Kerberos - klist

About

The klist utility display the entries (tickets,..) in the local credentials cache and key table.

Articles Related

Installation

Java

Usage: klist [[-c] [-f] [-e] [-a [-n]]] [-k [-t] [-K]] [name]
   name  name of credentials cache or  keytab with the prefix. File-based cache or keytab's prefix is FILE:.
   -c specifies that credential cache is to be listed
   -k specifies that key tab is to be listed
   options for credentials caches:
        -f       shows credentials flags
        -e       shows the encryption type
        -a       shows addresses
          -n       do not reverse-resolve addresses
   options for keytabs:
        -t       shows keytab entry timestamps
        -K       shows keytab entry key value
        -e       shows keytab entry key type

Usage: java sun.security.krb5.tools.Klist -help for help.

MIT kerberos

With MIT kerberos

Usage: klist [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
        -c specifies credentials cache
        -k specifies keytab
           (Default is credentials cache)
        -i uses default client keytab if no name given
        -l lists credential caches in collection
        -A shows content of all credential caches
        -e shows the encryption type
        -V shows the Kerberos version and exits
        options for credential caches:
                -d shows the submitted authorization data types
                -f shows credentials flags
                -s sets exit status based on valid tgt existence
                -a displays the address list
                        -n do not reverse-resolve
        options for keytabs:
                -t shows keytab entry timestamps
                -K shows keytab entry keys

Windows

C:\Windows\System32\klist.exe

Usage: klist.exe [command]

Command list:
  [tickets] [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  tgt [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  purge [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  sessions [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  kcd_cache [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  get <SPN> [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
            [-kdcoptions <options>] [-cacheoptions <options>]
  add_bind <DOMAIN> <DC>
  query_bind
  purge_bind

where:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist

Example

klist -f

Credentials cache: C:\Users\gerard\krb5cc_gerard

Default principal: [email protected], 1 entry found.

[1]  Service Principal:  krbtgt/[email protected]
     Valid starting:     Jul 10,  2014 10:11:40
     Expires:            Jul 10,  2014 20:11:40
     Flags:              INITIAL;PRE-AUTHENT

where:

the credential cache is the file where the ticket are stored.
The default principal is your kerberos principal
The service principal describes each ticket. The ticket-granting ticket (TGT) has the Kerberos - Principal (Account) krbtgt (ie Kerberos TGT), and the Kerberos - Principal (Account) is the realm name.
The flags are the ticket properties

Flags	Description
F	Forwardable
f	forwarded
P	Proxiable
p	proxy
D	postDateable
d	postdated
R	Renewable
I	Initial
i	invalid
H	Hardware authenticated
A	preAuthenticated
T	Transit policy checked
O	Okay as delegate
a	anonymous