Kinit command explained

The Kinit command retrieves or extends a granting ticket in the Kerberos authentication protocol. This means that it’s an important part of the authentication service in that it provides an increased level of privacy and cyber security, mainly in poorly secured computer networks. Using practical examples, we’ll dive into the syntax of the command and show you what options it provides in conjunction with Kerberos.

$1 Domain Names – Register yours today!
  • Simple registration
  • Premium TLDs at great prices
  • 24/7 personal consultant included
  • Free privacy protection for eligible domains

What is a Kinit command and why is it used?

To apply the Kinit command properly, you first need to understand its role in the security protocol. Kerberos is a standard authorization technology that, just like NTLM, is also a network protocol that belongs to the family of Internet protocols (IPs). Both security protocols use TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) for the transfer of data.

Tip

Do you want to find out how TCP and IP work together? We explore the topic in our article on TCP/IP.

Unlike NTLM, Kerberos uses a third party to verify a user, so it adds an additional layer of security. In addition to the client and the hosting server, there is also an authentication server or ticket-granting server (together they form the KDC or Key Distribution Center). Here, a TGT (Ticket Granting Ticket) is issued to the client upon request and after successful verification. This service ticket determines how long the user has access to certain data.

In this process, the Kinit command plays an important role. It is used to retrieve the Ticket Granting Ticket or to extend it if it has already expired. In the next section we’ll explore what the syntax of the Kinit command looks like and what options are available to you when using it.

Tip

As technologies like artificial intelligence advance, cyber-attacks are also becoming more sophisticated. Back up your important data using IONOS’ HiDrive cloud storage solution and rely on state-of-the-art security.

Kinit command: syntax and options

Below you can see the syntax of the Kinit command and a breakdown of each variable or flag.

kinit [ -l lifetime ] [ -r renewable_life ] [ -f ] [ -p ] [ -A ] [ -s start_time ] [ -S target_service ] [ -k [ -t keytab_file ] ] [ -R ] [ -v ] [ -u ] [ -c cachename ] [ principal ]
Element Explanation
-A This specifies that the ticket includes a list of client addresses. If not specified, the ticket includes the local host address list. However, if your initial ticket includes a specific address list, then usage is limited to the addresses that are included in the address list.
-c This is the cache name. The -c flag is used to specify which cache should be used for credentials. If this flag is missing, then the default cache is simply used.
-f Specify this flag if the respective ticket should be forwarded. If -f is missing, then it cannot be forwarded.
-k This states that the key for a ticket principal is retrieved from a key table. If this flag is missing, then the user is prompted to enter the password manually.
-l* This specifies the lifetime i.e. how long a ticket should be valid. By default, a ticket is invalid after ten hours and must then be renewed.
-p Allows you to specify that the ticket should be proxy-enabled.
principal This specifies the respective ticket principal. Without this flag, the principal is retrieved from the credential cache.
-r* This stands for the renewable life. The new validity must always be outside the original end time. If you do not specify -r, the ticket cannot be renewed.
-R Here you specify whether an existing ticket should be renewed.
-s* Use this flag to specify that a ticket should be backdated with a specific start time.
-S This represents the target service to be used when retrieving the ticket.
-t This stands for cipher key file or indicates which key file should be used instead of the default key file.
-v The TGT in the cache should be passed to the Key Distribution Center for validation.
-u Specifies that Kinit should create a credential cache file so that the process can be uniquely identified.
* You should always specify these flags in this format: ndnhnmns. Where n stands for a number, d for day, h for hour, m for minute and s for second.
Note

A command with -p allows you to connect a service with a different IP address, then you can read our article on the topic. If you’d like to know how you can find your IP address, then you can read our article on the topic.

Kinit command: example

Imagine you want to generate a TGT with a validity of nine hours, renewed for six days. According to Kinit syntax, the command would look like this:

kinit -l 9h  -r  6d  my_principal

The next command requests a TGT for the specified principal that expires in one hour but can be extended for up to ten hours. Remember that you can renew only one ticket before it expires. The renewed ticket can be renewed again within ten hours of its initial request.

kinit -R user@example.com
Tip

Encryption technologies like Kerberos are important to ensure that your data never falls into the wrong hands. If you want your own domain from IONOS or are looking to rent an IONOS server, then IONOS can offer encrypted data exchange that complies with current security standards, e.g. through the SSL wildcard certificate.

MyDefender
Easy cyber security
  • Ransomware attack protection
  • Regular virus and malware scans
  • Automatic backups and simple file recovery
Was this article helpful?
We use cookies on our website to provide you with the best possible user experience. By continuing to use our website or services, you agree to their use. More Information.
Page top