kerberos

Remove a single kerberos principal from the cache


I have some principals in my kerberos cache:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1234
Default principal: myuser@MY.REALM

Valid starting       Expires              Service principal
04/21/2024 23:51:59  04/22/2024 02:37:58  krbtgt/MY.REALM@MY.REALM
        renew until 04/22/2024 23:51:46
04/21/2024 23:51:57  04/22/2024 02:37:58  HTTP/some-host.my.domain@MY.REALM
        renew until 04/22/2024 23:51:46

I want to remove a single entry (HTTP/some-host.my.domain@MY.REALM in this example), while leaving everything else. I tried this, but it failed:

$ kdestroy -p HTTP/some-host.my.domain@MY.REALM
kdestroy: Matching credential not found while finding cache for HTTP/some-host.my.domain@MY.REALM

What shall I do instead?


Solution

Since your 'krbtgt' ticket is renewable, the easiest way would be to use:

kinit -R

which gets you a new TGT using the current one, and has the side-effect of throwing out all other service tickets (there is usually no real need to keep the rest as they'll be reacquired using the TGT).

Other than that, MIT Kerberos does not have any command-line tools to do precise edits to the contents of a ticket cache – it has the krb5_cc_remove_cred() API, but no convenient way to use it (python-pykrb5 has parts of the krb5_cc_*() APIs but not this specific one yet). Heimdal Kerberos does have kcpytkt which would allow manually copying tickets one by one to a new cache.

As I had some related code around, I wrote a tool to remove individual entries:
https://git.nullroute.lt/hacks/python-krb5ccparse.git/

The purpose of the kdestroy -p parameter is to select a cache when you have a collection of them – e.g. a DIR: cache that has multiple sets of tickets for several different client principals:

$ export KRB5CCNAME=DIR:/run/user/2001/krb5cc

$ kinit grawity@HOME.EXAMPLE.NET
$ kinit grawity@WORK.EXAMPLE.COM

$ klist -A
Default principal: grawity@WORK.EXAMPLE.COM
Valid starting       Expires              Service principal
04/23/2024 16:25:41  04/24/2024 02:25:41  krbtgt/WORK.EXAMPLE.COM@WORK.EXAMPLE.COM

Default principal: grawity@HOME.EXAMPLE.NET
Valid starting       Expires              Service principal
04/23/2024 16:25:31  04/24/2024 16:25:29  krbtgt/HOME.EXAMPLE.NET@HOME.EXAMPLE.NET

$ kdestroy -p grawity@HOME.EXAMPLE.NET
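As an added example (not the answer author's python-krb5ccparse tool and not code from MIT krb5), here is a Python script that does the byte-level equivalent of krb5_cc_remove_cred() on a FILE: cache: it walks the credential records, drops the one whose server principal matches, and writes the header and every other record back unchanged. The sample cache it builds for offline testing is constructed (dummy session keys and ticket bytes); the file path and principal on the command line are placeholders.

```python
"""Drop one service ticket from an MIT Kerberos FILE: credential cache.

Handles ccache versions 0x0503 and 0x0504 (both big-endian). The TGT,
X-CACHECONF: config entries and all other tickets are copied byte-for-byte.
"""
import struct
import sys

V3, V4 = 0x0503, 0x0504


class Reader:
    """Sequential big-endian reader over raw ccache bytes."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def blob(self):
        """32-bit length followed by that many bytes."""
        return self.take(self.u(">I"))

    def principal(self):
        """name_type, ncomponents, realm, components -> 'a/b@REALM'."""
        self.u(">I")                          # name type, not needed for matching
        ncomp = self.u(">I")
        realm = self.blob().decode()
        comps = [self.blob().decode() for _ in range(ncomp)]
        return "/".join(comps) + "@" + realm  # no MIT-style escaping of '/' or '@'

    def cred_server(self, version):
        """Consume one credential record; return its server principal."""
        self.principal()                      # client
        server = self.principal()
        self.u(">H")                          # enctype
        if version == V3:
            self.u(">H")                      # v3 writes the enctype twice
        self.blob()                           # session key
        self.take(16)                         # authtime, starttime, endtime, renew_till
        self.take(1)                          # is_skey
        self.u(">I")                          # ticket flags
        for _ in range(2):                    # addresses, then authdata
            for _ in range(self.u(">I")):
                self.u(">H")                  # addrtype / ad_type
                self.blob()
        self.blob()                           # ticket
        self.blob()                           # second ticket
        return server


def split_ccache(data):
    """Return (header_bytes, [(server_principal, raw_cred_bytes), ...])."""
    r = Reader(data)
    version = r.u(">H")
    if version not in (V3, V4):
        raise ValueError("unsupported ccache version 0x%04x" % version)
    if version == V4:
        r.take(r.u(">H"))                     # tagged header (KDC time offset etc.)
    r.principal()                             # default principal
    header = data[:r.pos]
    creds = []
    while r.pos < len(data):
        start = r.pos
        server = r.cred_server(version)
        creds.append((server, data[start:r.pos]))
    return header, creds


def remove_cred(data, server):
    """Return (rebuilt cache bytes, number of credentials dropped)."""
    header, creds = split_ccache(data)
    kept = [raw for srv, raw in creds if srv != server]
    return header + b"".join(kept), len(creds) - len(kept)


# --- constructed sample cache (dummy keys and tickets) for offline testing ---
def _blob(b):
    return struct.pack(">I", len(b)) + b

def _principal(name):
    comps, realm = name.rsplit("@", 1)
    parts = [c.encode() for c in comps.split("/")]
    return struct.pack(">II", 1, len(parts)) + _blob(realm.encode()) + b"".join(map(_blob, parts))

def _cred(client, server):
    return (_principal(client) + _principal(server)
            + struct.pack(">H", 18) + _blob(b"\0" * 32)       # enctype 18, dummy key
            + struct.pack(">IIIIBI", 0, 0, 0, 0, 0, 0)         # times, is_skey, flags
            + struct.pack(">II", 0, 0)                         # no addresses, no authdata
            + _blob(b"dummy-ticket") + _blob(b""))

def sample_cache():
    """Version 4 cache: time-offset header tag, a TGT and one HTTP ticket."""
    hdr = struct.pack(">HH", V4, 12) + struct.pack(">HHII", 1, 8, 0, 0)
    return (hdr + _principal("myuser@MY.REALM")
            + _cred("myuser@MY.REALM", "krbtgt/MY.REALM@MY.REALM")
            + _cred("myuser@MY.REALM", "HTTP/some-host.my.domain@MY.REALM"))


if __name__ == "__main__":
    path, server = sys.argv[1], sys.argv[2]   # e.g. /tmp/krb5cc_1234 HTTP/host@REALM
    with open(path, "rb") as f:
        out, n = remove_cred(f.read(), server)
    if n:
        with open(path, "wb") as f:
            f.write(out)
    print("removed %d credential(s)" % n)
```

Saved as, say, ccrm.py (a placeholder name) it is run as `python3 ccrm.py /tmp/krb5cc_1234 HTTP/some-host.my.domain@MY.REALM`, then `klist` shows the TGT still present and the HTTP ticket gone. It takes no lock, so run it while nothing else (kinit, a GSSAPI client) is writing the cache, and only against FILE: caches; for a DIR: collection point it at the individual ticket file inside the directory. Principal components are not unescaped, so matching works for ordinary service names but not for the X-CACHECONF: pseudo-entries MIT stores in the cache; those are simply preserved along with everything else.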