LinuxCommandLibrary

kdestroy

Destroy Kerberos tickets

SYNOPSIS

kdestroy [-A] [-q] [-t ticket_file]

PARAMETERS

-A
    Destroy all Kerberos tickets across multiple realms.

-q
    Quiet mode: suppress warning messages if no tickets are found.

-t ticket_file
    Destroy tickets in the specified credentials cache file instead of the default.

DESCRIPTION

kdestroy is a command-line utility in the MIT Kerberos 5 suite used to securely destroy a user's Kerberos credentials cache, commonly known as tickets. Kerberos tickets serve as time-limited proofs of identity for authenticating to network services without transmitting passwords.

By default, tickets are stored in a file like /tmp/krb5cc_<uid>, where <uid> is the user's ID. Running kdestroy removes this file, effectively ending the Kerberos session and preventing unauthorized access to services using those credentials. This is crucial for security during logout, session cleanup, or when switching identities.

It supports destroying tickets from specific realms or custom cache files, making it versatile for multi-realm environments. Without options, it targets the default cache. The command verifies removal and warns if tickets persist, unless suppressed.

Common in enterprise UNIX/Linux systems with Kerberos integration (e.g., Active Directory, LDAP), it's paired with kinit for ticket acquisition and klist for inspection. Failure occurs if no tickets exist or access is denied.

CAVEATS

Requires write permissions on the ticket file; does not affect remote or delegated tickets on servers. No effect if no tickets exist.

EXIT STATUS

Returns 0 on success, 1 if tickets were not destroyed or access was denied.

ENVIRONMENT

KRB5CCNAME overrides the default ticket cache location.

DEFAULT CACHE

Typically /tmp/krb5cc_<uid> or via KRB5CCNAME.
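
The session cleanup described above, written as a logout hook. This is an added example, not part of the original page or of MIT Kerberos: it runs kdestroy, then independently checks that the FILE cache named by KRB5CCNAME (or the /tmp/krb5cc_<uid> default) is gone. The function names and return codes are hypothetical.

```sh
#!/bin/sh
# Added example (hypothetical helper names): destroy tickets at logout,
# then confirm a FILE-type credentials cache no longer exists on disk.

# Print the cache name as TYPE:residual. KRB5CCNAME wins; otherwise use
# the /tmp/krb5cc_<uid> default given on this page. Assumption: a value
# with no TYPE: prefix is a plain file path.
krb_cache_name() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        case "$KRB5CCNAME" in
            /*)  printf 'FILE:%s\n' "$KRB5CCNAME" ;;
            *:*) printf '%s\n' "$KRB5CCNAME" ;;
            *)   printf 'FILE:%s\n' "$KRB5CCNAME" ;;
        esac
    else
        printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# 0 = cache file is gone, 1 = cache file still present,
# 2 = cache is not FILE-backed, so it cannot be checked by path.
krb_cache_gone() {
    cc_name=$(krb_cache_name)
    case "$cc_name" in
        FILE:*) cc_file=${cc_name#FILE:} ;;
        *)      return 2 ;;
    esac
    [ ! -e "$cc_file" ]
}

# 0 = clean, 1 = cache survived (e.g. no write permission on the file),
# 2 = unverifiable cache type, 3 = kdestroy is not installed.
krb_logout_cleanup() {
    command -v kdestroy >/dev/null 2>&1 || return 3
    # kdestroy also exits non-zero when there was nothing to destroy,
    # so ignore its status and check the result ourselves.
    kdestroy -q || true
    krb_cache_gone
}
```

Call krb_logout_cleanup from a logout hook such as ~/.bash_logout and treat return code 1 as a finding: a ticket cache outlived the session.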

HISTORY

Developed as part of MIT Kerberos 5 (krb5) in the early 1990s, evolving from Project Athena. Standardized in Heimdal and other implementations; essential for secure network auth in Linux/UNIX since krb5-1.0 (1993).

SEE ALSO

kinit(1), klist(1), kswitch(1), krb5(8)
