# kinit-rs

**Repository Path**: awol2010ex/kinit-rs

## Basic Information

- **Project Name**: kinit-rs
- **Description**: A Rust implementation of kinit command for Kerberos authentication, with MIT-compatible CCACHE support
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2025-09-27
- **Last Updated**: 2025-09-27

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# kinit-rs

A Rust implementation of the Kerberos kinit command for obtaining and caching Kerberos ticket-granting tickets.

## Features

- **Password Authentication**: Authenticate using username/password
- **Keytab Authentication**: Authenticate using keytab files
- **Ticket Management**: Renew, validate, and destroy tickets
- **Credential Cache**: Support for multiple credential cache types
- **MIT Kerberos Compatible**: Full CCACHE v4 format compatibility
- **Flexible Configuration**: Support for krb5.conf configuration files
- **Cross-platform**: Works on Windows, Linux, and macOS

## Installation

```bash
cargo build --release
```

## Usage

### Basic Authentication

```bash
# Authenticate with password
./kinit user@EXAMPLE.COM

# Authenticate with keytab
./kinit -k /path/to/keytab user@EXAMPLE.COM
```

### Advanced Options

```bash
# Request forwardable tickets
./kinit -f user@EXAMPLE.COM

# Request renewable tickets
./kinit -r user@EXAMPLE.COM

# Specify custom credential cache
./kinit -c /tmp/mycache user@EXAMPLE.COM

# Specify custom configuration file
./kinit -C /etc/krb5.conf user@EXAMPLE.COM

# Set ticket lifetime
./kinit -l 1d user@EXAMPLE.COM  # 1 day
./kinit -l 8h user@EXAMPLE.COM  # 8 hours
```

### Ticket Management

```bash
# Renew existing ticket
./kinit renew user@EXAMPLE.COM

# Validate ticket
./kinit validate user@EXAMPLE.COM

# Destroy credential cache
./kinit destroy

# List credentials
./kinit list
```

## Configuration

The tool reads configuration from the standard Kerberos configuration file (`krb5.conf`). The default location varies by platform:

- **Linux**: `/etc/krb5.conf`
- **macOS**: `/etc/krb5.conf`
- **Windows**: `C:\ProgramData\Kerberos\krb5.conf`

### Sample krb5.conf

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    renewable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

## Environment Variables

- `USER`: Default username if principal not provided
- `KRB5_CONFIG`: Path to custom krb5.conf file
- `KRB5CCNAME`: Credential cache name

## Development

### Running Tests

```bash
# Run all tests
cargo test

# Run specific test with output
cargo test test_ccache_format_v4 -- --nocapture

# Run library tests only
cargo test --lib
```

### Running with Debug Output

```bash
RUST_LOG=debug ./kinit user@EXAMPLE.COM
```

## Architecture

The project is organized into several modules:

- **auth.rs**: Core authentication logic and CCACHE format implementation
- **config.rs**: Configuration file parsing
- **keytab.rs**: Keytab file handling
- **error.rs**: Error types and handling
- **lib.rs**: Public API and data structures
- **main.rs**: Command-line interface

### CCACHE Format Implementation

The credential cache implementation follows the MIT Kerberos CCACHE v4 specification:

- **Header**: 4-byte format (version + header length)
- **Principal**: Name type + component count + realm + components
- **Keyblock**: Encryption type + key length + key data
- **Credentials**: Client principal + server principal + keyblock + timestamps + flags + ticket data

## Recent Updates

### CCACHE Format Fix (Latest)

- **Fixed MIT Kerberos CCACHE v4 format compatibility**
- Corrected file header format (4-byte: version + header length)
- Fixed principal serialization with proper name type and component count
- Updated keyblock format with encryption type and 32-bit length prefix
- Uses actual KDC ticket data instead of manual ASN.1 construction
- Now fully compatible with standard Kerberos tools (klist, kdestroy, etc.)

See [CCACHE_FIX_SUMMARY.md](CCACHE_FIX_SUMMARY.md) for detailed technical changes.

## Limitations

- Currently implements basic functionality - some advanced Kerberos features are not yet implemented
- Keytab file format support is basic

## Contributing

Contributions are welcome! Please feel free to submit issues and pull requests.

## License

Apache License 2.0 - see [LICENSE](LICENSE) file for details.
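
## Added example: reading the CCACHE v4 header and default principal

The header and principal layout listed under "CCACHE Format Implementation", written as a bounds-checked reader that treats the cache file as untrusted input. This is an added example, not code from the kinit-rs repository; `Reader`, `parse_default_principal` and `SAMPLE` are hypothetical names, and the sample bytes are constructed.

```rust
/// Added example. Cursor over untrusted bytes: every read is bounds-checked.
struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    fn take(&mut self, n: usize) -> Result<&'a [u8], String> {
        let end = self.pos.checked_add(n).ok_or("length overflow")?;
        let buf: &'a [u8] = self.buf;
        let s = buf.get(self.pos..end).ok_or("truncated input")?;
        self.pos = end;
        Ok(s)
    }
    fn u16(&mut self) -> Result<u16, String> {
        let b = self.take(2)?;
        Ok(u16::from_be_bytes([b[0], b[1]]))
    }
    fn u32(&mut self) -> Result<u32, String> {
        let b = self.take(4)?;
        Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
    }
    /// Counted string: 32-bit big-endian length, then that many bytes.
    fn counted(&mut self) -> Result<String, String> {
        let n = self.u32()? as usize;
        String::from_utf8(self.take(n)?.to_vec()).map_err(|e| e.to_string())
    }
}

/// Returns (name_type, realm, components) of the cache's default principal.
fn parse_default_principal(data: &[u8]) -> Result<(u32, String, Vec<String>), String> {
    let mut r = Reader { buf: data, pos: 0 };
    // 4-byte header: 2-byte version (0x0504 for v4) + 2-byte header length.
    if r.u16()? != 0x0504 { return Err("not a CCACHE v4 file".into()); }
    let header_len = r.u16()? as usize;
    r.take(header_len)?; // skip the tagged header fields
    let name_type = r.u32()?;
    let count = r.u32()?; // file-controlled value: never pre-allocate from it
    let realm = r.counted()?;
    let mut components = Vec::new();
    // Each iteration must consume real bytes, so a huge count fails fast.
    for _ in 0..count { components.push(r.counted()?); }
    Ok((name_type, realm, components))
}

// Constructed sample: v4, empty header, name type 1, user@EXAMPLE.COM.
const SAMPLE: &[u8] = b"\x05\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\
\x00\x00\x00\x0bEXAMPLE.COM\x00\x00\x00\x04user";

fn main() { println!("{:?}", parse_default_principal(SAMPLE)); }
```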