  149 \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  150 \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
  151 \end{sphinxVerbatim}
  152 
  153 This file would allow the users \sphinxcode{jennifer} and \sphinxcode{david} to use your
  154 user ID, provided that they had Kerberos tickets in their respective
  155 realms.  If you will be logging into other hosts across a network, you
  156 will want to include your own Kerberos principal in your .k5login file
  157 on each of these hosts.
  158 
  159 Using a .k5login file is much safer than giving out your password,
  160 because:
  161 \begin{itemize}
  162 \item {} 
  163 You can take access away any time simply by removing the principal
  164 from your .k5login file.
  165 
  166 \item {} 
  167 Although the user has full access to your account on one particular
  168 host (or set of hosts if your .k5login file is shared, e.g., over
  169 NFS), that user does not inherit your network privileges.
  170 
  171 \item {} 
  172 Kerberos keeps a log of who obtains tickets, so a system
  173 administrator could find out, if necessary, who was capable of using
  174 your user ID at a particular time.
  175 
  176 \end{itemize}
  177 
  178 One common application is to have a .k5login file in root’s home
  179 directory, giving root access to that machine to the Kerberos
  180 principals listed.  This allows system administrators to allow users
  181 to become root locally, or to log in remotely as root, without their
  182 having to give out the root password, and without anyone having to
  183 type the root password over the network.
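The following Python is an added example, not part of krb5 or this guide. It models the .k5login rules the section states: one principal per line, exact match grants access, and removing the line revokes it. The syntax check, the treatment of blank lines and the ownership test in k5login_file_ok (regular file owned by the account or by root) are assumptions made for the example; check them against the login program you actually run. The sample file contents are the guide's own two-line example.

```python
"""Read and check a .k5login file as the guide describes it.
Added example; not code from krb5."""
import os
import re
import stat
import tempfile

# Constructed sample: the guide's example .k5login plus a trailing blank line.
SAMPLE_K5LOGIN = "jennifer@ATHENA.MIT.EDU\ndavid@EXAMPLE.COM\n\n"

# Syntax only: name[/instance...]@REALM with exactly one '@' (assumption).
PRINCIPAL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def parse_k5login(text):
    """Return (principals, bad_lines). Blank lines are skipped; a line that
    does not look like a principal is reported instead of silently trusted."""
    principals, bad_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if PRINCIPAL_RE.match(line):
            principals.append(line)
        else:
            bad_lines.append((lineno, raw))
    return principals, bad_lines


def is_authorized(principal, text):
    """Exact, case-sensitive match: realm names are case-sensitive, so
    david@example.com does not match david@EXAMPLE.COM."""
    principals, _ = parse_k5login(text)
    return principal in principals


def revoke(text, principal):
    """Take access away by removing the principal's line, which is the
    guide's first reason .k5login is safer than handing out a password."""
    kept = [line for line in text.splitlines() if line.strip() != principal]
    return "\n".join(kept) + "\n"


def k5login_file_ok(path, owner_uid):
    """Assumed file-level check: a regular file owned by the account itself
    or by root. Whoever can write this file can grant themselves the
    account, so ownership matters as much as the contents."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return st.st_uid in (owner_uid, 0)


def demo():
    """Run the checks on the constructed sample and return the outcomes."""
    principals, bad = parse_k5login(SAMPLE_K5LOGIN)
    after = revoke(SAMPLE_K5LOGIN, "david@EXAMPLE.COM")
    fd, path = tempfile.mkstemp()  # owned by us, so the ownership check passes
    os.close(fd)
    try:
        file_ok = k5login_file_ok(path, os.getuid())
    finally:
        os.unlink(path)
    return {
        "principals": principals,
        "bad_lines": bad,
        "jennifer_ok": is_authorized("jennifer@ATHENA.MIT.EDU", SAMPLE_K5LOGIN),
        "wrong_realm_case": is_authorized("david@example.com", SAMPLE_K5LOGIN),
        "david_after_revoke": is_authorized("david@EXAMPLE.COM", after),
        "file_ok": file_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership check is kept separate from the parsing so the same parser can be used on a file read from another host's home directory, where the third bullet above (the system administrator reconstructing who could use the account at a given time) is the question being answered.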
  184 
  185 
  186 \section{Password quality verification}
  187 \label{\detokenize{user/pwd_mgmt:password-quality-verification}}
  188 TODO
  189 
  190 
  191 \chapter{Ticket management}
  192 \label{\detokenize{user/tkt_mgmt:ticket-management}}\label{\detokenize{user/tkt_mgmt::doc}}
  193 On many systems, Kerberos is built into the login program, and you get
  194 tickets automatically when you log in.  Other programs, such as ssh,
  195 can forward copies of your tickets to a remote host.  Most of these
  196 programs also automatically destroy your tickets when they exit.
  197 However, MIT recommends that you explicitly destroy your Kerberos
  198 tickets when you are through with them, just to be sure.  One way to
  199 help ensure that this happens is to add the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} command
  200 to your .logout file.  Additionally, if you are going to be away from
  201 your machine and are concerned about an intruder using your
  202 permissions, it is safest to either destroy all copies of your
  203 tickets, or use a screensaver that locks the screen.
  204 
  205 
  206 \section{Kerberos ticket properties}
  207 \label{\detokenize{user/tkt_mgmt:kerberos-ticket-properties}}
  208 There are various properties that Kerberos tickets can have:
  209 
  210 If a ticket is \sphinxstylestrong{forwardable}, then the KDC can issue a new ticket
  211 (with a different network address, if necessary) based on the
  212 forwardable ticket.  This allows for authentication forwarding without
  213 requiring a password to be typed in again.  For example, if a user
  214 with a forwardable TGT logs into a remote system, the KDC could issue
  215 a new TGT for that user with the network address of the remote system,
  216 allowing authentication on that host to work as though the user were
  217 logged in locally.
  218 
  219 When the KDC creates a new ticket based on a forwardable ticket, it
  220 sets the \sphinxstylestrong{forwarded} flag on that new ticket.  Any tickets that are
  221 created based on a ticket with the forwarded flag set will also have
  222 their forwarded flags set.
  223 
  224 A \sphinxstylestrong{proxiable} ticket is similar to a forwardable ticket in that it
  225 allows a service to take on the identity of the client.  Unlike a
  226 forwardable ticket, however, a proxiable ticket is only issued for
  227 specific services.  In other words, a ticket-granting ticket cannot be
  228 issued based on a ticket that is proxiable but not forwardable.
  229 
  230 A \sphinxstylestrong{proxy} ticket is one that was issued based on a proxiable ticket.
  231 
  232 A \sphinxstylestrong{postdated} ticket is issued with the invalid flag set.  After the
  233 starting time listed on the ticket, it can be presented to the KDC to
  234 obtain valid tickets.
  235 
  236 Ticket-granting tickets with the \sphinxstylestrong{postdateable} flag set can be used
  237 to obtain postdated service tickets.
  238 
  239 \sphinxstylestrong{Renewable} tickets can be used to obtain new session keys without
  240 the user entering their password again.  A renewable ticket has two
  241 expiration times.  The first is the time at which this particular
  242 ticket expires.  The second is the latest possible expiration time for
  243 any ticket issued based on this renewable ticket.
  244 
  245 A ticket with the \sphinxstylestrong{initial flag} set was issued based on the
  246 authentication protocol, and not on a ticket-granting ticket.
  247 Application servers that wish to ensure that the user’s key has been
  248 recently presented for verification could specify that this flag must
  249 be set to accept the ticket.
  250 
  251 An \sphinxstylestrong{invalid} ticket must be rejected by application servers.
  252 Postdated tickets are usually issued with this flag set, and must be
  253 validated by the KDC before they can be used.
  254 
  255 A \sphinxstylestrong{preauthenticated} ticket is one that was only issued after the
  256 client requesting the ticket had authenticated itself to the KDC.
  257 
  258 The \sphinxstylestrong{hardware authentication} flag is set on a ticket which required
  259 the use of hardware for authentication.  The hardware is expected to
  260 be possessed only by the client which requested the tickets.
  261 
  262 If a ticket has the \sphinxstylestrong{transit policy} checked flag set, then the KDC
  263 that issued this ticket implements the transited-realm check policy
  264 and checked the transited-realms list on the ticket.  The
  265 transited-realms list contains a list of all intermediate realms
  266 between the realm of the KDC that issued the first ticket and that of
  267 the one that issued the current ticket.  If this flag is not set, then
  268 the application server must check the transited realms itself or else
  269 reject the ticket.
  270 
  271 The \sphinxstylestrong{okay as delegate} flag indicates that the server specified in
  272 the ticket is suitable as a delegate as determined by the policy of
  273 that realm.  Some client applications may use this flag to decide
  274 whether to forward tickets to a remote host, although many
  275 applications do not honor it.
  276 
  277 An \sphinxstylestrong{anonymous} ticket is one in which the named principal is a
  278 generic principal for that realm; it does not actually specify the
  279 individual that will be using the ticket.  This ticket is meant only
  280 to securely distribute a session key.
  281 
  282 
  283 \section{Obtaining tickets with kinit}
  284 \label{\detokenize{user/tkt_mgmt:obtaining-tickets-with-kinit}}\label{\detokenize{user/tkt_mgmt:obtain-tkt}}
  285 If your site has integrated Kerberos V5 with the login system, you
  286 will get Kerberos tickets automatically when you log in.  Otherwise,
  287 you may need to explicitly obtain your Kerberos tickets, using the
  288 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} program.  Similarly, if your Kerberos tickets expire,
  289 use the kinit program to obtain new ones.
  290 
  291 To use the kinit program, simply type \sphinxcode{kinit} and then type your
  292 password at the prompt. For example, Jennifer (whose username is
  293 \sphinxcode{jennifer}) works for Bleep, Inc. (a fictitious company with the
  294 domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU).  She would
  295 type:
  296 
  297 \fvset{hllines={, ,}}%
  298 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  299 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit}
  300 \PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{jennifer}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
  301 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  302 \end{sphinxVerbatim}
  303 
  304 If you type your password incorrectly, kinit will give you the
  305 following error message:
  306 
  307 \fvset{hllines={, ,}}%
  308 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  309 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit}
  310 \PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{the} \PYG{n}{wrong} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]}
  311 \PYG{n}{kinit}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect}
  312 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  313 \end{sphinxVerbatim}
  314 
  315 and you won’t get Kerberos tickets.
  316 
  317 By default, kinit assumes you want tickets for your own username in
  318 your default realm.  Suppose Jennifer’s friend David is visiting, and
  319 he wants to borrow a window to check his mail.  David needs to get
  320 tickets for himself in his own realm, EXAMPLE.COM.  He would type:
  321 
  322 \fvset{hllines={, ,}}%
  323 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  324 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
  325 \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
  326 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  327 \end{sphinxVerbatim}
  328 
  329 David would then have tickets which he could use to log onto his own
  330 machine.  Note that he typed his password locally on Jennifer’s
  331 machine, but it never went over the network.  Kerberos on the local
  332 host performed the authentication to the KDC in the other realm.
  333 
  334 If you want to be able to forward your tickets to another host, you
  335 need to request forwardable tickets.  You do this by specifying the
  336 \sphinxstylestrong{-f} option:
  337 
  338 \fvset{hllines={, ,}}%
  339 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  340 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
  341 \PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{your} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]}
  342 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  343 \end{sphinxVerbatim}
  344 
  345 Note that kinit does not tell you that it obtained forwardable
  346 tickets; you can verify this using the {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command (see
  347 {\hyperref[\detokenize{user/tkt_mgmt:view-tkt}]{\sphinxcrossref{\DUrole{std,std-ref}{Viewing tickets with klist}}}}).
  348 
  349 Normally, your tickets are good for your system’s default ticket
  350 lifetime, which is ten hours on many systems.  You can specify a
  351 different ticket lifetime with the \sphinxstylestrong{-l} option.  Add the letter
  352 \sphinxstylestrong{s} to the value for seconds, \sphinxstylestrong{m} for minutes, \sphinxstylestrong{h} for hours, or
  353 \sphinxstylestrong{d} for days.  For example, to obtain forwardable tickets for
  354 \sphinxcode{david@EXAMPLE.COM} that would be good for three hours, you would
  355 type:
  356 
  357 \fvset{hllines={, ,}}%
  358 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  359 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3}\PYG{n}{h} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
  360 \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]}
  361 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  362 \end{sphinxVerbatim}
  363 
  364 \begin{sphinxadmonition}{note}{Note:}
  365 You cannot mix units; specifying a lifetime of 3h30m would
  366 result in an error.  Note also that most systems specify a
  367 maximum ticket lifetime.  If you request a longer ticket
  368 lifetime, it will be automatically truncated to the maximum
  369 lifetime.
  370 \end{sphinxadmonition}
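The following Python is an added example, not kinit's own option parser. It encodes the lifetime rules stated above: a number followed by one of s, m, h or d, no mixed units (3h30m is an error), and a requested lifetime longer than the site maximum is truncated rather than rejected. Rejecting a bare number with no unit, and the ten-hour maximum used in demo(), are assumptions for the example.

```python
"""Model of the kinit -l lifetime rules from the guide.
Added example; not code from krb5."""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Exactly one integer followed by exactly one unit letter.
LIFETIME_RE = re.compile(r"^(\d+)([smhd])$")


def parse_lifetime(value):
    """'3h' -> 10800 seconds; '3h30m', '3' and '' raise ValueError."""
    m = LIFETIME_RE.match(value.strip())
    if m is None:
        raise ValueError(
            f"bad lifetime {value!r}: use a number and a single unit s, m, h or d")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def effective_lifetime(requested, max_lifetime):
    """The KDC truncates a request that exceeds the maximum; it does not refuse it."""
    return min(requested, max_lifetime)


def build_kinit_argv(principal=None, forwardable=False, lifetime=None):
    """Assemble the argv behind the guide's examples, e.g.
    kinit -f -l 3h david@EXAMPLE.COM. The lifetime is validated up front so a
    mixed-unit typo fails before anyone is asked for a password."""
    argv = ["kinit"]
    if forwardable:
        argv.append("-f")
    if lifetime is not None:
        parse_lifetime(lifetime)  # raises on '3h30m'
        argv += ["-l", lifetime]
    if principal is not None:
        argv.append(principal)
    return argv


def demo(max_lifetime="10h"):
    """Worked figures: 3h requested against an assumed ten-hour maximum,
    then a 2d request that gets truncated, then the mixed-unit error."""
    maximum = parse_lifetime(max_lifetime)
    results = {
        "3h": effective_lifetime(parse_lifetime("3h"), maximum),
        "2d": effective_lifetime(parse_lifetime("2d"), maximum),
        "argv": build_kinit_argv("david@EXAMPLE.COM", forwardable=True,
                                 lifetime="3h"),
    }
    try:
        parse_lifetime("3h30m")
        results["3h30m"] = "accepted"
    except ValueError as err:
        results["3h30m"] = str(err)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```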
  371 
  372 
  373 \section{Viewing tickets with klist}
  374 \label{\detokenize{user/tkt_mgmt:viewing-tickets-with-klist}}\label{\detokenize{user/tkt_mgmt:view-tkt}}
  375 The {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command shows your tickets.  When you first obtain
  376 tickets, you will have only the ticket-granting ticket.  The listing
  377 would look like this:
  378 
  379 \fvset{hllines={, ,}}%
  380 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  381 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
  382 \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
  383 \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  384 
  385 \PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
  386 \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  387 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  388 \end{sphinxVerbatim}
  389 
  390 The ticket cache is the location of your ticket file. In the above
  391 example, this file is named \sphinxcode{/tmp/krb5cc\_ttypa}. The default
  392 principal is your Kerberos principal.
  393 
  394 The “valid starting” and “expires” fields describe the period of time
  395 during which the ticket is valid.  The “service principal” describes
  396 each ticket.  The ticket-granting ticket has a first component
  397 \sphinxcode{krbtgt}, and a second component which is the realm name.
  398 
   399 Now, if \sphinxcode{jennifer} connected to the machine \sphinxcode{daffodil.mit.edu}
   400 and then typed “klist” again, she would get the following
   401 result:
  402 
  403 \fvset{hllines={, ,}}%
  404 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  405 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
  406 \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
  407 \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  408 
  409 \PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
  410 \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  411 \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  412 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  413 \end{sphinxVerbatim}
  414 
  415 Here’s what happened: when \sphinxcode{jennifer} used ssh to connect to the
  416 host \sphinxcode{daffodil.mit.edu}, the ssh program presented her
  417 ticket-granting ticket to the KDC and requested a host ticket for the
  418 host \sphinxcode{daffodil.mit.edu}.  The KDC sent the host ticket, which ssh
  419 then presented to the host \sphinxcode{daffodil.mit.edu}, and she was allowed
  420 to log in without typing her password.
  421 
  422 Suppose your Kerberos tickets allow you to log into a host in another
  423 domain, such as \sphinxcode{trillium.example.com}, which is also in another
  424 Kerberos realm, \sphinxcode{EXAMPLE.COM}.  If you ssh to this host, you will
  425 receive a ticket-granting ticket for the realm \sphinxcode{EXAMPLE.COM}, plus
  426 the new host ticket for \sphinxcode{trillium.example.com}.  klist will now
  427 show:
  428 
  429 \fvset{hllines={, ,}}%
  430 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  431 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist}
  432 \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa}
  433 \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  434 
  435 \PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
  436 \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  437 \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  438 \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  439 \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18}  \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
  440 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  441 \end{sphinxVerbatim}
  442 
  443 Depending on your host’s and realm’s configuration, you may also see a
  444 ticket with the service principal \sphinxcode{host/trillium.example.com@}.  If
  445 so, this means that your host did not know what realm
  446 trillium.example.com is in, so it asked the \sphinxcode{ATHENA.MIT.EDU} KDC for
  447 a referral.  The next time you connect to \sphinxcode{trillium.example.com},
  448 the odd-looking entry will be used to avoid needing to ask for a
  449 referral again.
  450 
  451 You can use the \sphinxstylestrong{-f} option to view the flags that apply to your
  452 tickets.  The flags are:
  453 
  454 
  455 \begin{savenotes}\sphinxattablestart
  456 \centering
  457 \begin{tabulary}{\linewidth}[t]{|T|T|}
  458 \hline
  459 
  460 F
  461 &
  462 Forwardable
  463 \\
  464 \hline
  465 f
  466 &
  467 forwarded
  468 \\
  469 \hline
  470 P
  471 &
  472 Proxiable
  473 \\
  474 \hline
  475 p
  476 &
  477 proxy
  478 \\
  479 \hline
  480 D
  481 &
  482 postDateable
  483 \\
  484 \hline
  485 d
  486 &
  487 postdated
  488 \\
  489 \hline
  490 R
  491 &
  492 Renewable
  493 \\
  494 \hline
  495 I
  496 &
  497 Initial
  498 \\
  499 \hline
  500 i
  501 &
  502 invalid
  503 \\
  504 \hline
  505 H
  506 &
  507 Hardware authenticated
  508 \\
  509 \hline
  510 A
  511 &
  512 preAuthenticated
  513 \\
  514 \hline
  515 T
  516 &
  517 Transit policy checked
  518 \\
  519 \hline
  520 O
  521 &
  522 Okay as delegate
  523 \\
  524 \hline
  525 a
  526 &
  527 anonymous
  528 \\
  529 \hline
  530 \end{tabulary}
  531 \par
  532 \sphinxattableend\end{savenotes}
  533 
  534 Here is a sample listing.  In this example, the user \sphinxstyleemphasis{jennifer}
  535 obtained her initial tickets (\sphinxstylestrong{I}), which are forwardable (\sphinxstylestrong{F})
  536 and postdated (\sphinxstylestrong{d}) but not yet validated (\sphinxstylestrong{i}):
  537 
  538 \fvset{hllines={, ,}}%
  539 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  540 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
  541 \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}320}
  542 \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  543 
  544 \PYG{n}{Valid} \PYG{n}{starting}      \PYG{n}{Expires}             \PYG{n}{Service} \PYG{n}{principal}
  545 \PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{06}\PYG{p}{:}\PYG{l+m+mi}{25}  \PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{25}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  546         \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{FdiI}
  547 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  548 \end{sphinxVerbatim}
  549 
  550 In the following example, the user \sphinxstyleemphasis{david}’s tickets were forwarded
  551 (\sphinxstylestrong{f}) to this host from another host.  The tickets are reforwardable
  552 (\sphinxstylestrong{F}):
  553 
  554 \fvset{hllines={, ,}}%
  555 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  556 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f}
  557 \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}p11795}
  558 \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
  559 
  560 \PYG{n}{Valid} \PYG{n}{starting}     \PYG{n}{Expires}            \PYG{n}{Service} \PYG{n}{principal}
  561 \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{52}\PYG{p}{:}\PYG{l+m+mi}{29}  \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23}  \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
  562         \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff}
  563 \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{03}\PYG{p}{:}\PYG{l+m+mi}{48}  \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23}  \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
  564         \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff}
  565 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  566 \end{sphinxVerbatim}
  567 
  568 
  569 \section{Destroying tickets with kdestroy}
  570 \label{\detokenize{user/tkt_mgmt:destroying-tickets-with-kdestroy}}
  571 Your Kerberos tickets are proof that you are indeed yourself, and
  572 tickets could be stolen if someone gains access to a computer where
  573 they are stored.  If this happens, the person who has them can
  574 masquerade as you until they expire.  For this reason, you should
  575 destroy your Kerberos tickets when you are away from your computer.
  576 
  577 Destroying your tickets is easy.  Simply type kdestroy:
  578 
  579 \fvset{hllines={, ,}}%
  580 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  581 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy}
  582 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  583 \end{sphinxVerbatim}
  584 
  585 If {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} fails to destroy your tickets, it will beep and
  586 give an error message.  For example, if kdestroy can’t find any
  587 tickets to destroy, it will give the following message:
  588 
  589 \fvset{hllines={, ,}}%
  590 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  591 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy}
  592 \PYG{n}{kdestroy}\PYG{p}{:} \PYG{n}{No} \PYG{n}{credentials} \PYG{n}{cache} \PYG{n}{file} \PYG{n}{found} \PYG{k}{while} \PYG{n}{destroying} \PYG{n}{cache}
  593 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  594 \end{sphinxVerbatim}
  595 
  596 
  597 \chapter{User config files}
  598 \label{\detokenize{user/user_config/index::doc}}\label{\detokenize{user/user_config/index:user-config-files}}
  599 The following files in your home directory can be used to control the
  600 behavior of Kerberos as it applies to your account (unless they have
  601 been disabled by your host’s configuration):
  602 
  603 
  604 \section{kerberos}
  605 \label{\detokenize{user/user_config/kerberos:kerberos-7}}\label{\detokenize{user/user_config/kerberos:kerberos}}\label{\detokenize{user/user_config/kerberos::doc}}
  606 
  607 \subsection{DESCRIPTION}
  608 \label{\detokenize{user/user_config/kerberos:description}}
  609 The Kerberos system authenticates individual users in a network
  610 environment.  After authenticating yourself to Kerberos, you can use
  611 Kerberos-enabled programs without having to present passwords or
  612 certificates to those programs.
  613 
  614 If you receive the following response from {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}:
  615 
  616 kinit: Client not found in Kerberos database while getting initial
  617 credentials
  618 
  619 you haven’t been registered as a Kerberos user.  See your system
  620 administrator.
  621 
  622 A Kerberos name usually contains three parts.  The first is the
  623 \sphinxstylestrong{primary}, which is usually a user’s or service’s name.  The second
  624 is the \sphinxstylestrong{instance}, which in the case of a user is usually null.
  625 Some users may have privileged instances, however, such as \sphinxcode{root} or
  626 \sphinxcode{admin}.  In the case of a service, the instance is the fully
  627 qualified name of the machine on which it runs; i.e. there can be an
   628 ssh service running on the machine ABC (\sphinxcode{ssh/ABC@REALM}), which is
   629 different from the ssh service running on the machine XYZ
   630 (\sphinxcode{ssh/XYZ@REALM}).  The third part of a Kerberos name is the \sphinxstylestrong{realm}.
  631 The realm corresponds to the Kerberos service providing authentication
  632 for the principal.  Realms are conventionally all-uppercase, and often
  633 match the end of hostnames in the realm (for instance, host01.example.com
  634 might be in realm EXAMPLE.COM).
  635 
  636 When writing a Kerberos name, the principal name is separated from the
  637 instance (if not null) by a slash, and the realm (if not the local
  638 realm) follows, preceded by an “@” sign.  The following are examples
  639 of valid Kerberos names:
  640 
  641 \fvset{hllines={, ,}}%
  642 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  643 \PYG{n}{david}
  644 \PYG{n}{jennifer}\PYG{o}{/}\PYG{n}{admin}
  645 \PYG{n}{joeuser}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
  646 \PYG{n}{cbrown}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@FUBAR}\PYG{o}{.}\PYG{n}{ORG}
  647 \end{sphinxVerbatim}
  648 
  649 When you authenticate yourself with Kerberos you get an initial
  650 Kerberos \sphinxstylestrong{ticket}.  (A Kerberos ticket is an encrypted protocol
  651 message that provides authentication.)  Kerberos uses this ticket for
  652 network utilities such as ssh.  The ticket transactions are done
  653 transparently, so you don’t have to worry about their management.
  654 
  655 Note, however, that tickets expire.  Administrators may configure more
  656 privileged tickets, such as those with service or instance of \sphinxcode{root}
  657 or \sphinxcode{admin}, to expire in a few minutes, while tickets that carry
  658 more ordinary privileges may be good for several hours or a day.  If
  659 your login session extends beyond the time limit, you will have to
  660 re-authenticate yourself to Kerberos to get new tickets using the
  661 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} command.
  662 
  663 Some tickets are \sphinxstylestrong{renewable} beyond their initial lifetime.  This
  664 means that \sphinxcode{kinit -R} can extend their lifetime without requiring
  665 you to re-authenticate.
  666 
  667 If you wish to delete your local tickets, use the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}
  668 command.
  669 
  670 Kerberos tickets can be forwarded.  In order to forward tickets, you
  671 must request \sphinxstylestrong{forwardable} tickets when you kinit.  Once you have
  672 forwardable tickets, most Kerberos programs have a command line option
  673 to forward them to the remote host.  This can be useful for, e.g.,
  674 running kinit on your local machine and then sshing into another to do
  675 work.  Note that this should not be done on untrusted machines since
  676 they will then have your tickets.
  677 
  678 
  679 \subsection{ENVIRONMENT VARIABLES}
  680 \label{\detokenize{user/user_config/kerberos:environment-variables}}
  681 Several environment variables affect the operation of Kerberos-enabled
  682 programs.  These include:
  683 \begin{description}
  684 \item[{\sphinxstylestrong{KRB5CCNAME}}] \leavevmode
  685 Default name for the credentials cache file, in the form
  686 \sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}.  The type of the default cache may determine
  687 the availability of a cache collection.  \sphinxcode{FILE} is not a
  688 collection type; \sphinxcode{KEYRING}, \sphinxcode{DIR}, and \sphinxcode{KCM} are.
  689 
  690 If not set, the value of \sphinxstylestrong{default\_ccache\_name} from
  691 configuration files (see \sphinxstylestrong{KRB5\_CONFIG}) will be used.  If that
  692 is also not set, the default \sphinxstyleemphasis{type} is \sphinxcode{FILE}, and the
  693 \sphinxstyleemphasis{residual} is the path /tmp/krb5cc\_*uid*, where \sphinxstyleemphasis{uid} is the
  694 decimal user ID of the user.
  695 
  696 \item[{\sphinxstylestrong{KRB5\_KTNAME}}] \leavevmode
  697 Specifies the location of the default keytab file, in the form
  698 \sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}.  If no \sphinxstyleemphasis{type} is present, the \sphinxstylestrong{FILE} type is
  699 assumed and \sphinxstyleemphasis{residual} is the pathname of the keytab file.  If
  700 unset, \DUrole{xref,std,std-ref}{DEFKTNAME} will be used.
  701 
  702 \item[{\sphinxstylestrong{KRB5\_CONFIG}}] \leavevmode
  703 Specifies the location of the Kerberos configuration file.  The
  704 default is \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{/krb5.conf}.  Multiple filenames can
  705 be specified, separated by a colon; all files which are present
  706 will be read.
  707 
  708 \item[{\sphinxstylestrong{KRB5\_KDC\_PROFILE}}] \leavevmode
  709 Specifies the location of the KDC configuration file, which
  710 contains additional configuration directives for the Key
  711 Distribution Center daemon and associated programs.  The default
  712 is \DUrole{xref,std,std-ref}{LOCALSTATEDIR}\sphinxcode{/krb5kdc}\sphinxcode{/kdc.conf}.
  713 
  714 \item[{\sphinxstylestrong{KRB5RCACHENAME}}] \leavevmode
  715 (New in release 1.18) Specifies the location of the default replay
  716 cache, in the form \sphinxstyleemphasis{type}:\sphinxstyleemphasis{residual}.  The \sphinxcode{file2} type with a
  717 pathname residual specifies a replay cache file in the version-2
  718 format in the specified location.  The \sphinxcode{none} type (residual is
  719 ignored) disables the replay cache.  The \sphinxcode{dfl} type (residual is
  720 ignored) indicates the default, which uses a file2 replay cache in
  721 a temporary directory.  The default is \sphinxcode{dfl:}.
  722 
  723 \item[{\sphinxstylestrong{KRB5RCACHETYPE}}] \leavevmode
  724 Specifies the type of the default replay cache, if
  725 \sphinxstylestrong{KRB5RCACHENAME} is unspecified.  No residual can be specified,
  726 so \sphinxcode{none} and \sphinxcode{dfl} are the only useful types.
  727 
  728 \item[{\sphinxstylestrong{KRB5RCACHEDIR}}] \leavevmode
  729 Specifies the directory used by the \sphinxcode{dfl} replay cache type.
  730 The default is the value of the \sphinxstylestrong{TMPDIR} environment variable,
  731 or \sphinxcode{/var/tmp} if \sphinxstylestrong{TMPDIR} is not set.
  732 
  733 \item[{\sphinxstylestrong{KRB5\_TRACE}}] \leavevmode
  734 Specifies a filename to write trace log output to.  Trace logs can
  735 help illuminate decisions made internally by the Kerberos
  736 libraries.  For example, \sphinxcode{env KRB5\_TRACE=/dev/stderr kinit}
  737 would send tracing information for {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} to
  738 \sphinxcode{/dev/stderr}.  The default is not to write trace log output
  739 anywhere.
  740 
  741 \item[{\sphinxstylestrong{KRB5\_CLIENT\_KTNAME}}] \leavevmode
   742 Default client keytab file name.  If unset, \DUrole{xref,std,std-ref}{DEFCKTNAME} will be
   743 used.
  744 
  745 \item[{\sphinxstylestrong{KPROP\_PORT}}] \leavevmode
  746 \DUrole{xref,std,std-ref}{kprop(8)} port to use.  Defaults to 754.
  747 
  748 \item[{\sphinxstylestrong{GSS\_MECH\_CONFIG}}] \leavevmode
  749 Specifies a filename containing GSSAPI mechanism module
  750 configuration.  The default is to read \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{/gss/mech}
  751 and files with a \sphinxcode{.conf} suffix within the directory
  752 \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{/gss/mech.d}.
  753 
  754 \end{description}
  755 
  756 Most environment variables are disabled for certain programs, such as
  757 login system programs and setuid programs, which are designed to be
  758 secure when run within an untrusted process environment.
  759 
  760 
  761 \subsection{SEE ALSO}
  762 \label{\detokenize{user/user_config/kerberos:see-also}}
  763 {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}},
  764 {\hyperref[\detokenize{user/user_commands/kswitch:kswitch-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kswitch}}}}, {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}}, {\hyperref[\detokenize{user/user_commands/ksu:ksu-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ksu}}}},
  765 \DUrole{xref,std,std-ref}{krb5.conf(5)}, \DUrole{xref,std,std-ref}{kdc.conf(5)}, \DUrole{xref,std,std-ref}{kadmin(1)},
  766 \DUrole{xref,std,std-ref}{kadmind(8)}, \DUrole{xref,std,std-ref}{kdb5\_util(8)}, \DUrole{xref,std,std-ref}{krb5kdc(8)}
  767 
  768 
  769 \subsection{BUGS}
  770 \label{\detokenize{user/user_config/kerberos:bugs}}
  771 
  772 \subsection{AUTHORS}
  773 \label{\detokenize{user/user_config/kerberos:authors}}
  774 \begin{DUlineblock}{0em}
  775 \item[] Steve Miller, MIT Project Athena/Digital Equipment Corporation
  776 \item[] Clifford Neuman, MIT Project Athena
  777 \item[] Greg Hudson, MIT Kerberos Consortium
  778 \item[] Robbie Harwood, Red Hat, Inc.
  779 \end{DUlineblock}
  780 
  781 
  782 \subsection{HISTORY}
  783 \label{\detokenize{user/user_config/kerberos:history}}
  784 The MIT Kerberos 5 implementation was developed at MIT, with
  785 contributions from many outside parties.  It is currently maintained
  786 by the MIT Kerberos Consortium.
  787 
  788 
  789 \subsection{RESTRICTIONS}
  790 \label{\detokenize{user/user_config/kerberos:restrictions}}
   791 Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Massachusetts
  792 Institute of Technology
  793 
  794 
  795 \section{.k5login}
  796 \label{\detokenize{user/user_config/k5login:k5login-5}}\label{\detokenize{user/user_config/k5login:k5login}}\label{\detokenize{user/user_config/k5login::doc}}
  797 
  798 \subsection{DESCRIPTION}
  799 \label{\detokenize{user/user_config/k5login:description}}
  800 The .k5login file, which resides in a user’s home directory, contains
  801 a list of the Kerberos principals.  Anyone with valid tickets for a
  802 principal in the file is allowed host access with the UID of the user
  803 in whose home directory the file resides.  One common use is to place
  804 a .k5login file in root’s home directory, thereby granting system
  805 administrators remote root access to the host via Kerberos.
  806 
  807 
  808 \subsection{EXAMPLES}
  809 \label{\detokenize{user/user_config/k5login:examples}}
  810 Suppose the user \sphinxcode{alice} had a .k5login file in her home directory
  811 containing just the following line:
  812 
  813 \fvset{hllines={, ,}}%
  814 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  815 \PYG{n}{bob}\PYG{n+nd}{@FOOBAR}\PYG{o}{.}\PYG{n}{ORG}
  816 \end{sphinxVerbatim}
  817 
  818 This would allow \sphinxcode{bob} to use Kerberos network applications, such as
  819 ssh(1), to access \sphinxcode{alice}’s account, using \sphinxcode{bob}’s Kerberos
  820 tickets.  In a default configuration (with \sphinxstylestrong{k5login\_authoritative} set
  821 to true in \DUrole{xref,std,std-ref}{krb5.conf(5)}), this .k5login file would not let
  822 \sphinxcode{alice} use those network applications to access her account, since
  823 she is not listed!  With no .k5login file, or with \sphinxstylestrong{k5login\_authoritative}
  824 set to false, a default rule would permit the principal \sphinxcode{alice} in the
  825 machine’s default realm to access the \sphinxcode{alice} account.
  826 
  827 Let us further suppose that \sphinxcode{alice} is a system administrator.
  828 Alice and the other system administrators would have their principals
  829 in root’s .k5login file on each host:
  830 
  831 \fvset{hllines={, ,}}%
  832 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  833 \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
  834 
  835 \PYG{n}{joeadmin}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
  836 \end{sphinxVerbatim}
  837 
  838 This would allow either system administrator to log in to these hosts
  839 using their Kerberos tickets instead of having to type the root
  840 password.  Note that because \sphinxcode{bob} retains the Kerberos tickets for
  841 his own principal, \sphinxcode{bob@FOOBAR.ORG}, he would not have any of the
  842 privileges that require \sphinxcode{alice}’s tickets, such as root access to
  843 any of the site’s hosts, or the ability to change \sphinxcode{alice}’s
  844 password.
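The access rule described above, as an added Python model (not MIT krb5 code): it reproduces the listed-principal check and the \sphinxstylestrong{k5login\_authoritative} behaviour on the two .k5login files shown, assuming BLEEP.COM as the machine's default realm, and ignores everything else a real login program checks (auth\_to\_local rules, account validity).

```python
"""Model of the .k5login access rule described in k5login(5).

Added example; this is not MIT krb5 code, and it ignores auth_to_local
rules and the other checks a real login program performs.  Rules modelled:
  * any principal listed in ~user/.k5login may log in as that user;
  * with k5login_authoritative = true (the default) the file is the only
    rule, so an unlisted principal is refused, even the user's own;
  * with no .k5login file, or k5login_authoritative = false, the default
    rule also admits <user>@<default realm>.
"""
from typing import List, Optional

# Constructed copies of the two .k5login files shown in the text.
ALICE_K5LOGIN = "bob@FOOBAR.ORG\n"
ROOT_K5LOGIN = "alice@BLEEP.COM\n\njoeadmin/root@BLEEP.COM\n"


def parse_k5login(text: str) -> List[str]:
    """Return the principals listed in a .k5login file, one per non-blank line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def k5login_permits(local_user: str, client_principal: str, default_realm: str,
                    k5login: Optional[str], k5login_authoritative: bool = True) -> bool:
    """Decide whether client_principal may access local_user's account.

    k5login is the content of the user's .k5login file, or None when the
    file does not exist.
    """
    if k5login is not None:
        if client_principal in parse_k5login(k5login):
            return True          # explicitly listed
        if k5login_authoritative:
            return False         # the file is the whole rule: nobody else
    # Default rule: the same-named principal in the machine's default realm.
    return client_principal == f"{local_user}@{default_realm}"


if __name__ == "__main__":
    # Assumed default realm: BLEEP.COM.
    checks = [
        ("alice", "bob@FOOBAR.ORG", ALICE_K5LOGIN, True),
        ("alice", "alice@BLEEP.COM", ALICE_K5LOGIN, True),
        ("alice", "alice@BLEEP.COM", ALICE_K5LOGIN, False),
        ("alice", "alice@BLEEP.COM", None, True),
        ("root", "alice@BLEEP.COM", ROOT_K5LOGIN, True),
        ("root", "bob@FOOBAR.ORG", ROOT_K5LOGIN, True),
    ]
    for user, princ, content, authoritative in checks:
        ok = k5login_permits(user, princ, "BLEEP.COM", content, authoritative)
        verdict = "allow" if ok else "deny"
        print(f"{princ:>24} -> {user:<5} authoritative={authoritative!s:<5} {verdict}")
```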
  845 
  846 
  847 \subsection{SEE ALSO}
  848 \label{\detokenize{user/user_config/k5login:see-also}}
  849 kerberos(1)
  850 
  851 
  852 \section{.k5identity}
  853 \label{\detokenize{user/user_config/k5identity:k5identity-5}}\label{\detokenize{user/user_config/k5identity:k5identity}}\label{\detokenize{user/user_config/k5identity::doc}}
  854 
  855 \subsection{DESCRIPTION}
  856 \label{\detokenize{user/user_config/k5identity:description}}
  857 The .k5identity file, which resides in a user’s home directory,
   858 contains a list of rules for selecting a client principal based on
  859 the server being accessed.  These rules are used to choose a
  860 credential cache within the cache collection when possible.
  861 
  862 Blank lines and lines beginning with \sphinxcode{\#} are ignored.  Each line has
  863 the form:
  864 \begin{quote}
  865 
  866 \sphinxstyleemphasis{principal} \sphinxstyleemphasis{field}=\sphinxstyleemphasis{value}
  867 \end{quote}
  868 
  869 If the server principal meets all of the field constraints, then
  870 principal is chosen as the client principal.  The following fields are
  871 recognized:
  872 \begin{description}
  873 \item[{\sphinxstylestrong{realm}}] \leavevmode
  874 If the realm of the server principal is known, it is matched
  875 against \sphinxstyleemphasis{value}, which may be a pattern using shell wildcards.
  876 For host-based server principals, the realm will generally only be
  877 known if there is a \DUrole{xref,std,std-ref}{domain\_realm} section in
  878 \DUrole{xref,std,std-ref}{krb5.conf(5)} with a mapping for the hostname.
  879 
  880 \item[{\sphinxstylestrong{service}}] \leavevmode
  881 If the server principal is a host-based principal, its service
  882 component is matched against \sphinxstyleemphasis{value}, which may be a pattern using
  883 shell wildcards.
  884 
  885 \item[{\sphinxstylestrong{host}}] \leavevmode
  886 If the server principal is a host-based principal, its hostname
  887 component is converted to lower case and matched against \sphinxstyleemphasis{value},
  888 which may be a pattern using shell wildcards.
  889 
  890 If the server principal matches the constraints of multiple lines
  891 in the .k5identity file, the principal from the first matching
  892 line is used.  If no line matches, credentials will be selected
  893 some other way, such as the realm heuristic or the current primary
  894 cache.
  895 
  896 \end{description}
  897 
  898 
  899 \subsection{EXAMPLE}
  900 \label{\detokenize{user/user_config/k5identity:example}}
  901 The following example .k5identity file selects the client principal
  902 \sphinxcode{alice@KRBTEST.COM} if the server principal is within that realm,
  903 the principal \sphinxcode{alice/root@EXAMPLE.COM} if the server host is within
  904 a servers subdomain, and the principal \sphinxcode{alice/mail@EXAMPLE.COM} when
  905 accessing the IMAP service on \sphinxcode{mail.example.com}:
  906 
  907 \fvset{hllines={, ,}}%
  908 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  909 \PYG{n}{alice}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM}       \PYG{n}{realm}\PYG{o}{=}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}
  910 \PYG{n}{alice}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}  \PYG{n}{host}\PYG{o}{=}\PYG{o}{*}\PYG{o}{.}\PYG{n}{servers}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
  911 \PYG{n}{alice}\PYG{o}{/}\PYG{n}{mail}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}  \PYG{n}{host}\PYG{o}{=}\PYG{n}{mail}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{service}\PYG{o}{=}\PYG{n}{imap}
  912 \end{sphinxVerbatim}
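The matching rules from the DESCRIPTION above, run over this example file, as an added Python example that is not krb5 code: it parses the file, applies the realm, service and host constraints (host lower-cased, shell wildcards, first matching line wins) and returns None when no line matches. A server realm is taken as known only when the server principal string carries an @REALM suffix; an unrecognized field name is treated here as never matching, which is an assumption.

```python
"""Client principal selection with .k5identity rules.

Added example, not MIT krb5 code.  It implements the matching described in
k5identity(5): each non-comment line is "principal field=value ...", the
server principal must satisfy every constraint on a line, the first
matching line wins, and None means "select credentials some other way".
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed copy of the example file from the k5identity(5) text.
K5IDENTITY_EXAMPLE = """\
# comment lines and blank lines are ignored
alice@KRBTEST.COM       realm=KRBTEST.COM

alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
"""

Rule = Tuple[str, Dict[str, str]]


def parse_k5identity(text: str) -> List[Rule]:
    """Parse .k5identity text into (client_principal, {field: value}) rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, *fields = line.split()
        constraints: Dict[str, str] = {}
        for field in fields:
            name, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"malformed constraint {field!r} in line {line!r}")
            constraints[name] = value
        rules.append((principal, constraints))
    return rules


def split_server_principal(server: str) -> Tuple[List[str], Optional[str]]:
    """Split 'svc/host@REALM' into (['svc', 'host'], 'REALM').

    A missing @REALM suffix models a server whose realm is not known
    (no domain_realm mapping).  Backslash-escaped '@' or '/' in principal
    names is not handled by this simplified splitter.
    """
    name, sep, realm = server.partition("@")
    return name.split("/"), (realm if sep else None)


def rule_matches(constraints: Dict[str, str], components: List[str],
                 realm: Optional[str]) -> bool:
    """True if the server principal satisfies every constraint of one line."""
    host_based = len(components) == 2          # service/hostname form
    for name, pattern in constraints.items():
        if name == "realm":
            if realm is None or not fnmatch.fnmatchcase(realm, pattern):
                return False
        elif name == "service":
            if not host_based or not fnmatch.fnmatchcase(components[0], pattern):
                return False
        elif name == "host":
            # hostname component is lower-cased before matching
            if not host_based or not fnmatch.fnmatchcase(components[1].lower(), pattern):
                return False
        else:
            return False   # unrecognized field: treated as never matching (assumption)
    return True


def select_client_principal(rules: List[Rule], server_principal: str) -> Optional[str]:
    """Return the client principal of the first matching line, or None."""
    components, realm = split_server_principal(server_principal)
    for client, constraints in rules:
        if rule_matches(constraints, components, realm):
            return client
    return None


if __name__ == "__main__":
    rules = parse_k5identity(K5IDENTITY_EXAMPLE)
    for server in ("host/db1.servers.example.com", "imap/MAIL.Example.COM",
                   "pop/mail.example.com", "host/db1.servers.example.com@KRBTEST.COM"):
        print(f"{server:45} -> {select_client_principal(rules, server)}")
```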
  913 
  914 
  915 \subsection{SEE ALSO}
  916 \label{\detokenize{user/user_config/k5identity:see-also}}
  917 kerberos(1), \DUrole{xref,std,std-ref}{krb5.conf(5)}
  918 
  919 
  920 \chapter{User commands}
  921 \label{\detokenize{user/user_commands/index::doc}}\label{\detokenize{user/user_commands/index:user-commands}}\label{\detokenize{user/user_commands/index:id1}}
  922 
  923 \section{kdestroy}
  924 \label{\detokenize{user/user_commands/kdestroy:kdestroy}}\label{\detokenize{user/user_commands/kdestroy::doc}}\label{\detokenize{user/user_commands/kdestroy:kdestroy-1}}
  925 
  926 \subsection{SYNOPSIS}
  927 \label{\detokenize{user/user_commands/kdestroy:synopsis}}
  928 \sphinxstylestrong{kdestroy}
  929 {[}\sphinxstylestrong{-A}{]}
  930 {[}\sphinxstylestrong{-q}{]}
  931 {[}\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}{]}
  932 
  933 
  934 \subsection{DESCRIPTION}
  935 \label{\detokenize{user/user_commands/kdestroy:description}}
  936 The kdestroy utility destroys the user’s active Kerberos authorization
  937 tickets by overwriting and deleting the credentials cache that
  938 contains them.  If the credentials cache is not specified, the default
  939 credentials cache is destroyed.
  940 
  941 
  942 \subsection{OPTIONS}
  943 \label{\detokenize{user/user_commands/kdestroy:options}}\begin{description}
  944 \item[{\sphinxstylestrong{-A}}] \leavevmode
  945 Destroys all caches in the collection, if a cache collection is
  946 available.  May be used with the \sphinxstylestrong{-c} option to specify the
  947 collection to be destroyed.
  948 
  949 \item[{\sphinxstylestrong{-q}}] \leavevmode
  950 Run quietly.  Normally kdestroy beeps if it fails to destroy the
  951 user’s tickets.  The \sphinxstylestrong{-q} flag suppresses this behavior.
  952 
  953 \item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}}] \leavevmode
  954 Use \sphinxstyleemphasis{cache\_name} as the credentials (ticket) cache name and
  955 location; if this option is not used, the default cache name and
  956 location are used.
  957 
  958 The default credentials cache may vary between systems.  If the
  959 \sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to
  960 name the default ticket cache.
  961 
  962 \item[{\sphinxstylestrong{-p} \sphinxstyleemphasis{princ\_name}}] \leavevmode
  963 If a cache collection is available, destroy the cache for
  964 \sphinxstyleemphasis{princ\_name} instead of the primary cache.  May be used with the
  965 \sphinxstylestrong{-c} option to specify the collection to be searched.
  966 
  967 \end{description}
  968 
  969 
  970 \subsection{NOTE}
  971 \label{\detokenize{user/user_commands/kdestroy:note}}
  972 Most installations recommend that you place the kdestroy command in
  973 your .logout file, so that your tickets are destroyed automatically
  974 when you log out.
  975 
  976 
  977 \subsection{ENVIRONMENT}
  978 \label{\detokenize{user/user_commands/kdestroy:environment}}
  979 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
  980 variables.
  981 
  982 
  983 \subsection{FILES}
  984 \label{\detokenize{user/user_commands/kdestroy:files}}\begin{description}
  985 \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
  986 Default location of Kerberos 5 credentials cache
  987 
  988 \end{description}
  989 
  990 
  991 \subsection{SEE ALSO}
  992 \label{\detokenize{user/user_commands/kdestroy:see-also}}
  993 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
  994 
  995 
  996 \section{kinit}
  997 \label{\detokenize{user/user_commands/kinit:kinit-1}}\label{\detokenize{user/user_commands/kinit:kinit}}\label{\detokenize{user/user_commands/kinit::doc}}
  998 
  999 \subsection{SYNOPSIS}
 1000 \label{\detokenize{user/user_commands/kinit:synopsis}}
 1001 \sphinxstylestrong{kinit}
 1002 {[}\sphinxstylestrong{-V}{]}
 1003 {[}\sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime}{]}
 1004 {[}\sphinxstylestrong{-s} \sphinxstyleemphasis{start\_time}{]}
 1005 {[}\sphinxstylestrong{-r} \sphinxstyleemphasis{renewable\_life}{]}
 1006 {[}\sphinxstylestrong{-p} \textbar{} -\sphinxstylestrong{P}{]}
 1007 {[}\sphinxstylestrong{-f} \textbar{} -\sphinxstylestrong{F}{]}
 1008 {[}\sphinxstylestrong{-a}{]}
 1009 {[}\sphinxstylestrong{-A}{]}
 1010 {[}\sphinxstylestrong{-C}{]}
 1011 {[}\sphinxstylestrong{-E}{]}
 1012 {[}\sphinxstylestrong{-v}{]}
 1013 {[}\sphinxstylestrong{-R}{]}
 1014 {[}\sphinxstylestrong{-k} {[}-\sphinxstylestrong{t} \sphinxstyleemphasis{keytab\_file}{]}{]}
 1015 {[}\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}{]}
 1016 {[}\sphinxstylestrong{-n}{]}
 1017 {[}\sphinxstylestrong{-S} \sphinxstyleemphasis{service\_name}{]}
 1018 {[}\sphinxstylestrong{-I} \sphinxstyleemphasis{input\_ccache}{]}
 1019 {[}\sphinxstylestrong{-T} \sphinxstyleemphasis{armor\_ccache}{]}
 1020 {[}\sphinxstylestrong{-X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}{]}
 1021 {[}\sphinxstyleemphasis{principal}{]}
 1022 
 1023 
 1024 \subsection{DESCRIPTION}
 1025 \label{\detokenize{user/user_commands/kinit:description}}
 1026 kinit obtains and caches an initial ticket-granting ticket for
 1027 \sphinxstyleemphasis{principal}.  If \sphinxstyleemphasis{principal} is absent, kinit chooses an appropriate
 1028 principal name based on existing credential cache contents or the
 1029 local username of the user invoking kinit.  Some options modify the
 1030 choice of principal name.
 1031 
 1032 
 1033 \subsection{OPTIONS}
 1034 \label{\detokenize{user/user_commands/kinit:options}}\begin{description}
 1035 \item[{\sphinxstylestrong{-V}}] \leavevmode
 1036 display verbose output.
 1037 
 1038 \item[{\sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime}}] \leavevmode
 1039 (\DUrole{xref,std,std-ref}{duration} string.)  Requests a ticket with the lifetime
 1040 \sphinxstyleemphasis{lifetime}.
 1041 
 1042 For example, \sphinxcode{kinit -l 5:30} or \sphinxcode{kinit -l 5h30m}.
 1043 
 1044 If the \sphinxstylestrong{-l} option is not specified, the default ticket lifetime
 1045 (configured by each site) is used.  Specifying a ticket lifetime
 1046 longer than the maximum ticket lifetime (configured by each site)
 1047 will not override the configured maximum ticket lifetime.
 1048 
 1049 \item[{\sphinxstylestrong{-s} \sphinxstyleemphasis{start\_time}}] \leavevmode
 1050 (\DUrole{xref,std,std-ref}{duration} string.)  Requests a postdated ticket.  Postdated
 1051 tickets are issued with the \sphinxstylestrong{invalid} flag set, and need to be
 1052 resubmitted to the KDC for validation before use.
 1053 
 1054 \sphinxstyleemphasis{start\_time} specifies the duration of the delay before the ticket
 1055 can become valid.
 1056 
 1057 \item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{renewable\_life}}] \leavevmode
 1058 (\DUrole{xref,std,std-ref}{duration} string.)  Requests renewable tickets, with a total
 1059 lifetime of \sphinxstyleemphasis{renewable\_life}.
 1060 
 1061 \item[{\sphinxstylestrong{-f}}] \leavevmode
 1062 requests forwardable tickets.
 1063 
 1064 \item[{\sphinxstylestrong{-F}}] \leavevmode
 1065 requests non-forwardable tickets.
 1066 
 1067 \item[{\sphinxstylestrong{-p}}] \leavevmode
 1068 requests proxiable tickets.
 1069 
 1070 \item[{\sphinxstylestrong{-P}}] \leavevmode
 1071 requests non-proxiable tickets.
 1072 
 1073 \item[{\sphinxstylestrong{-a}}] \leavevmode
 1074 requests tickets restricted to the host’s local address{[}es{]}.
 1075 
 1076 \item[{\sphinxstylestrong{-A}}] \leavevmode
 1077 requests tickets not restricted by address.
 1078 
 1079 \item[{\sphinxstylestrong{-C}}] \leavevmode
 1080 requests canonicalization of the principal name, and allows the
 1081 KDC to reply with a different client principal from the one
 1082 requested.
 1083 
 1084 \item[{\sphinxstylestrong{-E}}] \leavevmode
 1085 treats the principal name as an enterprise name.
 1086 
 1087 \item[{\sphinxstylestrong{-v}}] \leavevmode
 1088 requests that the ticket-granting ticket in the cache (with the
 1089 \sphinxstylestrong{invalid} flag set) be passed to the KDC for validation.  If the
 1090 ticket is within its requested time range, the cache is replaced
 1091 with the validated ticket.
 1092 
 1093 \item[{\sphinxstylestrong{-R}}] \leavevmode
 1094 requests renewal of the ticket-granting ticket.  Note that an
 1095 expired ticket cannot be renewed, even if the ticket is still
 1096 within its renewable life.
 1097 
 1098 Note that renewable tickets that have expired as reported by
 1099 {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} may sometimes be renewed using this option,
 1100 because the KDC applies a grace period to account for client-KDC
 1101 clock skew.  See \DUrole{xref,std,std-ref}{krb5.conf(5)} \sphinxstylestrong{clockskew} setting.
 1102 
 1103 \item[{\sphinxstylestrong{-k} {[}\sphinxstylestrong{-i} \textbar{} \sphinxstylestrong{-t} \sphinxstyleemphasis{keytab\_file}{]}}] \leavevmode
 1104 requests a ticket, obtained from a key in the local host’s keytab.
 1105 The location of the keytab may be specified with the \sphinxstylestrong{-t}
 1106 \sphinxstyleemphasis{keytab\_file} option, or with the \sphinxstylestrong{-i} option to specify the use
 1107 of the default client keytab; otherwise the default keytab will be
 1108 used.  By default, a host ticket for the local host is requested,
 1109 but any principal may be specified.  On a KDC, the special keytab
 1110 location \sphinxcode{KDB:} can be used to indicate that kinit should open
 1111 the KDC database and look up the key directly.  This permits an
 1112 administrator to obtain tickets as any principal that supports
 1113 authentication based on the key.
 1114 
 1115 \item[{\sphinxstylestrong{-n}}] \leavevmode
 1116 Requests anonymous processing.  Two types of anonymous principals
 1117 are supported.
 1118 
 1119 For fully anonymous Kerberos, configure pkinit on the KDC and
 1120 configure \sphinxstylestrong{pkinit\_anchors} in the client’s \DUrole{xref,std,std-ref}{krb5.conf(5)}.
 1121 Then use the \sphinxstylestrong{-n} option with a principal of the form \sphinxcode{@REALM}
 1122 (an empty principal name followed by the at-sign and a realm
 1123 name).  If permitted by the KDC, an anonymous ticket will be
 1124 returned.
 1125 
 1126 A second form of anonymous tickets is supported; these
 1127 realm-exposed tickets hide the identity of the client but not the
 1128 client’s realm.  For this mode, use \sphinxcode{kinit -n} with a normal
 1129 principal name.  If supported by the KDC, the principal (but not
 1130 realm) will be replaced by the anonymous principal.
 1131 
 1132 As of release 1.8, the MIT Kerberos KDC only supports fully
 1133 anonymous operation.
 1134 
  1137 \item[{\sphinxstylestrong{-I} \sphinxstyleemphasis{input\_ccache}}] \leavevmode
  1140 Specifies the name of a credentials cache that already contains a
  1141 ticket.  When obtaining that ticket, if information about how that
  1142 ticket was obtained was also stored to the cache, that information
  1143 will be used to affect how new credentials are obtained, including
  1144 preselecting the same methods of authenticating to the KDC.
  1145 
 1147 \item[{\sphinxstylestrong{-T} \sphinxstyleemphasis{armor\_ccache}}] \leavevmode
 1148 Specifies the name of a credentials cache that already contains a
 1149 ticket.  If supported by the KDC, this cache will be used to armor
 1150 the request, preventing offline dictionary attacks and allowing
 1151 the use of additional preauthentication mechanisms.  Armoring also
 1152 makes sure that the response from the KDC is not modified in
 1153 transit.
 1154 
 1155 \item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}}] \leavevmode
 1156 use \sphinxstyleemphasis{cache\_name} as the Kerberos 5 credentials (ticket) cache
 1157 location.  If this option is not used, the default cache location
 1158 is used.
 1159 
 1160 The default cache location may vary between systems.  If the
 1161 \sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to
 1162 locate the default cache.  If a principal name is specified and
 1163 the type of the default cache supports a collection (such as the
 1164 DIR type), an existing cache containing credentials for the
 1165 principal is selected or a new one is created and becomes the new
 1166 primary cache.  Otherwise, any existing contents of the default
 1167 cache are destroyed by kinit.
 1168 
 1169 \item[{\sphinxstylestrong{-S} \sphinxstyleemphasis{service\_name}}] \leavevmode
 1170 specify an alternate service name to use when getting initial
 1171 tickets.
 1172 
 1173 \item[{\sphinxstylestrong{-X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}}] \leavevmode
 1174 specify a pre-authentication \sphinxstyleemphasis{attribute} and \sphinxstyleemphasis{value} to be
 1175 interpreted by pre-authentication modules.  The acceptable
 1176 attributes and values vary from module to module.  This
 1177 option may be specified multiple times to specify multiple
 1178 attributes.  If no value is specified, it is assumed to be “yes”.
 1179 
 1180 The following attributes are recognized by the PKINIT
 1181 pre-authentication mechanism:
 1182 \begin{description}
 1183 \item[{\sphinxstylestrong{X509\_user\_identity}=\sphinxstyleemphasis{value}}] \leavevmode
 1184 specify where to find user’s X509 identity information
 1185 
 1186 \item[{\sphinxstylestrong{X509\_anchors}=\sphinxstyleemphasis{value}}] \leavevmode
 1187 specify where to find trusted X509 anchor information
 1188 
 1189 \item[{\sphinxstylestrong{flag\_RSA\_PROTOCOL}{[}\sphinxstylestrong{=yes}{]}}] \leavevmode
 1190 specify use of RSA, rather than the default Diffie-Hellman
 1191 protocol
 1192 
 1193 \item[{\sphinxstylestrong{disable\_freshness}{[}\sphinxstylestrong{=yes}{]}}] \leavevmode
 1194 disable sending freshness tokens (for testing purposes only)
 1195 
 1196 \end{description}
 1197 
 1198 \end{description}
 1199 
 1200 
 1201 \subsection{ENVIRONMENT}
 1202 \label{\detokenize{user/user_commands/kinit:environment}}
 1203 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 1204 variables.
 1205 
 1206 
 1207 \subsection{FILES}
 1208 \label{\detokenize{user/user_commands/kinit:files}}\begin{description}
 1209 \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
 1210 default location of Kerberos 5 credentials cache
 1211 
 1212 \item[{\DUrole{xref,std,std-ref}{DEFKTNAME}}] \leavevmode
 1213 default location for the local host’s keytab.
 1214 
 1215 \end{description}
 1216 
 1217 
 1218 \subsection{SEE ALSO}
 1219 \label{\detokenize{user/user_commands/kinit:see-also}}
 1220 {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 1221 
 1222 
 1223 \section{klist}
 1224 \label{\detokenize{user/user_commands/klist:klist}}\label{\detokenize{user/user_commands/klist::doc}}\label{\detokenize{user/user_commands/klist:klist-1}}
 1225 
 1226 \subsection{SYNOPSIS}
 1227 \label{\detokenize{user/user_commands/klist:synopsis}}
 1228 \sphinxstylestrong{klist}
 1229 {[}\sphinxstylestrong{-e}{]}
 1230 {[}{[}\sphinxstylestrong{-c}{]} {[}\sphinxstylestrong{-l}{]} {[}\sphinxstylestrong{-A}{]} {[}\sphinxstylestrong{-f}{]} {[}\sphinxstylestrong{-s}{]} {[}\sphinxstylestrong{-a} {[}\sphinxstylestrong{-n}{]}{]}{]}
 1231 {[}\sphinxstylestrong{-C}{]}
 1232 {[}\sphinxstylestrong{-k} {[}\sphinxstylestrong{-t}{]} {[}\sphinxstylestrong{-K}{]}{]}
 1233 {[}\sphinxstylestrong{-V}{]}
 1234 {[}\sphinxstyleemphasis{cache\_name}\textbar{}\sphinxstyleemphasis{keytab\_name}{]}
 1235 
 1236 
 1237 \subsection{DESCRIPTION}
 1238 \label{\detokenize{user/user_commands/klist:description}}
 1239 klist lists the Kerberos principal and Kerberos tickets held in a
 1240 credentials cache, or the keys held in a keytab file.
 1241 
 1242 
 1243 \subsection{OPTIONS}
 1244 \label{\detokenize{user/user_commands/klist:options}}\begin{description}
 1245 \item[{\sphinxstylestrong{-e}}] \leavevmode
 1246 Displays the encryption types of the session key and the ticket
 1247 for each credential in the credential cache, or each key in the
 1248 keytab file.
 1249 
 1250 \item[{\sphinxstylestrong{-l}}] \leavevmode
 1251 If a cache collection is available, displays a table summarizing
 1252 the caches present in the collection.
 1253 
 1254 \item[{\sphinxstylestrong{-A}}] \leavevmode
 1255 If a cache collection is available, displays the contents of all
 1256 of the caches in the collection.
 1257 
 1258 \item[{\sphinxstylestrong{-c}}] \leavevmode
 1259 List tickets held in a credentials cache. This is the default if
 1260 neither \sphinxstylestrong{-c} nor \sphinxstylestrong{-k} is specified.
 1261 
 1262 \item[{\sphinxstylestrong{-f}}] \leavevmode
 1263 Shows the flags present in the credentials, using the following
 1264 abbreviations:
 1265 
 1266 \fvset{hllines={, ,}}%
 1267 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1268 \PYG{n}{F}    \PYG{n}{Forwardable}
 1269 \PYG{n}{f}    \PYG{n}{forwarded}
 1270 \PYG{n}{P}    \PYG{n}{Proxiable}
 1271 \PYG{n}{p}    \PYG{n}{proxy}
 1272 \PYG{n}{D}    \PYG{n}{postDateable}
 1273 \PYG{n}{d}    \PYG{n}{postdated}
 1274 \PYG{n}{R}    \PYG{n}{Renewable}
 1275 \PYG{n}{I}    \PYG{n}{Initial}
 1276 \PYG{n}{i}    \PYG{n}{invalid}
 1277 \PYG{n}{H}    \PYG{n}{Hardware} \PYG{n}{authenticated}
 1278 \PYG{n}{A}    \PYG{n}{preAuthenticated}
 1279 \PYG{n}{T}    \PYG{n}{Transit} \PYG{n}{policy} \PYG{n}{checked}
 1280 \PYG{n}{O}    \PYG{n}{Okay} \PYG{k}{as} \PYG{n}{delegate}
 1281 \PYG{n}{a}    \PYG{n}{anonymous}
 1282 \end{sphinxVerbatim}
 1283 
 1284 \item[{\sphinxstylestrong{-s}}] \leavevmode
 1285 Causes klist to run silently (produce no output).  klist will exit
 1286 with status 1 if the credentials cache cannot be read or is
 1287 expired, and with status 0 otherwise.
 1288 
 1289 \item[{\sphinxstylestrong{-a}}] \leavevmode
 1290 Display list of addresses in credentials.
 1291 
 1292 \item[{\sphinxstylestrong{-n}}] \leavevmode
 1293 Show numeric addresses instead of reverse-resolving addresses.
 1294 
 1295 \item[{\sphinxstylestrong{-C}}] \leavevmode
 1296 List configuration data that has been stored in the credentials
 1297 cache when klist encounters it.  By default, configuration data
 1298 is not listed.
 1299 
 1300 \item[{\sphinxstylestrong{-k}}] \leavevmode
 1301 List keys held in a keytab file.
 1302 
 1303 \item[{\sphinxstylestrong{-i}}] \leavevmode
 1304 In combination with \sphinxstylestrong{-k}, defaults to using the default client
 1305 keytab instead of the default acceptor keytab, if no name is
 1306 given.
 1307 
 1308 \item[{\sphinxstylestrong{-t}}] \leavevmode
 1309 Display the time entry timestamps for each keytab entry in the
 1310 keytab file.
 1311 
 1312 \item[{\sphinxstylestrong{-K}}] \leavevmode
 1313 Display the value of the encryption key in each keytab entry in
 1314 the keytab file.
 1315 
 1316 \item[{\sphinxstylestrong{-V}}] \leavevmode
 1317 Display the Kerberos version number and exit.
 1318 
 1319 \end{description}
 1320 
 1321 If \sphinxstyleemphasis{cache\_name} or \sphinxstyleemphasis{keytab\_name} is not specified, klist will display
 1322 the credentials in the default credentials cache or keytab file as
 1323 appropriate.  If the \sphinxstylestrong{KRB5CCNAME} environment variable is set, its
 1324 value is used to locate the default ticket cache.
 1325 
 1326 
 1327 \subsection{ENVIRONMENT}
 1328 \label{\detokenize{user/user_commands/klist:environment}}
 1329 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 1330 variables.
 1331 
 1332 
 1333 \subsection{FILES}
 1334 \label{\detokenize{user/user_commands/klist:files}}\begin{description}
 1335 \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
 1336 Default location of Kerberos 5 credentials cache
 1337 
 1338 \item[{\DUrole{xref,std,std-ref}{DEFKTNAME}}] \leavevmode
 1339 Default location for the local host’s keytab file.
 1340 
 1341 \end{description}
 1342 
 1343 
 1344 \subsection{SEE ALSO}
 1345 \label{\detokenize{user/user_commands/klist:see-also}}
 1346 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 1347 
 1348 
 1349 \section{kpasswd}
 1350 \label{\detokenize{user/user_commands/kpasswd:kpasswd}}\label{\detokenize{user/user_commands/kpasswd::doc}}\label{\detokenize{user/user_commands/kpasswd:kpasswd-1}}
 1351 
 1352 \subsection{SYNOPSIS}
 1353 \label{\detokenize{user/user_commands/kpasswd:synopsis}}
 1354 \sphinxstylestrong{kpasswd} {[}\sphinxstyleemphasis{principal}{]}
 1355 
 1356 
 1357 \subsection{DESCRIPTION}
 1358 \label{\detokenize{user/user_commands/kpasswd:description}}
 1359 The kpasswd command is used to change a Kerberos principal’s password.
 1360 kpasswd first prompts for the current Kerberos password, then prompts
 1361 the user twice for the new password, and the password is changed.
 1362 
 1363 If the principal is governed by a policy that specifies the length
 1364 and/or number of character classes required in the new password, the
 1365 new password must conform to the policy.  (The five character classes
 1366 are lower case, upper case, numbers, punctuation, and all other
 1367 characters.)
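A checker for the kind of policy described above (minimum length and minimum number of the five character classes), written in Python as an added example; it is not kpasswd's or kadmin's own code. Classifying only ASCII characters is an assumption here; everything that is not a lower-case letter, upper-case letter, digit or ASCII punctuation counts as "all other characters".

```python
# Added example (not kpasswd's or kadmin's own code): a checker for a password
# policy that requires a minimum length and a minimum number of the five
# character classes the kpasswd description names.  ASCII-only classification
# is an assumption of this demo.
import string

LOWER, UPPER, DIGIT, PUNCT, OTHER = "lower", "upper", "digit", "punct", "other"


def character_classes(password):
    """Return the set of character classes present in `password`: lower case,
    upper case, numbers, punctuation, and all other characters (e.g. space)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add(LOWER)
        elif ch in string.ascii_uppercase:
            classes.add(UPPER)
        elif ch in string.digits:
            classes.add(DIGIT)
        elif ch in string.punctuation:
            classes.add(PUNCT)
        else:
            classes.add(OTHER)
    return classes


def check_password(password, min_length, min_classes):
    """Apply a policy's minimum length and minimum number of character
    classes; return (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short: %d characters, policy requires %d" % (
            len(password), min_length)
    found = character_classes(password)
    if len(found) < min_classes:
        return False, "only %d character classes (%s), policy requires %d" % (
            len(found), ", ".join(sorted(found)), min_classes)
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample passwords checked against a length-8, 3-class policy.
    for pw in ("password", "Passw0rd!", "correct horse battery staple"):
        print(repr(pw), check_password(pw, 8, 3))
```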
 1368 
 1369 
 1370 \subsection{OPTIONS}
 1371 \label{\detokenize{user/user_commands/kpasswd:options}}\begin{description}
 1372 \item[{\sphinxstyleemphasis{principal}}] \leavevmode
 1373 Change the password for the Kerberos principal \sphinxstyleemphasis{principal}.
 1374 Otherwise, kpasswd uses the principal name from an existing ccache
 1375 if there is one; if not, the principal is derived from the
 1376 identity of the user invoking the kpasswd command.
 1377 
 1378 \end{description}
 1379 
 1380 
 1381 \subsection{ENVIRONMENT}
 1382 \label{\detokenize{user/user_commands/kpasswd:environment}}
 1383 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 1384 variables.
 1385 
 1386 
 1387 \subsection{SEE ALSO}
 1388 \label{\detokenize{user/user_commands/kpasswd:see-also}}
 1389 \DUrole{xref,std,std-ref}{kadmin(1)}, \DUrole{xref,std,std-ref}{kadmind(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 1390 
 1391 
 1392 \section{krb5-config}
 1393 \label{\detokenize{user/user_commands/krb5-config:krb5-config-1}}\label{\detokenize{user/user_commands/krb5-config:krb5-config}}\label{\detokenize{user/user_commands/krb5-config::doc}}
 1394 
 1395 \subsection{SYNOPSIS}
 1396 \label{\detokenize{user/user_commands/krb5-config:synopsis}}
 1397 \sphinxstylestrong{krb5-config}
 1398 {[}\sphinxstylestrong{-}\sphinxstylestrong{-help} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-all} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-version} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-vendor} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-prefix} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-exec-prefix} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-defccname} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-defktname} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-defcktname} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-cflags} \textbar{} \sphinxstylestrong{-}\sphinxstylestrong{-libs} {[}\sphinxstyleemphasis{libraries}{]}{]}
 1399 
 1400 
 1401 \subsection{DESCRIPTION}
 1402 \label{\detokenize{user/user_commands/krb5-config:description}}
 1403 krb5-config tells the application programmer what flags to use to compile
 1404 and link programs against the installed Kerberos libraries.
 1405 
 1406 
 1407 \subsection{OPTIONS}
 1408 \label{\detokenize{user/user_commands/krb5-config:options}}\begin{description}
 1409 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-help}}] \leavevmode
 1410 prints a usage message.  This is the default behavior when no options
 1411 are specified.
 1412 
 1413 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-all}}] \leavevmode
 1414 prints the version, vendor, prefix, and exec-prefix.
 1415 
 1416 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-version}}] \leavevmode
 1417 prints the version number of the Kerberos installation.
 1418 
 1419 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-vendor}}] \leavevmode
 1420 prints the name of the vendor of the Kerberos installation.
 1421 
 1422 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-prefix}}] \leavevmode
 1423 prints the prefix for which the Kerberos installation was built.
 1424 
 1425 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-exec-prefix}}] \leavevmode
 1426 prints the prefix for executables for which the Kerberos installation
 1427 was built.
 1428 
 1429 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-defccname}}] \leavevmode
 1430 prints the built-in default credentials cache location.
 1431 
 1432 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-defktname}}] \leavevmode
 1433 prints the built-in default keytab location.
 1434 
 1435 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-defcktname}}] \leavevmode
 1436 prints the built-in default client (initiator) keytab location.
 1437 
 1438 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-cflags}}] \leavevmode
 1439 prints the compilation flags used to build the Kerberos installation.
 1440 
 1441 \item[{\sphinxstylestrong{-}\sphinxstylestrong{-libs} {[}\sphinxstyleemphasis{library}{]}}] \leavevmode
 1442 prints the compiler options needed to link against \sphinxstyleemphasis{library}.
 1443 Allowed values for \sphinxstyleemphasis{library} are:
 1444 
 1445 
 1446 \begin{savenotes}\sphinxattablestart
 1447 \centering
 1448 \begin{tabulary}{\linewidth}[t]{|T|T|}
 1449 \hline
 1450 
 1451 krb5
 1452 &
 1453 Kerberos 5 applications (default)
 1454 \\
 1455 \hline
 1456 gssapi
 1457 &
 1458 GSSAPI applications with Kerberos 5 bindings
 1459 \\
 1460 \hline
 1461 kadm-client
 1462 &
 1463 Kadmin client
 1464 \\
 1465 \hline
 1466 kadm-server
 1467 &
 1468 Kadmin server
 1469 \\
 1470 \hline
 1471 kdb
 1472 &
 1473 Applications that access the Kerberos database
 1474 \\
 1475 \hline
 1476 \end{tabulary}
 1477 \par
 1478 \sphinxattableend\end{savenotes}
 1479 
 1480 \end{description}
 1481 
 1482 
 1483 \subsection{EXAMPLES}
 1484 \label{\detokenize{user/user_commands/krb5-config:examples}}
 1485 krb5-config is particularly useful for compiling against a Kerberos
 1486 installation that was installed in a non-standard location.  For example,
 1487 a Kerberos installation that is installed in \sphinxcode{/opt/krb5/} but uses
 1488 libraries in \sphinxcode{/usr/local/lib/} for text localization would produce
 1489 the following output:
 1490 
 1491 \fvset{hllines={, ,}}%
 1492 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1493 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{config} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{libs} \PYG{n}{krb5}
 1494 \PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{\PYGZhy{}}\PYG{n}{rpath} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{lkrb5} \PYG{o}{\PYGZhy{}}\PYG{n}{lk5crypto} \PYG{o}{\PYGZhy{}}\PYG{n}{lcom\PYGZus{}err}
 1495 \end{sphinxVerbatim}
 1496 
 1497 
 1498 \subsection{SEE ALSO}
 1499 \label{\detokenize{user/user_commands/krb5-config:see-also}}
 1500 {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, cc(1)
 1501 
 1502 
 1503 \section{ksu}
 1504 \label{\detokenize{user/user_commands/ksu:ksu-1}}\label{\detokenize{user/user_commands/ksu:ksu}}\label{\detokenize{user/user_commands/ksu::doc}}
 1505 
 1506 \subsection{SYNOPSIS}
 1507 \label{\detokenize{user/user_commands/ksu:synopsis}}
 1508 \sphinxstylestrong{ksu}
 1509 {[} \sphinxstyleemphasis{target\_user} {]}
 1510 {[} \sphinxstylestrong{-n} \sphinxstyleemphasis{target\_principal\_name} {]}
 1511 {[} \sphinxstylestrong{-c} \sphinxstyleemphasis{source\_cache\_name} {]}
 1512 {[} \sphinxstylestrong{-k} {]}
 1513 {[} \sphinxstylestrong{-r} \sphinxstyleemphasis{time} {]}
 1514 {[} \sphinxstylestrong{-p} \textbar{} \sphinxstylestrong{-P}{]}
 1515 {[} \sphinxstylestrong{-f} \textbar{} \sphinxstylestrong{-F}{]}
 1516 {[} \sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime} {]}
 1517 {[} \sphinxstylestrong{-z} \textbar{} \sphinxstylestrong{-Z} {]}
 1518 {[} \sphinxstylestrong{-q} {]}
 1519 {[} \sphinxstylestrong{-e} \sphinxstyleemphasis{command} {[} args …  {]} {]} {[} \sphinxstylestrong{-a} {[} args …  {]} {]}
 1520 
 1521 
 1522 \subsection{REQUIREMENTS}
 1523 \label{\detokenize{user/user_commands/ksu:requirements}}
 1524 Must have Kerberos version 5 installed to compile ksu.  Must have a
 1525 Kerberos version 5 server running to use ksu.
 1526 
 1527 
 1528 \subsection{DESCRIPTION}
 1529 \label{\detokenize{user/user_commands/ksu:description}}
 1530 ksu is a Kerberized version of the su program that has two missions:
 1531 one is to securely change the real and effective user ID to that of
 1532 the target user, and the other is to create a new security context.
 1533 
 1534 \begin{sphinxadmonition}{note}{Note:}
 1535 For the sake of clarity, all references to and attributes of
 1536 the user invoking the program will start with “source”
 1537 (e.g., “source user”, “source cache”, etc.).
 1538 
 1539 Likewise, all references to and attributes of the target
 1540 account will start with “target”.
 1541 \end{sphinxadmonition}
 1542 
 1543 
 1544 \subsection{AUTHENTICATION}
 1545 \label{\detokenize{user/user_commands/ksu:authentication}}
 1546 To fulfill the first mission, ksu operates in two phases:
 1547 authentication and authorization.  Resolving the target principal name
 1548 is the first step in authentication.  The user can either specify his
 1549 principal name with the \sphinxstylestrong{-n} option (e.g., \sphinxcode{-n jqpublic@USC.EDU})
 1550 or a default principal name will be assigned using a heuristic
 1551 described in the OPTIONS section (see \sphinxstylestrong{-n} option).  The target user
 1552 name must be the first argument to ksu; if not specified root is the
 1553 default.  If \sphinxcode{.} is specified then the target user will be the
 1554 source user (e.g., \sphinxcode{ksu .}).  If the source user is root or the
 1555 target user is the source user, no authentication or authorization
 1556 takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
 1557 in the source cache.
 1558 
 1559 The ticket can either be for the end-server or a ticket granting
 1560 ticket (TGT) for the target principal’s realm.  If the ticket for the
 1561 end-server is already in the cache, it’s decrypted and verified.  If
 1562 it’s not in the cache but the TGT is, the TGT is used to obtain the
 1563 ticket for the end-server.  The end-server ticket is then verified.
 1564 If neither ticket is in the cache, but ksu is compiled with the
 1565 \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} define, the user will be prompted for a
 1566 Kerberos password which will then be used to get a TGT.  If the user
 1567 is logged in remotely and does not have a secure channel, the password
 1568 may be exposed.  If neither ticket is in the cache and
 1569 \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is not defined, authentication fails.
 1570 
 1571 
 1572 \subsection{AUTHORIZATION}
 1573 \label{\detokenize{user/user_commands/ksu:authorization}}
 1574 This section describes authorization of the source user when ksu is
 1575 invoked without the \sphinxstylestrong{-e} option.  For a description of the \sphinxstylestrong{-e}
 1576 option, see the OPTIONS section.
 1577 
 1578 Upon successful authentication, ksu checks whether the target
 1579 principal is authorized to access the target account.  In the target
 1580 user’s home directory, ksu attempts to access two authorization files:
 1581 {\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} and .k5users.  In the .k5login file each line
 1582 contains the name of a principal that is authorized to access the
 1583 account.
 1584 
 1585 For example:
 1586 
 1587 \fvset{hllines={, ,}}%
 1588 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1589 \PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
 1590 \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
 1591 \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
 1592 \end{sphinxVerbatim}
 1593 
 1594 The format of .k5users is the same, except the principal name may be
 1595 followed by a list of commands that the principal is authorized to
 1596 execute (see the \sphinxstylestrong{-e} option in the OPTIONS section for details).
 1597 
 1598 Thus if the target principal name is found in the .k5login file the
 1599 source user is authorized to access the target account.  Otherwise ksu
 1600 looks in the .k5users file.  If the target principal name is found
 1601 without any trailing commands or followed only by \sphinxcode{*} then the
 1602 source user is authorized.  If either .k5login or .k5users exist but
 1603 an appropriate entry for the target principal does not exist then
 1604 access is denied.  If neither file exists then the principal will be
 1605 granted access to the account according to the aname-\textgreater{}lname mapping
 1606 rules.  Otherwise, authorization fails.
 1607 
 1608 
 1609 \subsection{EXECUTION OF THE TARGET SHELL}
 1610 \label{\detokenize{user/user_commands/ksu:execution-of-the-target-shell}}
 1611 Upon successful authentication and authorization, ksu proceeds in a
 1612 similar fashion to su.  The environment is unmodified with the
 1613 exception of USER, HOME and SHELL variables.  If the target user is
 1614 not root, USER gets set to the target user name.  Otherwise USER
 1615 remains unchanged.  Both HOME and SHELL are set to the target login’s
 1616 default values.  In addition, the environment variable \sphinxstylestrong{KRB5CCNAME}
 1617 gets set to the name of the target cache.  The real and effective user
 1618 ID are changed to that of the target user.  The target user’s shell is
 1619 then invoked (the shell name is specified in the password file).  Upon
 1620 termination of the shell, ksu deletes the target cache (unless ksu is
 1621 invoked with the \sphinxstylestrong{-k} option).  This is implemented by first doing a
 1622 fork and then an exec, instead of just exec, as done by su.
 1623 
 1624 
 1625 \subsection{CREATING A NEW SECURITY CONTEXT}
 1626 \label{\detokenize{user/user_commands/ksu:creating-a-new-security-context}}
 1627 ksu can be used to create a new security context for the target
 1628 program (either the target shell, or command specified via the \sphinxstylestrong{-e}
 1629 option).  The target program inherits a set of credentials from the
 1630 source user.  By default, this set includes all of the credentials in
 1631 the source cache plus any additional credentials obtained during
 1632 authentication.  The source user is able to limit the credentials in
 1633 this set by using the \sphinxstylestrong{-z} or \sphinxstylestrong{-Z} option.  \sphinxstylestrong{-z} restricts the copy
 1634 of tickets from the source cache to the target cache to only the
 1635 tickets where client == the target principal name.  The \sphinxstylestrong{-Z} option
 1636 provides the target user with a fresh target cache (no creds in the
 1637 cache).  Note that for security reasons, when the source user is root
 1638 and the target user is non-root, the \sphinxstylestrong{-z} option is the default mode of
 1639 operation.
 1640 
 1641 While no authentication takes place if the source user is root or is
 1642 the same as the target user, additional tickets can still be obtained
 1643 for the target cache.  If \sphinxstylestrong{-n} is specified and no credentials can
 1644 be copied to the target cache, the source user is prompted for a
 1645 Kerberos password (unless \sphinxstylestrong{-Z} is specified or \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD}
 1646 is undefined).  If successful, a TGT is obtained from the Kerberos
 1647 server and stored in the target cache.  Otherwise, if a password is
 1648 not provided (user hit return) ksu continues in a normal mode of
 1649 operation (the target cache will not contain the desired TGT).  If the
 1650 wrong password is typed in, ksu fails.
 1651 
 1652 \begin{sphinxadmonition}{note}{Note:}
 1653 During authentication, only the tickets that could be
 1654 obtained without providing a password are cached in the
 1655 source cache.
 1656 \end{sphinxadmonition}
 1657 
 1658 
 1659 \subsection{OPTIONS}
 1660 \label{\detokenize{user/user_commands/ksu:options}}\begin{description}
 1661 \item[{\sphinxstylestrong{-n} \sphinxstyleemphasis{target\_principal\_name}}] \leavevmode
 1662 Specify a Kerberos target principal name.  Used in authentication
 1663 and authorization phases of ksu.
 1664 
 1665 If ksu is invoked without \sphinxstylestrong{-n}, a default principal name is
 1666 assigned via the following heuristic:
 1667 \begin{itemize}
 1668 \item {} 
 1669 Case 1: source user is non-root.
 1670 
 1671 If the target user is the source user the default principal name
 1672 is set to the default principal of the source cache.  If the
 1673 cache does not exist then the default principal name is set to
 1674 \sphinxcode{target\_user@local\_realm}.  If the source and target users are
 1675 different and neither \sphinxcode{\textasciitilde{}target\_user/.k5users} nor
 1676 \sphinxcode{\textasciitilde{}target\_user/.k5login} exist then the default principal name
 1677 is \sphinxcode{target\_user\_login\_name@local\_realm}.  Otherwise, starting
 1678 with the first principal listed below, ksu checks if the
 1679 principal is authorized to access the target account and whether
 1680 there is a legitimate ticket for that principal in the source
 1681 cache.  If both conditions are met that principal becomes the
 1682 default target principal, otherwise go to the next principal.
 1683 \begin{enumerate}
 1684 \item {} 
 1685 default principal of the source cache
 1686 
 1687 \item {} 
 1688 target\_user@local\_realm
 1689 
 1690 \item {} 
 1691 source\_user@local\_realm
 1692 
 1693 \end{enumerate}
 1694 
 1695 If 1-3 fail, try any principal for which there is a ticket in
 1696 the source cache and that is authorized to access the target
 1697 account.  If that fails select the first principal that is
 1698 authorized to access the target account from the above list.  If
 1699 none are authorized and ksu is configured with
 1700 \sphinxstylestrong{PRINC\_LOOK\_AHEAD} turned on, select the default principal as
 1701 follows:
 1702 
 1703 For each candidate in the above list, select an authorized
 1704 principal that has the same realm name and first part of the
 1705 principal name equal to the prefix of the candidate.  For
 1706 example if candidate 1) is \sphinxcode{jqpublic@ISI.EDU} and
 1707 \sphinxcode{jqpublic/secure@ISI.EDU} is authorized to access the target
 1708 account then the default principal is set to
 1709 \sphinxcode{jqpublic/secure@ISI.EDU}.
 1710 
 1711 \item {} 
 1712 Case 2: source user is root.
 1713 
 1714 If the target user is non-root then the default principal name
 1715 is \sphinxcode{target\_user@local\_realm}.  Else, if the source cache
 1716 exists the default principal name is set to the default
 1717 principal of the source cache.  If the source cache does not
 1718 exist, the default principal name is set to \sphinxcode{root@local\_realm}.
 1719 
 1720 \end{itemize}
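The authorization rules from the AUTHORIZATION section (.k5login, .k5users, and the aname-\textgreater{}lname fallback when neither file exists) together with the Case 1 default-principal heuristic above, modelled in Python as an added example; this is not ksu's own code. Assumed: blank lines in the files are ignored, the default aname-\textgreater{}lname rule maps a single-component principal in the local realm to the login name of the same spelling, and for \sphinxstylestrong{-e} a principal's .k5users entry must list the command or \sphinxcode{*} (an entry with no commands grants only the shell). The file contents and the cache are constructed for the demo.

```python
# Added example (not ksu's own code): a model of ksu's .k5login/.k5users
# authorization and of the Case 1 (non-root source user) default-principal
# heuristic used when -n is not given.  Assumptions are marked in comments.

# Constructed ~bob/.k5login and ~bob/.k5users for target user "bob".
K5LOGIN = """\
jqpublic@USC.EDU
jqpublic/secure@USC.EDU
"""
K5USERS = """\
alice@USC.EDU *
carol@USC.EDU ls /usr/bin/cat
dave@USC.EDU
"""


def parse_k5login(text):
    """One authorized principal per line; blank lines ignored (assumption)."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def parse_k5users(text):
    """principal [command ...]: map principal -> list of permitted commands."""
    entries = {}
    for ln in text.splitlines():
        fields = ln.split()
        if fields:
            entries[fields[0]] = fields[1:]
    return entries


def aname_to_lname(principal, local_realm):
    """Simplified default aname->lname rule (assumption): a single-component
    principal in the local realm maps to the local account of that name."""
    name, _, realm = principal.rpartition("@")
    return name if realm == local_realm and "/" not in name else None


def authorized(principal, target_user, k5login, k5users, local_realm,
               command=None):
    """May `principal` access target_user's account?  k5login/k5users are the
    parsed files, or None when that file does not exist; command is None for
    the target shell (plain ksu) or the program requested with -e."""
    if command is not None:
        # -e rule (assumption): the .k5users entry must list the command or
        # "*"; .k5login grants no commands, an empty list grants only the shell.
        cmds = (k5users or {}).get(principal)
        return cmds is not None and ("*" in cmds or command in cmds)
    if k5login is not None and principal in k5login:
        return True
    if k5users is not None and principal in k5users:
        return k5users[principal] in ([], ["*"])   # no commands, or only "*"
    if k5login is None and k5users is None:
        return aname_to_lname(principal, local_realm) == target_user
    return False   # a file exists but has no entry for this principal: deny


def default_principal(source_user, target_user, cache, k5login, k5users,
                      local_realm, princ_look_ahead=False):
    """Case 1 of the -n heuristic (source user is non-root).  `cache` is None
    when the source cache does not exist, else a dict with the cache's
    "default" principal and the set of client principals with "tickets"."""
    def ok(p):
        return authorized(p, target_user, k5login, k5users, local_realm)

    if target_user == source_user:
        return cache["default"] if cache else "%s@%s" % (target_user, local_realm)
    if k5login is None and k5users is None:
        return "%s@%s" % (target_user, local_realm)
    candidates = ([cache["default"]] if cache else []) + [
        "%s@%s" % (target_user, local_realm),
        "%s@%s" % (source_user, local_realm)]
    tickets = cache["tickets"] if cache else set()
    for p in candidates:                 # steps 1-3: authorized and ticketed
        if ok(p) and p in tickets:
            return p
    for p in sorted(tickets):            # any ticketed, authorized principal
        if ok(p):
            return p
    for p in candidates:                 # first authorized candidate
        if ok(p):
            return p
    if princ_look_ahead:                 # same realm, same first component
        listed = set(k5login or ()) | set(k5users or {})
        for cand in candidates:
            cname, _, crealm = cand.rpartition("@")
            for p in sorted(listed):
                pname, _, prealm = p.rpartition("@")
                if prealm == crealm and pname.split("/")[0] == cname and ok(p):
                    return p
    return None


if __name__ == "__main__":
    k5login, k5users = parse_k5login(K5LOGIN), parse_k5users(K5USERS)
    for princ in ("jqpublic@USC.EDU", "carol@USC.EDU", "dave@USC.EDU"):
        print(princ, "shell:", authorized(princ, "bob", k5login, k5users, "USC.EDU"),
              "-e ls:", authorized(princ, "bob", k5login, k5users, "USC.EDU", "ls"))
```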
 1721 
 1722 \end{description}
 1723 
 1724 \begin{description}
 1725 \item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{source\_cache\_name}}] \leavevmode
 1727 Specify the source cache name (e.g., \sphinxcode{-c FILE:/tmp/my\_cache}).  If the
 1728 \sphinxstylestrong{-c} option is not used then the name is obtained from the
 1729 \sphinxstylestrong{KRB5CCNAME} environment variable.  If \sphinxstylestrong{KRB5CCNAME} is not
 1730 defined the source cache name is set to \sphinxcode{krb5cc\_\textless{}source uid\textgreater{}}.
 1731 The target cache name is automatically set to \sphinxcode{krb5cc\_\textless{}target
 1732 uid\textgreater{}.(gen\_sym())}, where gen\_sym generates a new number such that
 1733 the resulting cache does not already exist.  For example:
 1734 
 1735 \fvset{hllines={, ,}}%
 1736 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1737 \PYG{n}{krb5cc\PYGZus{}1984}\PYG{o}{.}\PYG{l+m+mi}{2}
 1738 \end{sphinxVerbatim}
 1739 \end{description}
 1740 \begin{description}
 1741 \item[{\sphinxstylestrong{-k}}] \leavevmode
 1742 Do not delete the target cache upon termination of the target
 1743 shell or a command (\sphinxstylestrong{-e} command).  Without \sphinxstylestrong{-k}, ksu deletes
 1744 the target cache.
 1745 
 1746 \item[{\sphinxstylestrong{-z}}] \leavevmode
 1747 Restrict the copy of tickets from the source cache to the target
 1748 cache to only the tickets where client == the target principal
 1749 name.  Use the \sphinxstylestrong{-n} option if you want the tickets for other than
 1750 the default principal.  Note that the \sphinxstylestrong{-z} option is mutually
 1751 exclusive with the \sphinxstylestrong{-Z} option.
 1752 
 1753 \item[{\sphinxstylestrong{-Z}}] \leavevmode
 1754 Don’t copy any tickets from the source cache to the target cache.
 1755 Just create a fresh target cache, where the default principal name
 1756 of the cache is initialized to the target principal name.  Note
 1757 that the \sphinxstylestrong{-Z} option is mutually exclusive with the \sphinxstylestrong{-z}
 1758 option.
 1759 
 1760 \item[{\sphinxstylestrong{-q}}] \leavevmode
 1761 Suppress the printing of status messages.
 1762 
 1763 \end{description}
 1764 
 1765 Ticket granting ticket options:
 1766 \begin{description}
 1767 \item[{\sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime} \sphinxstylestrong{-r} \sphinxstyleemphasis{time} \sphinxstylestrong{-p} \sphinxstylestrong{-P} \sphinxstylestrong{-f} \sphinxstylestrong{-F}}] \leavevmode
 1768 The ticket granting ticket options only apply to the case where
 1769 there are no appropriate tickets in the cache to authenticate the
 1770 source user.  In this case if ksu is configured to prompt users
 1771 for a Kerberos password (\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is defined), the
 1772 ticket granting ticket options that are specified will be used
 1773 when getting a ticket granting ticket from the Kerberos server.
 1774 
 1775 \item[{\sphinxstylestrong{-l} \sphinxstyleemphasis{lifetime}}] \leavevmode
 1776 (\DUrole{xref,std,std-ref}{duration} string.)  Specifies the lifetime to be requested
 1777 for the ticket; if this option is not specified, the default ticket
 1778 lifetime (12 hours) is used instead.
 1779 
 1780 \item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{time}}] \leavevmode
 1781 (\DUrole{xref,std,std-ref}{duration} string.)  Specifies that the \sphinxstylestrong{renewable} option
 1782 should be requested for the ticket, and specifies the desired
 1783 total lifetime of the ticket.
 1784 
 1785 \item[{\sphinxstylestrong{-p}}] \leavevmode
 1786 Specifies that the \sphinxstylestrong{proxiable} option should be requested for
 1787 the ticket.
 1788 
 1789 \item[{\sphinxstylestrong{-P}}] \leavevmode
 1790 Specifies that the \sphinxstylestrong{proxiable} option should not be requested
 1791 for the ticket, even if the default configuration is to ask for
 1792 proxiable tickets.
 1793 
 1794 \item[{\sphinxstylestrong{-f}}] \leavevmode
 1795 Specifies that the \sphinxstylestrong{forwardable} option should be
 1796 requested for the ticket.
 1797 
 1798 \item[{\sphinxstylestrong{-F}}] \leavevmode
 1799 Specifies that the \sphinxstylestrong{forwardable} option should not be
 1800 requested for the ticket, even if the default configuration is to
 1801 ask for forwardable tickets.
 1802 
 1803 \item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{args}{]}}] \leavevmode
 1804 ksu proceeds exactly the same as if it were invoked without the
 1805 \sphinxstylestrong{-e} option, except instead of executing the target shell, ksu
 1806 executes the specified command. Example of usage:
 1807 
 1808 \fvset{hllines={, ,}}%
 1809 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1810 \PYG{n}{ksu} \PYG{n}{bob} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{ls} \PYG{o}{\PYGZhy{}}\PYG{n}{lag}
 1811 \end{sphinxVerbatim}
 1812 
 1813 The authorization algorithm for \sphinxstylestrong{-e} is as follows:
 1814 
 1815 If the source user is root or source user == target user, no
 1816 authorization takes place and the command is executed.  If source
 1817 user id != 0, and \sphinxcode{\textasciitilde{}target\_user/.k5users} file does not exist,
 1818 authorization fails.  Otherwise, \sphinxcode{\textasciitilde{}target\_user/.k5users} file
 1819 must have an appropriate entry for target principal to get
 1820 authorized.
 1821 
 1822 The .k5users file format:
 1823 
 1824 A single principal entry on each line that may be followed by a
 1825 list of commands that the principal is authorized to execute.  A
 1826 principal name followed by a \sphinxcode{*} means that the user is
 1827 authorized to execute any command.  Thus, in the following
 1828 example:
 1829 
 1830 \fvset{hllines={, ,}}%
 1831 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1832 \PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ls} \PYG{n}{mail} \PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{klist}
 1833 \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{*}
 1834 \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU}
 1835 \end{sphinxVerbatim}
 1836 
 1837 \sphinxcode{jqpublic@USC.EDU} is only authorized to execute \sphinxcode{ls},
 1838 \sphinxcode{mail} and \sphinxcode{klist} commands.  \sphinxcode{jqpublic/secure@USC.EDU} is
 1839 authorized to execute any command.  \sphinxcode{jqpublic/admin@USC.EDU} is
 1840 not authorized to execute any command.  Note, that
 1841 \sphinxcode{jqpublic/admin@USC.EDU} is authorized to execute the target
 1842 shell (regular ksu, without the \sphinxstylestrong{-e} option) but
 1843 \sphinxcode{jqpublic@USC.EDU} is not.
 1844 
 1845 The commands listed after the principal name must be either full
 1846 path names or just the program name.  In the second case,
 1847 \sphinxstylestrong{CMD\_PATH} specifying the location of authorized programs must
 1848 be defined when ksu is compiled.  Which command gets
 1849 executed?
 1850 
 1851 If the source user is root or the target user is the source user
 1852 or the user is authorized to execute any command (\sphinxcode{*} entry)
 1853 then command can be either a full or a relative path leading to
 1854 the target program.  Otherwise, the user must specify either a
 1855 full path or just the program name.
 1856 
 1857 \item[{\sphinxstylestrong{-a} \sphinxstyleemphasis{args}}] \leavevmode
 1858 Specify arguments to be passed to the target shell.  Note that all
 1859 flags and parameters following -a will be passed to the shell,
 1860 thus all options intended for ksu must precede \sphinxstylestrong{-a}.
 1861 
 1862 The \sphinxstylestrong{-a} option can be used to simulate the \sphinxstylestrong{-e} option if
 1863 used as follows:
 1864 
 1865 \fvset{hllines={, ,}}%
 1866 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1867 \PYG{o}{\PYGZhy{}}\PYG{n}{a} \PYG{o}{\PYGZhy{}}\PYG{n}{c} \PYG{p}{[}\PYG{n}{command} \PYG{p}{[}\PYG{n}{arguments}\PYG{p}{]}\PYG{p}{]}\PYG{o}{.}
 1868 \end{sphinxVerbatim}
 1869 
 1870 \sphinxstylestrong{-c} is interpreted by the c-shell to execute the command.
 1871 
 1872 \end{description}
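The \sphinxstylestrong{-e} authorization algorithm and the .k5users format described above, as an added Python model (this is not krb5's own code; the CMD\_PATH directories, the set of installed programs and the exact path-matching rule are assumptions made for the example):

```python
"""ksu-style .k5users authorization, modelled on the manual's description.
Added example; this is not krb5's own code or its exact matching logic."""
import os
from typing import Dict, List, Optional, Tuple

# Constructed inputs: the manual's sample .k5users, an assumed CMD_PATH of
# authorized program directories, and the programs assumed to exist in them.
SAMPLE_K5USERS = """\
jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
jqpublic/admin@USC.EDU
"""
CMD_PATH = ["/bin", "/usr/ucb", "/local/bin"]
INSTALLED = {"/bin/ls", "/usr/ucb/mail", "/local/kerberos/klist", "/bin/rm"}

def parse_k5users(text: str) -> Dict[str, List[str]]:
    """Principal -> command list; an empty list means shell only, no -e command."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries[fields[0]] = fields[1:]
    return entries

def resolve(name: str) -> Optional[str]:
    """Map a full path or bare program name to the program that would run.
    Bare names are looked up only in CMD_PATH; relative paths are rejected."""
    if name.startswith("/"):
        return name if name in INSTALLED else None
    if "/" in name:
        return None
    for directory in CMD_PATH:
        candidate = os.path.join(directory, name)
        if candidate in INSTALLED:
            return candidate
    return None

def authorize(entries: Optional[Dict[str, List[str]]], source_uid: int,
              source_user: str, target_user: str, target_principal: str,
              command: str) -> Tuple[bool, str]:
    """Decide whether 'ksu target_user -e command' is authorized.
    entries is None when ~target_user/.k5users does not exist."""
    if source_uid == 0 or source_user == target_user:
        return True, "root or same user: no authorization check"
    if entries is None:
        return False, ".k5users does not exist: authorization fails"
    allowed = entries.get(target_principal)
    if allowed is None:
        return False, "target principal has no .k5users entry"
    if "*" in allowed:
        return True, "'*' entry: any command is permitted"
    wanted = resolve(command)
    if wanted is None:
        return False, "command must be a full path or a program on CMD_PATH"
    if any(resolve(c) == wanted for c in allowed):
        return True, "command is listed for the target principal"
    return False, "command is not listed for the target principal"
```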
 1873 
 1874 
 1875 \subsection{INSTALLATION INSTRUCTIONS}
 1876 \label{\detokenize{user/user_commands/ksu:installation-instructions}}
 1877 ksu can be compiled with the following four flags:
 1878 \begin{description}
 1879 \item[{\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD}}] \leavevmode
 1880 In case no appropriate tickets are found in the source cache, the
 1881 user will be prompted for a Kerberos password.  The password is
 1882 then used to get a ticket granting ticket from the Kerberos
 1883 server.  The danger of configuring ksu with this macro is if the
 1884 source user is logged in remotely and does not have a secure
 1885 channel, the password may get exposed.
 1886 
 1887 \item[{\sphinxstylestrong{PRINC\_LOOK\_AHEAD}}] \leavevmode
 1888 During the resolution of the default principal name,
 1889 \sphinxstylestrong{PRINC\_LOOK\_AHEAD} enables ksu to find principal names in
 1890 the .k5users file as described in the OPTIONS section
 1891 (see \sphinxstylestrong{-n} option).
 1892 
 1893 \item[{\sphinxstylestrong{CMD\_PATH}}] \leavevmode
 1894 Specifies a list of directories containing programs that users are
 1895 authorized to execute (via .k5users file).
 1896 
 1897 \item[{\sphinxstylestrong{HAVE\_GETUSERSHELL}}] \leavevmode
 1898 If the source user is non-root, ksu insists that the target user’s
 1899 shell, the shell to be invoked, be a “legal shell”.  \sphinxstyleemphasis{getusershell(3)} is
 1900 called to obtain the names of “legal shells”.  Note that the
 1901 target user’s shell is obtained from the passwd file.
 1902 
 1903 \end{description}
 1904 
 1905 Sample configuration:
 1906 
 1907 \fvset{hllines={, ,}}%
 1908 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1909 \PYG{n}{KSU\PYGZus{}OPTS} \PYG{o}{=} \PYG{o}{\PYGZhy{}}\PYG{n}{DGET\PYGZus{}TGT\PYGZus{}VIA\PYGZus{}PASSWD} \PYG{o}{\PYGZhy{}}\PYG{n}{DPRINC\PYGZus{}LOOK\PYGZus{}AHEAD} \PYG{o}{\PYGZhy{}}\PYG{n}{DCMD\PYGZus{}PATH}\PYG{o}{=}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{\PYGZdq{}}\PYG{l+s+s1}{/bin /usr/ucb /local/bin}\PYG{l+s+s1}{\PYGZdq{}}
 1910 \end{sphinxVerbatim}
 1911 
 1912 ksu should be owned by root and have the set user id bit turned on.
 1913 
 1914 ksu attempts to get a ticket for the end server just as Kerberized
 1915 telnet and rlogin do.  Thus, there must be an entry for the server in the
 1916 Kerberos database (e.g., \sphinxcode{host/nii.isi.edu@ISI.EDU}).  The keytab
 1917 file must be in an appropriate location.
 1918 
 1919 
 1920 \subsection{SIDE EFFECTS}
 1921 \label{\detokenize{user/user_commands/ksu:side-effects}}
 1922 ksu deletes all expired tickets from the source cache.
 1923 
 1924 
 1925 \subsection{AUTHOR OF KSU}
 1926 \label{\detokenize{user/user_commands/ksu:author-of-ksu}}
 1927 GENNADY (ARI) MEDVINSKY
 1928 
 1929 
 1930 \subsection{ENVIRONMENT}
 1931 \label{\detokenize{user/user_commands/ksu:environment}}
 1932 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 1933 variables.
 1934 
 1935 
 1936 \subsection{SEE ALSO}
 1937 \label{\detokenize{user/user_commands/ksu:see-also}}
 1938 {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}
 1939 
 1940 
 1941 \section{kswitch}
 1942 \label{\detokenize{user/user_commands/kswitch:kswitch-1}}\label{\detokenize{user/user_commands/kswitch:kswitch}}\label{\detokenize{user/user_commands/kswitch::doc}}
 1943 
 1944 \subsection{SYNOPSIS}
 1945 \label{\detokenize{user/user_commands/kswitch:synopsis}}
 1946 \sphinxstylestrong{kswitch}
 1947 \{\sphinxstylestrong{-c} \sphinxstyleemphasis{cachename}\textbar{}\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}\}
 1948 
 1949 
 1950 \subsection{DESCRIPTION}
 1951 \label{\detokenize{user/user_commands/kswitch:description}}
 1952 kswitch makes the specified credential cache the primary cache for the
 1953 collection, if a cache collection is available.
 1954 
 1955 
 1956 \subsection{OPTIONS}
 1957 \label{\detokenize{user/user_commands/kswitch:options}}\begin{description}
 1958 \item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{cachename}}] \leavevmode
 1959 Directly specifies the credential cache to be made primary.
 1960 
 1961 \item[{\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}}] \leavevmode
 1962 Causes the cache collection to be searched for a cache containing
 1963 credentials for \sphinxstyleemphasis{principal}.  If one is found, that cache is
 1964 made primary.
 1965 
 1966 \end{description}
 1967 
 1968 
 1969 \subsection{ENVIRONMENT}
 1970 \label{\detokenize{user/user_commands/kswitch:environment}}
 1971 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 1972 variables.
 1973 
 1974 
 1975 \subsection{FILES}
 1976 \label{\detokenize{user/user_commands/kswitch:files}}\begin{description}
 1977 \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
 1978 Default location of Kerberos 5 credentials cache
 1979 
 1980 \end{description}
 1981 
 1982 
 1983 \subsection{SEE ALSO}
 1984 \label{\detokenize{user/user_commands/kswitch:see-also}}
 1985 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}},
 1986 {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 1987 
 1988 
 1989 \section{kvno}
 1990 \label{\detokenize{user/user_commands/kvno:kvno-1}}\label{\detokenize{user/user_commands/kvno::doc}}\label{\detokenize{user/user_commands/kvno:kvno}}
 1991 
 1992 \subsection{SYNOPSIS}
 1993 \label{\detokenize{user/user_commands/kvno:synopsis}}
 1994 \sphinxstylestrong{kvno}
 1995 {[}\sphinxstylestrong{-c} \sphinxstyleemphasis{ccache}{]}
 1996 {[}\sphinxstylestrong{-e} \sphinxstyleemphasis{etype}{]}
 1997 {[}\sphinxstylestrong{-q}{]}
 1998 {[}\sphinxstylestrong{-h}{]}
 1999 {[}\sphinxstylestrong{-P}{]}
 2000 {[}\sphinxstylestrong{-S} \sphinxstyleemphasis{sname}{]}
 2001 {[}\sphinxstylestrong{-I} \sphinxstyleemphasis{for\_user}{]}
 2002 {[}\sphinxstylestrong{-U} \sphinxstyleemphasis{for\_user}{]}
 2003 {[}\sphinxstylestrong{-F} \sphinxstyleemphasis{cert\_file}{]}
 2004 {[}\sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}{]}
 2005 \sphinxstyleemphasis{service1 service2}
 2006 
 2007 
 2008 \subsection{DESCRIPTION}
 2009 \label{\detokenize{user/user_commands/kvno:description}}
 2010 kvno acquires a service ticket for the specified Kerberos principals
 2011 and prints out the key version numbers of each.
 2012 
 2013 
 2014 \subsection{OPTIONS}
 2015 \label{\detokenize{user/user_commands/kvno:options}}\begin{description}
 2016 \item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{ccache}}] \leavevmode
 2017 Specifies the name of a credentials cache to use (if not the
 2018 default)
 2019 
 2020 \item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{etype}}] \leavevmode
 2021 Specifies the enctype which will be requested for the session key
 2022 of all the services named on the command line.  This is useful in
 2023 certain backward compatibility situations.
 2024 
 2025 \item[{\sphinxstylestrong{-q}}] \leavevmode
 2026 Suppress printing output when successful.  If a service ticket
 2027 cannot be obtained, an error message will still be printed and
 2028 kvno will exit with nonzero status.
 2029 
 2030 \item[{\sphinxstylestrong{-h}}] \leavevmode
 2031 Prints a usage statement and exits.
 2032 
 2033 \item[{\sphinxstylestrong{-P}}] \leavevmode
 2034 Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are to be
 2035 treated as services for which credentials should be acquired using
 2036 constrained delegation.  This option is only valid when used in
 2037 conjunction with protocol transition.
 2038 
 2039 \item[{\sphinxstylestrong{-S} \sphinxstyleemphasis{sname}}] \leavevmode
 2040 Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are
 2041 interpreted as hostnames, and the service principals are to be
 2042 constructed from those hostnames and the service name \sphinxstyleemphasis{sname}.
 2043 The service hostnames will be canonicalized according to the usual
 2044 rules for constructing service principals.
 2045 
 2046 \item[{\sphinxstylestrong{-I} \sphinxstyleemphasis{for\_user}}] \leavevmode
 2047 Specifies that protocol transition (S4U2Self) is to be used to
 2048 acquire a ticket on behalf of \sphinxstyleemphasis{for\_user}.  If constrained
 2049 delegation is not requested, the service name must match the
 2050 credentials cache client principal.
 2051 
 2052 \item[{\sphinxstylestrong{-U} \sphinxstyleemphasis{for\_user}}] \leavevmode
 2053 Same as -I, but treats \sphinxstyleemphasis{for\_user} as an enterprise name.
 2054 
 2055 \item[{\sphinxstylestrong{-F} \sphinxstyleemphasis{cert\_file}}] \leavevmode
 2056 Specifies that protocol transition is to be used, identifying the
 2057 client principal with the X.509 certificate in \sphinxstyleemphasis{cert\_file}.  The
 2058 certificate file must be in PEM format.
 2059 
 2060 \item[{\sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}}] \leavevmode
 2061 Requests a user-to-user ticket.  \sphinxstyleemphasis{ccache} must contain a local
 2062 krbtgt ticket for the server principal.  The reported version
 2063 number will typically be 0, as the resulting ticket is not
 2064 encrypted in the server’s long-term key.
 2065 
 2066 \end{description}
 2067 
 2068 
 2069 \subsection{ENVIRONMENT}
 2070 \label{\detokenize{user/user_commands/kvno:environment}}
 2071 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 2072 variables.
 2073 
 2074 
 2075 \subsection{FILES}
 2076 \label{\detokenize{user/user_commands/kvno:files}}\begin{description}
 2077 \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode
 2078 Default location of the credentials cache
 2079 
 2080 \end{description}
 2081 
 2082 
 2083 \subsection{SEE ALSO}
 2084 \label{\detokenize{user/user_commands/kvno:see-also}}
 2085 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 2086 
 2087 
 2088 \section{sclient}
 2089 \label{\detokenize{user/user_commands/sclient:sclient}}\label{\detokenize{user/user_commands/sclient::doc}}\label{\detokenize{user/user_commands/sclient:sclient-1}}
 2090 
 2091 \subsection{SYNOPSIS}
 2092 \label{\detokenize{user/user_commands/sclient:synopsis}}
 2093 \sphinxstylestrong{sclient} \sphinxstyleemphasis{remotehost}
 2094 
 2095 
 2096 \subsection{DESCRIPTION}
 2097 \label{\detokenize{user/user_commands/sclient:description}}
 2098 sclient is a sample application, primarily useful for testing
 2099 purposes.  It contacts a sample server \DUrole{xref,std,std-ref}{sserver(8)} and
 2100 authenticates to it using Kerberos version 5 tickets, then displays
 2101 the server’s response.
 2102 
 2103 
 2104 \subsection{ENVIRONMENT}
 2105 \label{\detokenize{user/user_commands/sclient:environment}}
 2106 See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment
 2107 variables.
 2108 
 2109 
 2110 \subsection{SEE ALSO}
 2111 \label{\detokenize{user/user_commands/sclient:see-also}}
 2112 {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, \DUrole{xref,std,std-ref}{sserver(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}
 2113 
 2114 
 2115 
 2116 \renewcommand{\indexname}{Index}
 2117 \printindex
 2118 \end{document}