kinit#

Initialise a Kerberos ticket-granting ticket (TGT).

Parameters:

usernamestr, optional

Name principal for Kerberos credential, will be prompted for if not given.

passwordstr, optional

Cleartext password of user for given realm, will be prompted for if not given.

Warning

Passing passwords in plain text presents a security risk, please consider using a Kerberos keytab file to store credentials.

realmstr, optional

Name of realm to authenticate against if not given as part of username. Defaults to 'default_realm'; see man krb5.conf(5).

keytabstr, Path, optional

Path to keytab file. If not given this will be read from the KRB5_KTNAME environment variable. See notes for more details.

ccachestr, Path, optional

Path to Kerberos credentials cache.

lifetimeint, optional

Desired liftime of the Kerberos credential (may not be respected by the underlying GSSAPI implementation); pass None to use the maximum permitted liftime (default).

This is currently not respected by MIT Kerberos (the most common GSSAPI implementation).

verbosebool, optional

DEPRECATED. This argument does nothing, instead of using verbose=True use logging to control output.

krb5ccnamestr, optional

DEPRECATED. This argument has been renamed to ccache.

Returns:

credsgssapi.Credentials: The acquired Kerberos credentials.

Notes

If a keytab is given, or is read from the KRB5_KTNAME environment variable, this will be used to guess the principal, if it contains only a single credential.

Examples

Example 1: standard user input, with password prompt:

>>> kinit('albert.einstein')
Password for albert.einstein@LIGO.ORG:
Kerberos ticket generated for albert.einstein@LIGO.ORG

Example 2: extract username and realm from keytab, and use that in authentication:

>>> kinit(keytab='~/.kerberos/ligo.org.keytab', verbose=True)
Kerberos ticket generated for albert.einstein@LIGO.ORG