I am connecting by SSH to a RHEL6 server.

When I SSH into the box, I am challenged for my Linux username/password (which is a shared account):

username: mySharedLinuxUser

pass for mySharedLinuxUser: password123

Then I am prompted again for my personal employee number and personal network password:

domain username: 111222

password for 111222@defaultDomain: my$uper$ecurePasswordHere

I believe the latter bit is done with Kerberos (I see references to 'kinit', which I've learned is a Kerberos thing).

However, the Kerberos docs are vast and confusing and I am but a mere confused Java dev.

How can I print the Kerberos username/employee number '111222' after I've already logged in?

For example, if I wanted to do person-specific logging while someone is logged in as a service account ("John deployed .war file 1234.war at 6:15am using the generic account... Mary deployed .war file 4321.war at 7:21am using the generic account" etc).

I'm sure the server already does this somewhere for audit purposes, but I can't find any examples of it.



1 Answer


You can use the klist command to show your Kerberos principal and cached tickets. For example:

$ klist
Ticket cache: KCM:1000
Default principal: error@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
08/13/2019 15:00:46  08/14/2019 15:00:23  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
        renew until 08/20/2019 15:00:23
Michael Hampton
  • Thank you! To clarify, the 'Default Principal' here is cached on the server, and not as part of an SSH connection... So it is cached one-per-Linux-user, is that right? So if I log into the server with someLinuxUser, and do 'klist' I'll see my ID as the default principal - but if while I'm still logged in, someone else logs in as someLinuxUser, the cached ticket will change/be overwritten & it'll show their ID when I run klist - right? In other words - just checking this is probably not a good way of determining who does what with a generic Linux user, without reprompting for creds each time – Paul Aug 14 '19 at 09:19
  • @Paul The default principal is whoever you logged in as, and the cache is specific to your user. – Michael Hampton Aug 14 '19 at 15:36
  • Gotcha - so if someone logs in as the same Linux user as me, the default principal for that user will change... so if I'm still logged in as that user also, I'll see their ID when I run klist? – Paul Aug 14 '19 at 15:38
  • @Paul You won't see anything related to someone else's activity, nor will their activity affect you. – Michael Hampton Aug 14 '19 at 15:39
  • And if I am already seeing someone else's activity as I describe above, that's a misconfiguration somewhere? – Paul Aug 14 '19 at 15:41
  • @Paul You shared an account with other people. That's generally a very bad idea. All bets are off. – Michael Hampton Aug 14 '19 at 15:43
  • All bets are off? It's a service account... – Paul Aug 14 '19 at 15:55
  • @Paul Indeed, so most likely nobody at all should be logging into it. – Michael Hampton Aug 14 '19 at 15:57
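
The person-specific logging asked about in the question, built on the klist output from the answer, as an added example that is not part of the original question, answer or comments. The function names (principal_from_klist, sanitize, audit_line, log_deploy) and the log format are hypothetical, and it assumes that klist, run inside the session, reports the ticket of the person who authenticated for that session.

```bash
#!/usr/bin/env bash
# Added example: tag deploy log lines with the Kerberos principal from klist.

# Constructed sample input: the klist output shown in the answer above.
SAMPLE_KLIST='Ticket cache: KCM:1000
Default principal: error@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
08/13/2019 15:00:46  08/14/2019 15:00:23  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG'

# Read klist output on stdin; print the default principal, or fail if absent.
principal_from_klist() {
    local line
    while IFS= read -r line; do
        case "$line" in
            "Default principal: "*)
                printf '%s\n' "${line#Default principal: }"
                return 0 ;;
        esac
    done
    return 1
}

# Strip control characters so a value cannot inject extra log lines.
sanitize() {
    printf '%s' "$1" | tr -d '[:cntrl:]'
}

# Build one audit line: who (principal), which shared account, what artifact.
# Takes klist output as $1 so it can be exercised without a live ticket.
audit_line() {
    local klist_out="$1" account="$2" artifact="$3" principal
    principal=$(printf '%s\n' "$klist_out" | principal_from_klist) || principal='UNKNOWN'
    printf 'principal=%s account=%s action=deploy artifact=%s\n' \
        "$(sanitize "$principal")" "$(sanitize "$account")" "$(sanitize "$artifact")"
}

# Live use: klist -s exits non-zero when the cache is missing or expired,
# in which case the line is logged with principal=UNKNOWN instead of a stale name.
log_deploy() {
    local out=''
    if klist -s 2>/dev/null; then out=$(klist 2>/dev/null) || out=''; fi
    audit_line "$out" "$(id -un)" "$1"
}
```

A deployment script would call log_deploy 1234.war and append the resulting line to a log file that the shared account cannot rewrite.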