klist

The Qshell command klist displays the contents of a Kerberos credentials cache or key table.

Syntax

klist [-a] [-e] [-c] [-f] [-s] [-k] [-t] [-K] [filename]

Default public authority: *USE

Options

-a
Show all tickets in the credentials cache, including expired tickets. If you do not specify this option, expired tickets are not listed. This option is valid only when you list a credentials cache.
-e
Display the encryption type for the session key and the ticket. This option is valid only when you list a credentials cache.
-c
List the tickets in a credentials cache. If neither the -c nor the -k option is specified, this is the default. This option is mutually exclusive with the -k option.
-f
Show the ticket flags, using the following abbreviations:
Abbreviation  Meaning
F             Ticket can be forwarded
f             Forwarded ticket
P             Ticket can be a proxy
p             Proxy ticket
D             Ticket can be postdated
d             Postdated ticket
R             Renewable ticket
I             Initial ticket
i             Ticket not valid
A             Preauthentication used
O             Server can be a delegate
C             Transit list checked by the Kerberos server

This option is valid only when you list a credentials cache.

-s
Suppress command output, but set the exit status to 0 if a valid ticket-granting ticket is found in the credentials cache. This option is valid only when you list a credentials cache.
-k
List the entries in a key table. This option is mutually exclusive with the -c option.
-t
Display timestamps for key table entries. This option is valid only when you list a key table.
-K
Display the encryption key value for each key table entry. This option is valid only when you list a key table.
filename
Specifies the name of the credentials cache or key table. If no file name is specified, the default credentials cache or key table is used.

Authorities

Object referred to                                                                                      Authority required
Each directory in the path name preceding the keytab file if the -k option is specified                 *X
Keytab file when -k is specified                                                                        *R
Each directory in the path name preceding the credentials cache file if the -k option is not specified  *X
Credentials cache file if the -k option is not specified                                                *R

To enable the Kerberos run time to find your credentials cache file from any running process, the name of the cache file is normally stored in the home directory in a file named krb5ccname. The storage location of the cache file name can be overridden by setting the environment variable _EUV_SEC_KRB5CCNAME_FILE. To access this file, the user profile must have *X authority to each directory in the path and *R authority to the file where the cache file name is stored. The first time that a user creates a credentials cache, the user profile must have *WX authority to the parent directory.
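The authority requirements above can be checked before klist is called, which helps separate a path or permission problem from a missing or expired ticket. This is an added example, not IBM's code: it assumes a POSIX-style shell in which `test -x` and `test -r` reflect *X and *R authority, and `KLIST` is a hypothetical variable used only to substitute the klist command.

```shell
# Pre-flight check for the file that stores the credentials cache name.
# KLIST is a hypothetical override for the klist command (assumption).

# Print the path of the file that holds the cache file name:
# _EUV_SEC_KRB5CCNAME_FILE if set, otherwise krb5ccname in the home directory.
ccname_pointer() {
    if [ -n "${_EUV_SEC_KRB5CCNAME_FILE:-}" ]; then
        printf '%s\n' "$_EUV_SEC_KRB5CCNAME_FILE"
    else
        printf '%s\n' "$HOME/krb5ccname"
    fi
}

# Walk every directory preceding the file; each one needs search (*X) authority.
# Prints the first directory that fails the check and returns 1.
check_path_dirs() {
    dir=$(dirname "$1")
    while :; do
        if [ ! -x "$dir" ]; then
            printf '%s\n' "$dir"
            return 1
        fi
        if [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Return codes: 0 = valid TGT found, 1 = no valid TGT,
# 2 = a directory in the path is missing or not searchable (*X),
# 3 = the file holding the cache name is missing or not readable (*R).
check_default_cache() {
    ptr=$(ccname_pointer)
    if ! bad=$(check_path_dirs "$ptr"); then
        echo "missing directory or no *X authority: $bad" >&2
        return 2
    fi
    if [ ! -r "$ptr" ]; then
        echo "missing file or no *R authority: $ptr" >&2
        return 3
    fi
    # -s suppresses output; exit status 0 means a valid TGT is in the cache.
    if "${KLIST:-klist}" -s; then
        return 0
    fi
    return 1
}
```

Call `check_default_cache` at the start of a batch job and stop on any non-zero return code so the job never proceeds without a valid ticket-granting ticket.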

Messages

  • The option_name option requires a value.
  • command_option is not a valid command option.
  • command_option_one and command_option_two cannot be specified together.
  • No default credentials cache found.
  • Unable to resolve credentials cache file_name.
  • Unable to retrieve principal name from credentials cache file_name.
  • Unable to retrieve ticket from credentials cache file_name.
  • Unable to decode ticket.
  • No default key table found.
  • Unable to resolve key table file_name.

For an example of how this command is used, see Displaying credentials cache.