Managing your Kerberos Credentials Cache

Kerberos keeps track of your identity by issuing tickets for various services in your name. These tickets are kept in a "credentials cache". If you log into a Configured Workstation at the console, the cache is managed for you automatically. If you log into a Configured Workstation remotely (e.g. with ssh public key authentication) or are using CAL services from a machine that is not a Configured Workstation but has the krb5 libraries installed, you'll need to initialize and tear down the cache yourself before using Kerberos or GSSAPI services.

Initializing the credentials cache

Here's an example of dkg examining an empty kerberos credentials cache, initializing it, and examining it again:

[0 dkg@kalyke ~]$ klist -5
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2001)
[1 dkg@kalyke ~]$ kinit 
Password for dkg@ASTRO.COLUMBIA.EDU: 
[0 dkg@kalyke ~]$ klist -5
Ticket cache: FILE:/tmp/krb5cc_2001
Default principal: dkg@ASTRO.COLUMBIA.EDU

Valid starting     Expires            Service principal
07/25/06 15:09:35  07/26/06 01:09:35  krbtgt/ASTRO.COLUMBIA.EDU@ASTRO.COLUMBIA.EDU
	renew until 07/26/06 15:09:32
[0 dkg@kalyke ~]$ 

Clearing the credentials cache

If you are sure you no longer need your credentials, you will probably want to remove them for safety:

[0 dkg@kalyke ~]$ kdestroy
[0 dkg@kalyke ~]$ klist -5
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2001)
[1 dkg@kalyke ~]$