About
The klist utility displays the entries (tickets, ...) in the local credentials cache and key table.
Installation
Java
Usage: klist [[-c] [-f] [-e] [-a [-n]]] [-k [-t] [-K]] [name]
name name of credentials cache or keytab with the prefix. File-based cache or keytab's prefix is FILE:.
-c specifies that credential cache is to be listed
-k specifies that key tab is to be listed
options for credentials caches:
-f shows credentials flags
-e shows the encryption type
-a shows addresses
-n do not reverse-resolve addresses
options for keytabs:
-t shows keytab entry timestamps
-K shows keytab entry key value
-e shows keytab entry key type
Usage: java sun.security.krb5.tools.Klist -help for help.
MIT Kerberos
- With MIT Kerberos
Usage: klist [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
-c specifies credentials cache
-k specifies keytab
(Default is credentials cache)
-i uses default client keytab if no name given
-l lists credential caches in collection
-A shows content of all credential caches
-e shows the encryption type
-V shows the Kerberos version and exits
options for credential caches:
-d shows the submitted authorization data types
-f shows credentials flags
-s sets exit status based on valid tgt existence
-a displays the address list
-n do not reverse-resolve
options for keytabs:
-t shows keytab entry timestamps
-K shows keytab entry keys
Windows
C:\Windows\System32\klist.exe
Usage: klist.exe [command]
Command list:
[tickets] [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
tgt [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
purge [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
sessions [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
kcd_cache [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
get <SPN> [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
[-kdcoptions <options>] [-cacheoptions <options>]
add_bind <DOMAIN> <DC>
query_bind
purge_bind
Reference:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist
Example
klist -f
Credentials cache: C:\Users\gerard\krb5cc_gerard
Default principal: [email protected], 1 entry found.
[1] Service Principal: krbtgt/[email protected]
Valid starting: Jul 10, 2014 10:11:40
Expires: Jul 10, 2014 20:11:40
Flags: INITIAL;PRE-AUTHENT
where:
- The default principal is your Kerberos principal
- The service principal describes each ticket. The ticket-granting ticket (TGT) has the principal primary krbtgt (i.e. Kerberos TGT), and the principal instance is the realm name.
- The flags are the ticket properties
Flags | Description |
---|---|
F | Forwardable |
f | forwarded |
P | Proxiable |
p | proxy |
D | postDateable |
d | postdated |
R | Renewable |
I | Initial |
i | invalid |
H | Hardware authenticated |
A | preAuthenticated |
T | Transit policy checked |
O | Okay as delegate |
a | anonymous |
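
An added example, not part of the original page or of any Kerberos distribution: a Python parser for the `klist -f` layout shown in the example above that reports whether a ticket-granting ticket is valid at a given time, the condition MIT's `-s` option exposes as an exit status. The sample text is constructed (principal, realm and the second ticket are placeholders) and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the example's layout; principal, realm and ticket [2] are placeholders.
SAMPLE = """\
Credentials cache: C:\\Users\\gerard\\krb5cc_gerard
Default principal: gerard@EXAMPLE.COM, 2 entries found.
[1] Service Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Valid starting: Jul 10, 2014 10:11:40
Expires: Jul 10, 2014 20:11:40
Flags: INITIAL;PRE-AUTHENT
[2] Service Principal: HTTP/web.example.com@EXAMPLE.COM
Valid starting: Jul 10, 2014 10:15:02
Expires: Jul 10, 2014 20:11:40
Flags: PRE-AUTHENT
"""

DATE_FMT = "%b %d, %Y %H:%M:%S"  # "Jul 10, 2014 10:11:40", local time, no zone
FIELD = re.compile(r"^\s*(?:\[\d+\]\s*)?(Service Principal|Valid starting|Expires|Flags):\s*(.*)$")

def parse_klist(text):
    """Return (default_principal, tickets) parsed from `klist -f` output."""
    default, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].split(",")[0].strip()
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Service Principal":      # starts a new ticket entry
            tickets.append({"service": value, "flags": set()})
        elif not tickets:                   # field with no ticket header: skip
            continue
        elif key == "Flags":
            tickets[-1]["flags"] = {f for f in value.split(";") if f}
        else:                               # "Valid starting" or "Expires"
            slot = "start" if key == "Valid starting" else "end"
            tickets[-1][slot] = datetime.strptime(value, DATE_FMT)
    return default, tickets

def has_valid_tgt(text, now):
    """True if a krbtgt/ ticket is inside its validity window at `now`."""
    return any(t["service"].startswith("krbtgt/") and "start" in t and "end" in t
               and t["start"] <= now < t["end"] for t in parse_klist(text)[1])

if __name__ == "__main__":
    print(parse_klist(SAMPLE)[0], has_valid_tgt(SAMPLE, datetime(2014, 7, 10, 12)))
```

The timestamps carry no time zone, so `now` must be taken on the same host clock that produced the listing.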