kdestroy
Destroy Kerberos tickets
SYNOPSIS
kdestroy [-q] [-A] [-c cache_name] [-p principal]
PARAMETERS
-q
Quiet mode. Suppresses all output.
-A
Destroy all Kerberos credential caches in the system.
-c cache_name
Specifies the Kerberos credentials cache name to destroy. If not specified, the default cache is used.
-p principal
Specifies the principal to destroy. Requires the -c option to also be specified.
Note: Not all implementations support this.
DESCRIPTION
The kdestroy command destroys the user's current Kerberos authorization tickets, removing them from the credentials cache. This effectively logs the user out of Kerberos services: they must re-authenticate to access resources that require Kerberos authentication. This is useful for preventing unauthorized access when leaving a workstation unattended, and it provides a secure way to clear credentials that are no longer needed.
kdestroy only affects the tickets stored locally on the machine where it is executed. It does not revoke or invalidate tickets at the Key Distribution Center (KDC); it simply prevents them from being used by any subsequent applications on that client.
By default, kdestroy destroys all tickets in the default credentials cache. It can also operate on non-default credential caches, but that is less common in typical scenarios.
CAVEATS
kdestroy only deletes the tickets on the client machine. The KDC still treats those tickets as valid until their expiration time.
SECURITY IMPLICATIONS
Running kdestroy is crucial in shared computing environments to prevent unauthorized use of your Kerberos credentials. Consider running it before logging out or locking your workstation. Always verify whether your workstation is configured to clear tickets automatically on logout.
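One way to clear tickets from a logout or lock hook and confirm that nothing usable is left, as an added example that is not part of the kdestroy documentation. The function name purge_krb_tickets is hypothetical, and the check assumes a klist that supports -s (silent status test).

```shell
#!/bin/sh
# Added example: destroy Kerberos tickets, then verify the result instead of
# trusting that the destroy step worked.

# purge_krb_tickets [cache_name]
#   returns 0 if no usable tickets remain, 1 if tickets or a cache file survived
purge_krb_tickets() (
    # Runs in a subshell so the KRB5CCNAME export does not leak to the caller.
    cache="${1:-${KRB5CCNAME:-}}"

    if [ -n "$cache" ]; then
        export KRB5CCNAME="$cache"      # make klist inspect the same cache
        kdestroy -q -c "$cache" || true
    else
        kdestroy -q || true             # default credentials cache
    fi
    # The checks below decide the result, not kdestroy's own exit status.

    # klist -s is silent; it exits 0 only when the cache is readable and unexpired.
    if klist -s; then
        echo "purge_krb_tickets: valid tickets still present" >&2
        exit 1
    fi

    # For file-based caches, also confirm the cache file itself is gone.
    case "$cache" in
        FILE:*) path="${cache#FILE:}" ;;
        /*)     path="$cache" ;;
        *)      path="" ;;              # KEYRING:, KCM:, DIR: and similar types
    esac
    if [ -n "$path" ] && [ -e "$path" ]; then
        echo "purge_krb_tickets: cache file $path still exists" >&2
        exit 1
    fi
    exit 0
)
```

Source the file from a logout script such as ~/.bash_logout and call purge_krb_tickets there; a non-zero return means the session is ending with credentials still on disk or in the cache.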
HISTORY
The kdestroy command is a standard utility in Kerberos distributions. It's been present since the early days of Kerberos, providing a simple and essential function for managing user credentials. Its purpose has always been to allow users to quickly and securely clear their Kerberos tickets, improving security when a session is no longer required.