klist - Linux


Overview

The klist command in Linux lists the tickets held in a Kerberos credential cache or the entries in a keytab file. It is mainly used for troubleshooting and for verifying that Kerberos authentication is working properly. It lets users and administrators confirm that their Kerberos tickets are valid and shows details about each ticket, such as its start and expiration times.

Syntax

The basic syntax for the klist command is as follows:

klist [-e] [-V] [-l] [-A] [-C] [-s] [-t] [-K] [[-c] [-f] [-a] [-n] [cache_name]] [[-k] [-t] [-K] [keytab_name]]

Where:

  • cache_name refers to the named ticket cache.
  • keytab_name refers to the name of the keytab file to view.

Options/Flags

  • -e: Lists the encryption types of the session key and the ticket for each credential.
  • -V: Displays the version of the command.
  • -l: Lists valid ticket caches in the default credentials cache collection.
  • -A: Lists all credential caches in the default credentials cache collection.
  • -C: Shows configuration data for each cache.
  • -s: Runs silently (produces output only if there are problems with the cache).
  • -t: Checks if the credentials cache is valid (i.e., it has unexpired tickets).
  • -K: Displays the value of the encryption key in each keytab entry.
  • -c: Specifies a credentials cache (the default if neither -c nor -k is given).
  • -f: Shows the flags present in the credentials, such as pre-authenticated, forwarded, etc.
  • -a: Displays addresses in the tickets.
  • -n: Shows numeric addresses instead of trying to resolve them into names.

Examples

  • Basic Usage: Display the default ticket cache:

    klist
    
  • Specify a Cache: View a specific cache file:

    klist -c /tmp/krb5cc_1000
    
  • View Keytab Contents: Examine the contents of a keytab:

    klist -k /etc/krb5.keytab
    
  • Check Ticket Validity: Quickly verify that tickets in the cache are still valid:

    klist -s
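
The -k and -e options combine into a quick audit of which encryption types a keytab still carries. The script below is an added example, not part of the original page: it parses `klist -k -e` output in the MIT Kerberos layout and flags single-DES, triple-DES and RC4 keys. The sample output, principals and function names are constructed for illustration.

```sh
#!/bin/sh
# Flag keytab entries whose keys use deprecated encryption types.
# Input format: what `klist -k -e <keytab>` prints (MIT Kerberos layout).

# Constructed sample output; the principals and realm are made up.
SAMPLE_KLIST_KE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/app01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/app01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/app01.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   2 HTTP/app01.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 HTTP/app01.example.com@EXAMPLE.COM (des-cbc-md5)'

# weak_keytab_entries (hypothetical helper): read klist -k -e output on
# stdin and print "kvno principal enctype" for every weak entry.
# Exit status is 1 if any weak entry was found, 0 otherwise.
weak_keytab_entries() {
    awk '
        # Entry lines start with a numeric KVNO and end with "(enctype)".
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            etype = substr($NF, 2, length($NF) - 2)
            # Some MIT krb5 releases mark deprecated types with this prefix.
            sub(/^DEPRECATED:/, "", etype)
            # Single DES, triple DES and RC4 (RFC 6649, RFC 8429).
            if (etype ~ /^(des|des3|arcfour|rc4)-/) {
                print $1, $2, etype
                weak = 1
            }
        }
        END { exit weak ? 1 : 0 }
    '
}

# Number of weak entries in the constructed sample.
count_weak_in_sample() {
    printf '%s\n' "$SAMPLE_KLIST_KE" | weak_keytab_entries | wc -l | tr -d ' '
}

# Demo on the sample; on a real host pipe in: klist -k -e /etc/krb5.keytab
printf '%s\n' "$SAMPLE_KLIST_KE" | weak_keytab_entries || echo "weak enctypes present" >&2
```

Because the function exits non-zero when it finds a weak key, it can gate a configuration check the same way `klist -s` gates a ticket check.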
    

Common Issues

  • Expired Tickets: Users often encounter issues with expired tickets. Running klist can verify ticket validity. To refresh credentials, use kinit.
  • Permission Errors: Accessing caches or keytabs might require elevated permissions. Use sudo if needed.

Integration

klist is often used together with other Kerberos tools such as kinit and kdestroy to manage the start and end of sessions. For scripting and automation, the output or exit status of klist can be used to analyze the cache or trigger other actions:

    # Obtain a new ticket if the cache holds no valid one
    klist -s || kinit

Related Commands

  • kinit: Obtains and caches Kerberos ticket-granting tickets.
  • kdestroy: Deletes Kerberos credentials.
  • kpasswd: Changes a user's Kerberos password.

For more information, consult the Kerberos documentation.