kdestroy

kdestroy [options]

-A
    Destroys all credential caches in the collection. This is useful when multiple caches exist, for instance, due to different ticket types or identities.

-c cache_name
    Specifies the path or name of the credential cache to be destroyed. If omitted, kdestroy operates on the default cache, typically specified by the KRB5CCNAME environment variable or a system default location.

-q
    Runs in quiet mode. No output or messages are displayed upon successful execution, which is useful for scripting.

-s
    If all credential caches are destroyed (either explicitly or via -A), this option instructs kdestroy to shut down the KCM (Kerberos Credential Manager) process if it was managing the caches.

The kdestroy command is used to permanently delete a user's active Kerberos tickets and associated credential caches. This action invalidates any current Kerberos authentication sessions, meaning the user will lose access to Kerberos-protected services until new tickets are obtained (e.g., via kinit). It is typically used for security reasons, such as logging out of a system or ensuring that credentials are not left on a shared machine.

By default, kdestroy destroys the default credentials cache. However, it can be instructed to destroy specific caches or all caches belonging to the user.

Destroying Kerberos tickets is an irreversible action for the current session; new tickets must be acquired to regain access to Kerberos-protected resources. Ensure you have finished all tasks requiring Kerberos authentication before running kdestroy, especially on shared systems.

The KRB5CCNAME environment variable can be used to specify the default credentials cache. If this variable is set, kdestroy will operate on the cache it points to, unless overridden by the -c option.

kdestroy is a fundamental utility that has been a part of the MIT Kerberos distribution for a long time, evolving alongside the Kerberos protocol itself. Its core function of securely removing credential caches has remained consistent, reflecting its essential role in Kerberos security and session management.

kinit(1), klist(1)