kinit Command on Linux

How to Use kinit Command on Linux

The kinit command is widely used to obtain and renew Kerberos tickets on Linux. This program authenticates the user to the Key Distribution Center (KDC) and stores the resulting ticket in a credentials cache. You can easily use the kinit command on Linux to authenticate a user or host (a Kerberos principal) to the rest of the network.

The kinit command performs the initial authentication step of the Kerberos protocol, which is designed to authenticate nodes securely over an untrusted network. Kerberos is an authentication protocol that uses strong cryptography to protect client/server applications. Furthermore, the protocol implements a ticketing system that enables the nodes to prove their identity to each other when they communicate over the network.

On Linux, the kinit command obtains and renews the tickets that the Kerberos authentication system relies on. However, you can only use the kinit command once you have been registered as a principal with the Key Distribution Center (KDC).

In this article, we will cover how to use the kinit command on Linux to obtain a Kerberos ticket. We will also highlight the syntax, examples, environment variables, and flags that you can use to renew, obtain, or cache your tickets.

Prerequisite

For this tutorial, ensure that you have root access or sudo privileges. Also, ensure that the Kerberos client packages are installed on your system with all the required dependencies.

Syntax

The general syntax of the command looks like this:

kinit [ -V ] [ -l lifetime ] [ -r renewable_life ] [ -f ] [ -p ] [ -A ] [ -C ] [ -E ] [ -s start_time ] [ -S target_service ] [ -k [ -t keytab_file ] ] [ -R ] [ -v ] [ -u ] [ -c cachename ] [ principal ] [ password ] [ help ]

These flags and environment variables stand for the following:

  • V: displays verbose output
  • l: requests tickets with the given lifetime. The lifetime is the expiry time of a ticket, written as a number followed by a time unit such as s (seconds), m (minutes), h (hours), or d (days).
  • s: requests postdated tickets that become valid at the given start time
  • r: requests renewable tickets with the given renewable life
  • p: requests proxiable tickets
  • P: does not request proxiable tickets
  • f: requests forwardable tickets
  • F: does not request forwardable tickets
  • a: requests tickets with local addresses
  • A: requests tickets without local addresses
  • C: requests canonicalization of the principal name
  • E: treats the principal name as an enterprise name
  • v: validates the ticket-granting ticket through the KDC
  • R: renews the ticket-granting ticket
  • k: obtains tickets using the key stored in the host keytab file (see -t keytab_file)
  • c: specifies the name of the credentials cache to use
  • S: specifies an alternate service name to use when getting initial tickets
  • T: specifies the name of a cache that already holds a ticket
  • principal: the principal name or the URL
  • password: the Kerberos password of the principal
  • help: displays usage instructions for the kinit command

The values of -s, -l, and -r are written in the form ndnhnmns (for example, 1d10h30m15s), where:

  • n: a number
  • d: represents days
  • h: represents hours
  • m: represents minutes
  • s: represents seconds

How to Use kinit Command on Linux

That’s all for the basic syntax of the command. Let’s look at how you can use the kinit command on Linux to fetch Kerberos authentication tickets.

1. Confirm if the kinit Tool is Installed on Linux

The first step is to confirm whether kinit exists on your Linux machine. If the Kerberos client packages were installed successfully, the kinit command will also exist on the system. For this step, press “Ctrl + Alt + T” to open the terminal and run the kinit command with the version flag. For example:

kinit --version

If Kerberos is not installed on the machine, go to step 2. Otherwise, skip step 2 and continue to step 3.

2. Install Kerberos on Linux

Firstly, update the local package index to ensure that all packages are up to date. For this step, use the update command of the apt package manager. For instance:

sudo apt update

Secondly, install the Kerberos client package on Linux. For this step, you will use the install command.

For example:

sudo apt install krb5-user

The output should look something like this:

(screenshot of the apt output while installing krb5-user)

You will be prompted to enter the default Kerberos realm. Enter the realm name for your site, which is conventionally the DNS domain written in uppercase. For example:

INF.ED.AC.UK

You should get a similar prompt:

(screenshot of the realm configuration prompt)

Press the “Enter” key to continue. The installation will complete on its own.

3. Configure the krb5.conf File on Linux

Now that the kinit command exists on the system, we will move on to the next step, which is to configure the krb5.conf file. This file holds Kerberos configuration information such as the location of the KDCs, default settings, and the mapping of hostnames to realms. Generally, this file lives in the /etc directory. However, if it is not there, you can simply create it using your favorite text editor.

For example:

sudo nano /etc/krb5.conf

Alternatively, you can use the vim editor. For instance:

sudo vim /etc/krb5.conf

The default contents of the file will look something like this:

(screenshot of the default krb5.conf file)

Add the following content to the file:

[libdefaults]
    default_realm = KENHINT.COM

[realms]
    KENHINT.COM = {
        kdc = kenhint.net:60088
    }

[domain_realm]
    .kenhint.com = KENHINT.COM
    kenhint.com = KENHINT.COM

Then press “Ctrl + S” to save the changes. Lastly, press “Ctrl + X” to exit the text editor.

Let’s look at the contents of the krb5.conf file:

  • default_realm: identifies the default Kerberos realm for the client machine
  • realms: lists the details of each realm, such as the address of its KDC. Each entry in the realms section defines the properties of a realm that is referred to in the libdefaults section.
  • domain_realm: provides a translation from a DNS domain name (or hostname) to a Kerberos realm name, so that hosts under kenhint.com are mapped to the KENHINT.COM realm.

4. Use kinit Command on Linux

Lastly, we will verify that the Kerberos server is reachable by fetching a ticket for a principal in the realm we configured. Given a username, let’s fetch a ticket for that user in the KENHINT.COM realm.

For example (replace user with your own principal name):

kinit user@KENHINT.COM

The command will prompt you to enter the password. Type the password of that principal and press Enter.

If it is successful, the command will not return any output. 

5. View All Kerberos Tickets on Linux

To list all the tickets currently held in your credentials cache, use the klist command.

Input:

klist

You can also consult the kinit manual page (man kinit) to learn how to modify the lifetime of your ticket, how long it can be renewed, and the options for forwardable and proxiable Kerberos tickets.
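The following POSIX shell helper is an added example and not code from the original article. It ties together the lifetime format from the Syntax section (ndnhnmns) and steps 4 and 5 above: it validates a lifetime string, then uses klist, kinit -R and kinit -k -t to keep a ticket valid for an unattended job without ever putting a password on the command line. The principal, keytab path, and lifetime arguments are assumptions, and awk plus MIT-style kinit/klist are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes a POSIX shell
# with awk, and MIT-style kinit/klist on PATH when krb_ensure_ticket is called.

# Convert a ticket lifetime written in the ndnhnmns form used by -l, -r and
# -s (for example "1d10h30m15s" or "8h") into seconds. Prints the number and
# returns 0, or prints nothing and returns 1 if the string is malformed.
krb_lifetime_seconds() {
  printf '%s\n' "$1" | awk '
    length($0) > 0 && /^([0-9]+d)?([0-9]+h)?([0-9]+m)?([0-9]+s)?$/ {
      total = 0; num = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[0-9]/) { num = num c; continue }
        if (c == "d")      total += num * 86400
        else if (c == "h") total += num * 3600
        else if (c == "m") total += num * 60
        else               total += num
        num = ""
      }
      print total; ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

# Keep a valid ticket for an unattended job without typing a password:
# 1. klist -s exits 0 if the cache already holds a valid, unexpired ticket;
# 2. otherwise kinit -R renews the existing TGT while its renewable life lasts;
# 3. only then obtain a fresh TGT from the keytab (-k -t) for the principal.
# Arguments: principal keytab_file [lifetime]; these names are assumptions.
krb_ensure_ticket() {
  principal=$1; keytab=$2; lifetime=${3:-10h}
  if ! krb_lifetime_seconds "$lifetime" >/dev/null; then
    echo "krb_ensure_ticket: bad lifetime '$lifetime'" >&2
    return 2
  fi
  if klist -s 2>/dev/null; then return 0; fi
  if kinit -R 2>/dev/null; then return 0; fi
  kinit -k -t "$keytab" -l "$lifetime" "$principal"
}
```

Run it from cron as, for example, krb_ensure_ticket backup/host.example.com /etc/krb5.keytab 8h (constructed values) so the job only falls back to the keytab when renewal is no longer possible.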

And that’s a wrap! The kinit command on Kerberos-enabled Linux systems offers a wide variety of options, ranging from use with SSH to configuring it as part of a single sign-on setup. You will also find it helpful to display the kinit help output whenever you run into a problem. For more details, check out the MIT kinit manual. We hope you found this article useful.
