Provided by: krb5-user_1.21.3-4ubuntu2_amd64 bug

NAME
       kvno - print key version numbers of Kerberos principals


SYNOPSIS
       kvno  [-c  ccache]  [-e  etype]  [-k  keytab]  [-q]  [-u  |  -S  sname] [-P] [--cached-only] [--no-store]
       [--out-cache cache] [[{-F cert_file | {-I | -U} for_user} [-P]] | --u2u ccache] service1 service2 ...


DESCRIPTION
       kvno acquires a service ticket for the specified Kerberos principals  and  prints  out  the  key  version
       numbers of each.


OPTIONS
       -c ccache
              Specifies the name of a credentials cache to use (if not the default)

       -e etype
              Specifies the enctype which will be requested for the session key of all the services named on the
              command line.  This is useful in certain backward compatibility situations.

       -k keytab
              Decrypt the acquired tickets using keytab to confirm their validity.

       -q     Suppress  printing  output  when  successful.   If  a  service ticket cannot be obtained, an error
              message will still be printed and kvno will exit with nonzero status.

       -u     Use the unknown name type in requested service principal names.  This option Cannot be  used  with
              -S.

       -P     Specifies  that  the  service1  service2  ...   arguments  are to be treated as services for which
              credentials should be acquired using constrained delegation.  This option is only valid when  used
              in conjunction with protocol transition.

       -S sname
              Specifies  that  the service1 service2 ... arguments are interpreted as hostnames, and the service
              principals are to be constructed from those hostnames and the service  name  sname.   The  service
              hostnames will be canonicalized according to the usual rules for constructing service principals.

       -I for_user
              Specifies  that  protocol  transition  (S4U2Self)  is  to be used to acquire a ticket on behalf of
              for_user.  If constrained delegation is not requested, the service name must match the credentials
              cache client principal.

       -U for_user
              Same as -I, but treats for_user as an enterprise name.

       -F cert_file
              Specifies that protocol transition is to be used, identifying the client principal with the  X.509
              certificate in cert_file.  The certificate file must be in PEM format.

       --cached-only
              Only  retrieve  credentials  already  present  in  the cache, not from the KDC.  (Added in release
              1.19.)

       --no-store
              Do not store retrieved credentials in the cache.  If --out-cache is  also  specified,  credentials
              will still be stored into the output credential cache.  (Added in release 1.19.)

       --out-cache ccache
              Initialize  ccache and store all retrieved credentials into it.  Do not store acquired credentials
              in the input cache.  (Added in release 1.19.)

       --u2u ccache
              Requests a user-to-user ticket.  ccache  must  contain  a  local  krbtgt  ticket  for  the  server
              principal.   The  reported  version  number  will  typically  be 0, as the resulting ticket is not
              encrypted in the server's long-term key.


ENVIRONMENT
       See kerberos(7) for a description of Kerberos environment variables.


FILES
       FILE:/tmp/krb5cc_%{uid}
              Default location of the credentials cache


SEE ALSO
       kinit(1), kdestroy(1), kerberos(7)


AUTHOR
       MIT


COPYRIGHT
       1985-2024, MIT

1.21.3                                                                                                   KVNO(1)