KVNO(1) MIT Kerberos KVNO(1)
NAME
kvno - print key version numbers of Kerberos principals
SYNOPSIS
kvno [-c ccache] [-e etype] [-k keytab] [-q] [-u | -S sname] [-P]
[--cached-only] [--no-store] [--out-cache cache] [[{-F cert_file | {-I
| -U} for_user} [-P]] | --u2u ccache] service1 service2 ...
DESCRIPTION
kvno acquires a service ticket for the specified Kerberos principals
and prints out the key version numbers of each.
OPTIONS
-c ccache
Specifies the name of a credentials cache to use (if not the de-
fault)
-e etype
Specifies the enctype which will be requested for the session
key of all the services named on the command line. This is use-
ful in certain backward compatibility situations.
-k keytab
Decrypt the acquired tickets using keytab to confirm their va-
lidity.
-q Suppress printing output when successful. If a service ticket
cannot be obtained, an error message will still be printed and
kvno will exit with nonzero status.
-u Use the unknown name type in requested service principal names.
This option Cannot be used with -S.
-P Specifies that the service1 service2 ... arguments are to be
treated as services for which credentials should be acquired us-
ing constrained delegation. This option is only valid when used
in conjunction with protocol transition.
-S sname
Specifies that the service1 service2 ... arguments are inter-
preted as hostnames, and the service principals are to be con-
structed from those hostnames and the service name sname. The
service hostnames will be canonicalized according to the usual
rules for constructing service principals.
-I for_user
Specifies that protocol transition (S4U2Self) is to be used to
acquire a ticket on behalf of for_user. If constrained delega-
tion is not requested, the service name must match the creden-
tials cache client principal.
-U for_user
Same as -I, but treats for_user as an enterprise name.
-F cert_file
Specifies that protocol transition is to be used, identifying
the client principal with the X.509 certificate in cert_file.
The certificate file must be in PEM format.
--cached-only
Only retrieve credentials already present in the cache, not from
the KDC. (Added in release 1.19.)
--no-store
Do not store retrieved credentials in the cache. If --out-cache
is also specified, credentials will still be stored into the
output credential cache. (Added in release 1.19.)
--out-cache ccache
Initialize ccache and store all retrieved credentials into it.
Do not store acquired credentials in the input cache. (Added in
release 1.19.)
--u2u ccache
Requests a user-to-user ticket. ccache must contain a local
krbtgt ticket for the server principal. The reported version
number will typically be 0, as the resulting ticket is not en-
crypted in the server's long-term key.
ENVIRONMENT
See kerberos(7) for a description of Kerberos environment variables.
FILES
FILE:/tmp/krb5cc_%{uid}
Default location of the credentials cache
SEE ALSO
kinit(1), kdestroy(1), kerberos(7)
AUTHOR
MIT
COPYRIGHT
1985-2022, MIT
1.20.1 KVNO(1)
Generated by dwww version 1.15 on Sat Jun 22 12:22:22 CEST 2024.