.\" .\" $Header: /home/cvs.crypt/src/eBones/usr.bin/rkinit/rkinit.1,v 1.1.1.1 1995/09/16 10:48:39 mark Exp $ .\" $Source: /home/cvs.crypt/src/eBones/usr.bin/rkinit/rkinit.1,v $ .\" $Author: mark $ .\" .\" .TH RKINIT 1 "November 12, 1989" .UC 4 .SH NAME rkinit \- establish kerberos tickets safely on a remote host .SH SYNOPSIS .B rkinit [ host ] [ -p .B principal ] [ -l .B username ] [ -k .B kerberos_realm ] [ -f .B ticket_file ] [ -h .B remote_host ] [ -t .B ticket_lifetime ] [ .B \-notimeout ] A host name must be specified either as the first command line argument or following a \-h flag. If redundant command line arguments are given, the last one to appear takes precedence. .SH DESCRIPTION .I rkinit is a program that allows a user to establish kerberos tickets on a remote host registered for rlogin service. This can be done without the user's kerberos password ever leaving the client machine. In order to establish tickets remotely without the use of something like .I rkinit, one would have to log in to the remote host and run .IR kinit (1). .I rkinit followed by .I rlogin can be thought of as a safe substitute for .I rlogin followed .I kinit. .I rkinit uses the same access checking mechanism as .I rlogin. That means that .I rkinit can be used to create any tickets for user .I A on remote host .I B if and only if .IR A 's tickets would entitle a login to .I B. This means that one can create remote tickets for himself or for another user if he is in that user's .klogin file. .I rkinit understands the following command line options: .TP 4 .B \-p \fIprincipal\fR If .I principal, in the format .I name[.inst][@realm] is specified, the tickets created on the remote host will be the tickets indicated by the .I principal field. If this option is not given, the following defaults are used: If the user running .I rkinit does not have tickets on the client machine, .I rkinit will prompt for a password and behave effectively as if the user had invoked .I kinit on the specified remote host; i.e., the tickets established will be owned on the remote host by the user who invoked .I rkinit and will be for the local realm of the remote host. If the user running .I rkinit already has tickets, .I rkinit will prompt for a password and create tickets whose principal matches that of the tickets that the user already has. .TP .B \-l \fIusername\fR If .I username is specified, the ticket file on the remote host will be owned by the user .I username. If it is not specified, the tickets will be owned by the remote user whose login name matches that of the user invoking .I rkinit. .TP .B \-r \fIrealm\fR .I realm is used to tell .I rkinit what realm the remote host is in. This option should not usually have to be used since .I rkinit uses .IR krb_realmofhost (3) to determine the remote host's kerberos realm. Note that this is distinct from realm as specified in .I principal, which refers to the realm of the remote tickets. .TP .B \-f \fIticket_file\fR This option is used to specify the name of the ticket file that should be used on the remote host. Note that if you specify a location for the ticket file that is other than the default, you will have to set the environment variable KRBTKFILE to that filename once you get to the remote host in order for you to use the tickets. If a ticket file is not specified, the tickets will be placed in the default location as specified by .IR tkt_file (3). On a UNIX host, this is /tmp/tkt, where is the user id of the person who owns the remote ticket file. .TP .B \-h \fIremote_host\fR .I remote host is the host on which remote tickets are being obtained. This option can be used in place of specifying the host as the first command line argument. .TP .B \-t \fIticket_lifetime\fR .I ticket lifetime is the lifetime in minutes of the remote tickets. If it is not specified, the default ticket life time (as defined in krb.h) is used. .TP .B \-notimeout prevents the client from timing out. This is mainly useful only for debugging since the rkinit server also times out. .SH EXAMPLES In the following examples, .B tabetha and .B soup are machines in the .B ATHENA.MIT.EDU kerberos realm and .B local is a user who can log in to .B soup and has .B qjb.root@ATHENA.MIT.EDU in his .klogin file. % rkinit tabetha .br Kerberos initialization (tabetha) .br Password for qjb@ATHENA.MIT.EDU: .br % .br .br % rkinit soup -p qjb.root -l local .br Kerberos initialization (soup): tickets will be owned by local .br Password for qjb.root@ATHENA.MIT.EDU: .br % .SH SEE ALSO rkinitd(8), kerberos(1), kerberos(3), kinit(1) .SH AUTHOR Emanuel Jay Berkenbilt (MIT-Project Athena)