Use the Qshell command klist to display the
contents of a Kerberos credentials cache or key table.
Syntax
klist [-a] [-e] [-c] [-f] [-s] [-k] [-t]
[-K] [filename] Default public authority: *USE
The Qshell
command klist displays the contents of a Kerberos credentials
cache or key table.
Options
- -a
- Show all tickets in the credentials cache, including expired tickets.
If you do not specify this option, expired tickets are not listed. This option
is valid only when you list a credentials cache.
- -e
- Display the encryption type for the session key and the ticket. This option
is valid only when you list a credentials cache.
- -c
- List the tickets in a credentials cache. If neither the -c nor
the -k option is specified, this is the default. This option is mutually
exclusive with the -k option.
- -f
- Show the ticket flags, using the following abbreviations:
| Abbreviation |
Meaning |
|---|
| F |
Ticket can be forwarded |
| f |
Forwarded ticket |
| P |
Ticket can be a proxy |
| p |
Proxy ticket |
| D |
Ticket can be postdated |
| d |
Postdated ticket |
| R |
Renewable ticket |
| I |
Initial ticket |
| i |
Ticket not valid |
| A |
Preauthentication used |
| O |
Server can be a delegate |
| C |
Transit list checked by the Kerberos server |
This option is valid only when you list a credentials cache.
- -s
- Suppress command output, but set the exit status to 0 if a valid ticket
granting ticket is found in the credentials cache. This option is valid only
when you list a credentials cache.
- -k
- List the entries in a key table. This option is mutually exclusive with
the -c option.
- -t
- Display timestamps for key table entries. This option is valid only when
you list a key table.
- -K
- Display the encryption key value for each key table entry. This option
is valid only when you list a key table.
- filename
- Specifies the name of the credentials cache or key table. If no file name
is specified, the default credentials cache or key table is used
Authorities
| Object Referred to |
Authority Required |
|---|
| Each directory in the path name preceding
the file if -k option is specified as keytab |
*X |
| Keytab file when -k is specified |
*R |
| Each directory in the path name preceding
the credentials cache file if the -k option is not specified |
*X |
| Credentials cache file if the -k option
is not specified |
*R |
To enable the Kerberos run time to find your credentials cache
file from any running process, the name of the cache file is normally stored
in the home directory in a file named krb5ccname. The storage location
of the cache file name can be overridden by setting the environment variable _EUV_SEC_KRB5CCNAME_FILE.
To access this file, the user profile must have *X authority to each
directory in the path and *R authority to the file where the cache
file name is stored. The first time that a user creates a credentials cache,
the user profile must have *WX authority to the parent directory.
Messages
- The option_name option requires a value.
- command_option is not a valid command option.
- command_option_one and command_option_two cannot be
specified together.
- No default credentials cache found.
- Unable to resolve credentials cache file_name.
- Unable to retrieve principal name from credentials cache file_name.
- Unable to retrieve ticket from credentials cache file_name.
- Unable to decode ticket.
- No default key table found.
- Unable to resolve key table file_name.