The kinit command is widely used to renew Kerberos tickets in Linux. This program authenticates the user with the Key Distribution Center (KDC). You can easily use the kinit command on Linux to register and certify a node in a network.
The kinit command securely authenticates nodes on an unsecured network for the Kerberos protocol. Kerberos protocol is an authentication protocol designed to provide strong encryption for client/server applications. Furthermore, the protocol implements a ticketing system that enables the nodes to prove their identity and communicate over the network.
In Linux, the kinit command is used for renewing a Kerberos ticket authentication system. However, you can only use the Kinit command once you register as a principal with the Key Distribution Center (KDC).
In this article, we will cover how to use the kinit command on Linux to authenticate a ticket on the Kerberos protocol. We will also highlight some syntax, examples, environment variables, and flags that you can use to renown, obtain or cache your tickets.
Prerequisite
For this tutorial, ensure that you have root access or sudo privilege. Also, ensure that the Kerberos protocol is installed on your system with all the required packages.
Syntax
The general syntax of the command looks like this:
kinit [-V verbose][ -l lifetime ] [ -r renewable_life ] [ -f ] [ -p ] [ -A ] [ -C ] [ E ] [ -s start_time ] [ -S target_service ] [ -k [ -t keytab_file ] ] [ -R ] [ -v ] [ -u ] [ -c cachename ] [ principal ] [ <assword ] [ help ]These flags and environment variables stand for the following:
V: display verbose outputl: requests tickets with the lifetime. Lifetime means the expiry time of a ticket, and it always comes before time delimiters such as s (seconds), m (minutes), h (hours), and d (days).s: requests postcard tickets that are valid at start timer: requests renewable ticketsp: fetches proxiable ticketsP: cannot request proxiable ticketsf: requests for forwardable ticketsF: does not request forwardable ticketsa: fetches tickets with local addressesA: fetches tickets without local addressesC: provides canonization of the principal nameE: changes the principal name into an enterprise namev: validate ticket-granting tickets through the KDC.R: renews ticket-granting ticketsk: fetches tickets from the host key tab filec: helps with anonymous processingS: specifies alternate service names for getting initial ticketsT: identifies the name of the cache that already has a ticket- principal: The principal name or the URL
- password: Kerberos password to the principal
- help: displays instructions related to the kinit command
The values of -s, -l, and -r are denoted in terms of ndnhnmns, where:
n: associates a numberd: represents the number of daysh: denotes hoursm: denotes the number of minutess: expresses the seconds
How to Use kinit Command on Linux
That’s all for the basic syntax of the command. Let’s look at how you can use the kinit command on Linux to fetch Kerberos authentication tickets.
1. Confirm if the kinit Tool is Installed on Linux
The first step is to confirm if the kinit exists on your Linux machine or not. If the Kerberos protocol was installed successfully, the kinit command would also exist in the system. For this step, press “Ctrl + Alt + T” to open the terminal and type the kinit command with the version flag. For example:
kinit –versionHowever, if the Kerberos is not installed on the machine, go to step 2. Otherwise, skip step 2 and continue to step 3.
2. Install Kerberos on Linux
Firstly, update the local machine to ensure that all packages are up to date. For this step, use the update command with apt repository. For instance:
sudo apt updateSecondly, install the Kerberos protocol on Linux. For this step, you will use the the install command.
For example:
sudo apt install krb5-userThe output should look something like this:
You will be prompted to enter the default Kerberos realm. Enter the common website domains. For example:
INF.ED.AC.UKYou should get a similar prompt:
Press the “Enter” key to continue. The installation will complete on its own.
3. Configure the krb5.conf File on Linux
Now that the kinit command exists in the system, we will move on to the next step. The next step is to configure the kbr5.conf file. This file consists of Kerberos configuration information such as the location of KDCs, environment variables, and mapping of hostnames. Generally, this file exists in the /etc directory. However, if it is not there, you can simply create it using your favorite text editor.
For example:
nano kbr5.confAlternatively, you can use the vim editor. For instance:
vim kbr5.confCorrespondingly, the default configurations for the file will look something like this:
Add the following content to the file:
[libdefaults]
default_realm = KENHINT.COM
[realms]
KENHINT.COM = {
Kdc= kenhint.net: 60088
}
[domain_realm]
.kenhint.com = KENHINT.COM
Kenhint.com = KENHINT.COM
Then press “Ctrl + S” to save the changes. Lastly, press “Ctrl + X” to exit the text editor.
Let’s look at the content of the kbr5.conf file:
default_realm: Identifies the default Kerberos realm for the client machinerealms: consists of the details of the local realm names. Each description in the realm tag defines the properties of realms mentioned in the libdefaults section.domain_realm: The domain_realm section provides a translation from a domain name to a Kerberos realm name for all the realms that exist in the libdefaults section.
4. Use kinit Command on Linux
Lastly, we will validate if the Kerberos server is running by fetching a ticket for one of the domains that exist in the Kerberos realm. Given the username, let’s fetch the ticket for the Kenhint user domain.
For example:
kinit [email protected]The command will prompt you to enter the password. Hence, type the password for the same domain and hit Enter key.
If it is successful, the command will not return any output.
5. View All Kerberos Tickets on Linux
To get a list of all the running tickets, use the klist command.
Input:
klistAlternatively, you can also use the kinit manual to learn how to modify the duration of your ticket, how long it can be renewed, and the options for forwarding and proxying the Kerberos tickets.
And that’s a wrap! The kinit command in Kerberos Linux consists of a wide variety of options. These options range from using SSH to configuring it as a single-sign-in option. You will also find it helpful to display the Kinit help menu whenever you experience a problem. For more details, checkout MIT Kinit Manual. We hope you found this article to be useful.
If this guide helped you, please share it.
