klist Command

Purpose

Displays the contents of a Kerberos credentials cache or key table.

Syntax

klist [[ -c] [ -f] [ -e] [ -s] [ -a] [ -n]] [ -k [ -t] [ -K]] [ name]

Description

The klist command displays the contents of a Kerberos credentials cache or key table.

Flags

Item Description
-a Displays all tickets in the credentials cache, including expired tickets. Expired tickets are not listed if this flag is not specified. This flag is valid only when listing a credentials cache.
-c Lists the tickets in a credentials cache. This is the default if neither the -c nor the -k flag is specified. This flag is mutually exclusive with the -k flag.
-e Displays the encryption type for the session key and the ticket.
-f Displays the ticket flags using the following abbreviations:
    F  Forwardable ticket
    f  Forwarded ticket
    P  Proxiable ticket
    p  Proxy ticket
    D  Postdateable ticket
    d  Postdated ticket
    R  Renewable ticket
    I  Initial ticket
    i  Invalid ticket
    H  Hardware preauthentication used
    A  Preauthentication used
    O  Server can be a delegate
name Specifies the name of the credentials cache or key table. The default credentials cache or key table is used if you do not specify a filename.

If you do not specify a name indicating a cache name or keytab name, klist displays the credentials in the default credentials cache or keytab file as appropriate. If the KRB5CCNAME environment variable is set, its value is used to name the default credentials (ticket) cache.

-k Lists the entries in a key table. This flag is mutually exclusive with the -c flag.
-K Displays the encryption key value for each key table entry. This flag is valid only when listing a key table.
-n Displays the numerical internet address instead of the host name. Without the -n flag, the host name is displayed. This flag is used in conjunction with the -a flag.
-s Suppresses command output but sets the exit status to 0 if a valid ticket-granting ticket is found in the credentials cache. This flag is valid only when listing a credentials cache.
-t Displays timestamps for key table entries. This flag is valid only when listing a key table.

Examples

  1. To list all of the entries in the default credentials cache, type:
    klist
  2. To list all of the entries in the etc/krb5/my_keytab key table with timestamps, type:
    klist -t -k etc/krb5/my_keytab
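
The following is an added example, not part of the original reference: a pre-flight check for a job script that combines the -s exit status with a permission check on the credentials cache file named by KRB5CCNAME or the default path listed under Files. The function names and the KLIST and CC_DIR override variables are hypothetical, and stripping a FILE: prefix from KRB5CCNAME is an assumption about how the cache name is written.

```shell
#!/bin/sh
# Added example: names and override variables below are assumptions.
KLIST="${KLIST:-/usr/krb5/bin/klist}"        # binary path from the Files list
CC_DIR="${CC_DIR:-/var/krb5/security/creds}" # default cache directory

# Print the cache file klist uses by default: KRB5CCNAME if set
# (an optional FILE: prefix is stripped), else krb5cc_[uid].
cc_path() {
    uid="${1:-$(id -u)}"
    case "${KRB5CCNAME:-}" in
        "")     printf '%s\n' "$CC_DIR/krb5cc_$uid" ;;
        FILE:*) printf '%s\n' "${KRB5CCNAME#FILE:}" ;;
        *)      printf '%s\n' "$KRB5CCNAME" ;;
    esac
}

# Succeed only if the cache is a regular file owned by the caller
# with no group/other permission bits set.
cache_is_private() {
    [ -f "$1" ] || return 1
    ls -ln "$1" | {
        read -r mode links owner rest
        case "$mode" in
            -???------*) [ "$owner" = "$(id -u)" ] ;;
            *)           false ;;
        esac
    }
}

# 0 = valid TGT and private cache, 1 = no valid TGT, 2 = cache exposed.
tgt_status() {
    "$KLIST" -s || return 1
    cache_is_private "$(cc_path)" || return 2
    return 0
}

# Usage in a job script:
#   tgt_status || { echo "Kerberos check failed: $?" >&2; exit 1; }
```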

Files

Item Description
/usr/krb5/bin/klist -
/var/krb5/security/creds/krb5cc_[uid] default credentials cache ([uid] is the UID of the user.)
/etc/krb5/krb5.keytab default location for the local host's keytab file.