‘kinit’ is a command-line utility included in the Kerberos V5 distribution, and it allows a user (a client) to establish a Kerberos authenticated session by obtaining a ticket-granting ticket (TGT) from the Key Distribution Center (KDC). For people new to the world of Linux and Kerberos, these terms can sound quite alien. Do not worry, though. We will discuss each of these concepts in detail as we go through this post.
The world of Kerberos
Before we dive into ‘kinit’, it would be a good idea to understand what Kerberos is. Kerberos is a network authentication protocol that uses tickets to allow nodes to prove their identity over a non-secure network, in a secure manner. One thing I like about Kerberos is that it uses symmetric key cryptography, meaning that it uses the same key to both encrypt and decrypt a message. What I do not like is that setting it up can be a bit of a challenge, especially for a beginner. But with the help of guides and tutorials, you would find it much easier.
The kinit command in action
In order to better understand how the ‘kinit’ command works, let’s see it in action. Assume that we have a client machine that wants to communicate with a server within a Kerberized environment. The first step to establishing this secure communication is to initiate a Kerberos authenticated session. This is where the ‘kinit’ command enters the scene.
You would obtain a ticket by using the ‘kinit’ command, followed by the username of the Kerberos principal you wish to authenticate as. If you have gone with a default installation of Kerberos, your principal would typically be your username.
Here is what that looks like:
$ kinit your_username
Password for your_username@YOUR_REALM:
After running this command, you would be prompted to enter your password. Upon successful authentication, a ticket-granting ticket (TGT) would be issued and stored in a credentials cache on your local machine. This marks the commencement of your Kerberos authenticated session. Your machine can now request service tickets for any Kerberized services you want to use, without requiring you to re-enter your password.
To confirm that you have a valid TGT, you can use the ‘klist’ command. This command displays all the tickets in your credentials cache, including your TGT.
Here’s how you can do that:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: your_username@YOUR_REALM

Valid starting       Expires              Service principal
07/19/23 10:10:10    07/19/23 20:10:10    krbtgt/YOUR_REALM@YOUR_REALM
In the output above, you can see your Kerberos ticket details, including the starting and expiry times, along with the Service principal.
Exploring more options
The ‘kinit’ command comes with several options that can make your life easier. One such option that I particularly like is the ‘-l’ (lifetime) option. This allows you to specify the lifetime of the ticket. For example, if you want a ticket that lasts for 1 hour, you could use:
$ kinit -l 1h username
One thing that I do not like, however, is that the maximum lifetime of a ticket is determined by the Kerberos policy, and you cannot exceed this limit. But I understand that this is necessary for security reasons.
Pro tips on kinit command usage
Now that you have a good understanding of how the ‘kinit’ command works, here are a few pro tips that I’ve gathered over the years:
Use keytabs: Keytabs are files that contain one or more Kerberos keys. They allow you to use ‘kinit’ without having to enter your password. This is especially useful for scripts and services. To use a keytab, pass the ‘-k’ option together with ‘-t’ followed by the path to the keytab file:
$ kinit -k -t /path/to/keytab username
Renew your tickets: If your TGT is about to expire but you still need it, you can renew it using the ‘-R’ option. This only works if the ticket was requested as renewable (the ‘-r’ option sets the renewable lifetime) and that renewable lifetime has not yet run out:
$ kinit -R
Be mindful of your cache: Kerberos tickets are stored in a credentials cache. You can specify a different cache using the ‘-c’ option. Also, remember that if your cache gets too large, it may slow down your system.
$ kinit -c /tmp/mycache username
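Putting the keytab, renewal and cache tips together, here is an added example (not from the original post) of a small POSIX shell script for an unattended job. The principal, keytab path and cache location are placeholders, and it assumes MIT Kerberos, whose ‘klist -s’ reports through its exit status whether the cache holds an unexpired ticket.

```shell
#!/bin/sh
# Added example, not from the original post: keep a service principal's TGT
# valid from a cron job using the keytab, renew and cache options above.
# Placeholder values: principal, keytab path, cache. Assumes MIT Kerberos
# ('klist -s' exits 0 only when the cache holds an unexpired ticket).
set -eu

PRINCIPAL="${PRINCIPAL:-svc_backup@YOUR_REALM}"          # placeholder
KEYTAB="${KEYTAB:-/etc/krb5/svc_backup.keytab}"          # placeholder
# A private cache so the job never clobbers a human user's /tmp/krb5cc_<uid>.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/var/lib/svc_backup/krb5cc}"  # placeholder

# A keytab is equivalent to the principal's password: refuse one that any
# other local user can read. Uses POSIX find, so it works on Linux and BSD.
check_keytab_perms() {
    [ -f "$1" ] || { echo "keytab not found: $1" >&2; return 1; }
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "keytab $1 is group- or world-readable; expected mode 0600" >&2
        return 1
    fi
}

# Exit status only: 0 when an unexpired ticket is already in the cache.
have_valid_tgt() {
    klist -s
}

# Prefer renewing in place (kinit -R); that fails when the ticket was not
# obtained as renewable or its renewable life is used up, so fall back to a
# fresh keytab login. Prints which path was taken.
ensure_tgt() {
    if have_valid_tgt && kinit -R 2>/dev/null; then
        echo "renewed"
        return 0
    fi
    if kinit -k -t "$KEYTAB" "$PRINCIPAL" 2>/dev/null; then
        echo "fresh"
        return 0
    fi
    echo "could not obtain a TGT for $PRINCIPAL" >&2
    return 1
}

# Run the full procedure only when invoked as 'script.sh run', so the file
# can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    check_keytab_perms "$KEYTAB"
    ensure_tgt
fi
```

Run it from cron as ‘script.sh run’ shortly before the ticket lifetime from ‘kinit -l’ would elapse, and point the job's other Kerberized tools at the same KRB5CCNAME.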
Final thoughts
Understanding the ‘kinit’ command and its usage in a Kerberos setup can significantly improve your experience when dealing with Kerberized services. It can seem complex initially, but trust me, it is one of those things that seem difficult until you actually get your hands dirty and start playing around with it. Once you get the hang of it, it becomes second nature.
I hope that you found this guide helpful. As always, if you have any questions or if you would like to share your experiences with ‘kinit’, feel free to leave a comment below.
2 comments
thanks
Thank you!
But there is one aspect missing… on the pro tips, you explain how to use keytab files in order to avoid entering the password for batch purposes, for example.
BUT you don’t explain how to create such a keytab file. Could you add that aspect too?
Thanks!