Destroy expired tickets?
Ken Raeburn
raeburn at MIT.EDU
Thu Nov  6 10:05:31 EST 2008

On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
> How can I destroy expired tickets?
>
> They're useless at best, and in some cases they're positively harmful
> (their presence prompts `ssh' to contact the KDC to try and delegate
> credentials, which is a waste if the tickets are expired, and is really
> annoying when the KDC times out because it's behind a firewall).

Hm, that sounds a bit broken.  I could see, maybe, inferring that you  
want to use Kerberos and prompting to get new tickets, but trying to  
forward expired ones is no good...

> But I couldn't find any command that would destroy only expired tickets.
> Any idea what I should use?  I guess I could try and parse the date&time
> in "klist", but it'd be a pain in the rear and blatantly brittle.

Running "klist -s" and testing the exit status should let you figure  
out if there are currently-valid tickets.  I don't know if there's a  
way to test for "tickets exist and are not valid", though perhaps  
"klist >& /dev/null" (C shell syntax) succeeding and "klist -s"  
failing would do the job.  Or you could try "klist -s" and then just  
run "kdestroy >& /dev/null", ignoring any errors caused by a ticket  
cache not existing.
Ken
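
The check suggested in the reply above, written out in Bourne shell syntax as an added example (not part of the original message or of the Kerberos distribution). The function names are hypothetical, and it assumes, as the reply only tentatively suggests, that plain "klist" exits successfully whenever a credential cache exists, even if its tickets have expired.

```shell
#!/bin/sh
# Added example: destroy the credential cache only when it exists but
# holds no currently-valid tickets. Function names are hypothetical.

# Print "valid", "expired" or "absent" for the default credential cache.
ticket_cache_state() {
    if klist -s 2>/dev/null; then
        # "klist -s" succeeded: there are currently-valid tickets.
        echo valid
    elif klist >/dev/null 2>&1; then
        # Assumption taken from the reply: plain klist still succeeds when
        # a cache exists, so failing "klist -s" here means expired tickets.
        # (">/dev/null 2>&1" is the sh spelling of the C shell ">&".)
        echo expired
    else
        # Neither form succeeded: no readable ticket cache at all.
        echo absent
    fi
}

# Run kdestroy only in the "expired" state, then report the state found.
# Returns non-zero only if kdestroy itself fails.
destroy_expired_tickets() {
    state=$(ticket_cache_state)
    if [ "$state" = expired ]; then
        kdestroy >/dev/null 2>&1 || return 1
    fi
    echo "$state"
}
```

Calling destroy_expired_tickets from a wrapper before ssh leaves valid tickets untouched and removes a stale cache.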
    
    