Get a TGT for the principal 'fred@EXAMPLE.COM', with the password 'test', and put that TGT into the default credential cache. Use verbose output so that the credential cache file is known:
$ jkinit -V fred@EXAMPLE.COM test
## Requesting ticket for service krbtgt/EXAMPLE.COM by principal fred@EXAMPLE.COM
## Storing ticket in cache FILE:/tmp/krb5cc_1062
Get a TGT for the principal in the default credential cache:
$ jkinit -verbose
## Using credential cache FILE:/tmp/krb5cc_1062
## Requesting ticket for service krbtgt/EXAMPLE.COM by principal fred@EXAMPLE.COM
Password for fred@EXAMPLE.COM: ****
## Storing ticket in cache FILE:/tmp/krb5cc_1062
Get a TGT for the principal 'fred@EXAMPLE.COM', and put that TGT into the credential cache 'fred.ccache':
$ jkinit -c fred.ccache -verbose fred@EXAMPLE.COM
## Using credential cache FILE:/home/fred/freddo.ccache
## Requesting ticket for service krbtgt/EXAMPLE.COM by principal fred@EXAMPLE.COM
Password for fred@EXAMPLE.COM: ****
## Storing ticket in cache FILE:/home/fred/fred.ccache
Get a TGT for the principal 'barney@EXAMPLE.COM', using the keytab /home/barney/barney.kt:
$ jkinit -k -t /home/barney/barney.kt -verbose barney@EXAMPLE.COM
## Using credential cache FILE:/tmp/krb5cc_2000
## Requesting ticket for service krbtgt/EXAMPLE.COM by principal barney@EXAMPLE.COM
The jklist tool is used to display the contents of credential caches and keytabs including the key encryption types, the ticket flags, principal name, or session keys held by the current user.
The following information about the credentials cache is listed:
Additional cache information may be displayed using the -a, -n, -e, and -f options.
The following information about the keytab is listed:
for each key in the keytab:
Additional keytab information may be displayed using the -K, -t, and -e options.
jklist [[-c][-e][-f][-a [-n]]] [-k [-t][-K]] [-help][-debug][-verbose] [<filename>]
The <filename> represents the name of a keytab if the -k option is specified, and the name of a credential cache if the -c option is specified.
If neither the -c nor the -k options are specified, the -c option is assumed as the default.
If <filename> is not present, the location of the credential cache or keytab is determined dynamically.
The following options are supported:
Option | Description
--- | ---
-e | Displays the encryption type of the session key for each credential in the credential cache, or for each key in the keytab file.
-c | Displays the credentials of a cache. This is the default if neither -c nor -k options are specified. If no filename is specified, the cache is located as follows:
For Windows-based systems, the default keytab location is:
${user.home}\krb5.keytab
For UNIX-based systems, the default keytab locations are:
${user.home}/krb5.keytab
/etc/krb5.keytab
where ${user.home} is the user's home directory.
Option | Description
--- | ---
-a | Display the addresses listed in the credential.
-n | Shows numeric IP addresses instead of reverse-resolving addresses. Only valid with -a option.
-f | Display the flags in the credential, with the following abbreviations: “F” - forwardable, “f” - forwarded, “P” - proxiable, “p” - proxy, “D” - post-dateable, “d” - post-dated, “R” - renewable, “I” - initial, “i” - invalid
-k | Display the keys of a keytab.
-t | Display timestamp for each entry in the keytab.
-K | Display encryption key value for each entry in the keytab.
-help | Print help about jklist usage and exit.
-verbose | Show verbose output.
-debug | Show debug output. This shall include verbose output.
Display the default credentials cache:
$ jklist
Ticket cache: FILE:/tmp/krb5cc_1062
Default principal: fred@EXAMPLE.COM
Valid starting Expires Service Principal
08/31/2004 12:57:35 08/31/2004 13:57:35 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Display the credential cache fred.ccache:
$ jklist fred.ccache
Ticket cache: FILE:/home/fred/fred.ccache
Default principal: fred@EXAMPLE.COM
Valid starting Expires Service Principal
08/31/2004 14:14:02 08/31/2004 15:14:02 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Display the credential cache fred.ccache, including encryption types, ticket flags, and unresolved addresses:
$ jklist -f -a -n
Ticket cache: FILE:/tmp/krb5cc_1062
Default principal: fred@EXAMPLE.COM
Valid starting Expires Service Principal
08/31/2004 14:14:02 08/31/2004 15:14:02 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Flags: IA
Addresses: puffin.example.com
Display the default keytab:
$ jklist -k
Keytab name: FILE:/home/fred/krb5.keytab
KVNO Principal
---- --------------------
255 fred@EXAMPLE.COM
Display the keytab fred.kt:
$ jklist -k fred.kt
Keytab name: FILE:freddo.kt
KVNO Principal
---- --------------------
255 fred@EXAMPLE.COM
Display the default keytab, including encryption types, timestamps and key values:
$ jklist -k -t -K -e
Keytab name: FILE:/home/fred/krb5.keytab
KVNO Timestamp Principal EncType Key
---- ------------------- -------------------- -----------
255 08/31/2004 14:17:06 fred@EXAMPLE.COM des-cbc-crc 75B65ED67C0843B9
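An added example, not part of the original documentation or the product: a shell function that reads a keytab listing in the layout shown above and reports entries that use DES or RC4 encryption types, without ever echoing the Key column. The sample listing is constructed, the function names are hypothetical, and treating the des-cbc-* and rc4-hmac types as weak is this example's policy rather than something the page states.

```shell
#!/bin/sh
# Enctype names as spelled on this page; which ones count as weak is an
# assumption (policy) of this example.
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 rc4-hmac'

# audit_keytab_listing: read a keytab listing on stdin and print one
# "WEAK kvno=<n> <principal> <enctype>" line per weak entry.
# Returns 1 if any weak entry was found, 0 otherwise.
# Assumes entry rows start with a numeric KVNO, as in the listing above.
audit_keytab_listing() {
    awk -v weak="$WEAK_ENCTYPES" '
        BEGIN {
            n = split(weak, w, " ")
            for (i = 1; i <= n; i++) isweak[w[i]] = 1
        }
        # Header and ruler lines do not start with a number, so they are skipped.
        $1 ~ /^[0-9]+$/ {
            princ = ""; etype = ""
            for (i = 2; i <= NF; i++) {
                if (princ == "" && $i ~ /@/) princ = $i
                else if ($i in isweak) etype = $i
            }
            # Only KVNO, principal and enctype are printed; a Key column
            # (present when the listing was taken with -K) is never copied.
            if (etype != "") {
                printf "WEAK kvno=%s %s %s\n", $1, princ, etype
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample in the column layout of the keytab listing above.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/home/fred/krb5.keytab
KVNO Timestamp           Principal            EncType
---- ------------------- -------------------- -----------
 255 08/31/2004 14:17:06 fred@EXAMPLE.COM des-cbc-crc
 256 09/01/2004 09:00:00 fred@EXAMPLE.COM aes256-sha1
   3 09/01/2004 09:05:00 host/puffin.example.com@EXAMPLE.COM rc4-hmac
EOF
}

# Demo on the sample; on a host the input would be: jklist -k -e
sample_listing | audit_keytab_listing || echo "weak encryption types present"
```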
The jktutil tool allows the user to create keytab entries specifying the principal name, encryption type and key version number. The entries can then be saved or appended to a keytab file. jktutil can also read and write keytab files, which enables merging of keytabs and their entries, and can list the current set of keys.
jktutil [-help][-verbose][-debug]
The following options are supported:
Option | Description
--- | ---
-verbose | Show verbose output.
-debug | Show debug output (includes '
-help | Show help screen and exit.
Once the jktutil application has started, the user is presented with a prompt, at which commands are entered:
jktutil (type '?' for help):
The following commands are supported by jktutil (note that some commands may have more than one name):
Command | Description
--- | ---
list <filename> | List the available entries. May use the letter l as an alias for list. Initially, there are zero entries. Entries are added by creating new entries (via the add_entry command), or by reading a keytab (via the read_kt command).
clear_list | Clear the list. May use clear as an alias for clear_list.
read_kt <filename> | Read keys from the specified keytab file and add them to the list. May use rkt as an alias for read_kt.
write_kt [-a\|-o] <filename> | Write the entries in the list to the specified keytab file. May use wkt as an alias for write_kt. The options for the write_kt command are as follows: -a: Append entries to the end of the keytab file, if the keytab file already exists. This is the default option. -o: Overwrite the keytab file with the entries in the list. In either case, the list remains unchanged.
delete_entry <slot> | Delete the entry at the specified slot from the list. May use delent as an alias for delete_entry. Entries are numbered from 1.
add_entry (-key \| -password) -p <principal> -k <kvno> -e <enctype> | Add an entry to the list. May use addent as an alias for add_entry. The options for the add_entry command are: -key: Specify a key value via command line. -password: Specify a password via command line. <principal>: The principal, in the form 'name@realm'. <kvno>: The key version number. <enctype>: The encryption type. Supported values are: des-cbc-crc, des3-hmac-sha1, des-cbc-md4, des-cbc-md5, rc4-hmac, aes256-sha1, aes128-sha1. The new entry is added to the end of the current list.
list_requests | List the available commands. May use lr or ? as an alias for list_requests.
help_command <command_name> | Get help for the specified command name. May use hc as an alias for help_command.
quit | Quit the application. May use exit or q as an alias for quit.