kvno - print key version numbers of Kerberos principals
kvno [
-c ccache] [
-e etype] [
-k
keytab] [
-q] [
-u |
-S sname] [
-P]
[
--cached-only] [
--no-store] [
--out-cache
cache] [[{
-F cert_file | {
-I |
-U}
for_user} [
-P]] |
--u2u ccache]
service1
service2 ...
kvno acquires a service ticket for the specified Kerberos principals and prints
out the key version numbers of each.
-
-c ccache
- Specifies the name of a credentials cache to use (if not
the default)
-
-e etype
- Specifies the enctype which will be requested for the
session key of all the services named on the command line. This is useful
in certain backward compatibility situations.
-
-k keytab
- Decrypt the acquired tickets using keytab to confirm
their validity.
- -q
- Suppress printing output when successful. If a service
ticket cannot be obtained, an error message will still be printed and kvno
will exit with nonzero status.
- -u
- Use the unknown name type in requested service principal
names. This option Cannot be used with -S.
- -P
- Specifies that the service1 service2 ... arguments
are to be treated as services for which credentials should be acquired
using constrained delegation. This option is only valid when used in
conjunction with protocol transition.
-
-S sname
- Specifies that the service1 service2 ... arguments
are interpreted as hostnames, and the service principals are to be
constructed from those hostnames and the service name sname. The
service hostnames will be canonicalized according to the usual rules for
constructing service principals.
-
-I for_user
- Specifies that protocol transition (S4U2Self) is to be used
to acquire a ticket on behalf of for_user. If constrained
delegation is not requested, the service name must match the credentials
cache client principal.
-
-U for_user
- Same as -I, but treats for_user as an enterprise
name.
-
-F cert_file
- Specifies that protocol transition is to be used,
identifying the client principal with the X.509 certificate in
cert_file. The certificate file must be in PEM format.
- --cached-only
- Only retrieve credentials already present in the cache, not
from the KDC. (Added in release 1.19.)
- --no-store
- Do not store retrieved credentials in the cache. If
--out-cache is also specified, credentials will still be stored
into the output credential cache. (Added in release 1.19.)
-
--out-cache ccache
- Initialize ccache and store all retrieved
credentials into it. Do not store acquired credentials in the input cache.
(Added in release 1.19.)
-
--u2u ccache
- Requests a user-to-user ticket. ccache must contain
a local krbtgt ticket for the server principal. The reported version
number will typically be 0, as the resulting ticket is not encrypted in
the server's long-term key.
See
kerberos(7) for a description of Kerberos environment variables.
- FILE:/tmp/krb5cc_%{uid}
- Default location of the credentials cache
kinit(1),
kdestroy(1),
kerberos(7)
MIT
1985-2022, MIT