sudo -k vs. sudo -K

I know what the man page has to say about -K and -k:

‑K

The ‑K (sure kill) option is like ‑k except that it removes the user's cached credentials entirely and may not be used in conjunction with a command or other option. This option does not require a password. Not all security policies support credential caching.

‑k[command]

When used alone, the ‑k (kill) option to sudo invalidates the user's cached credentials. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file. Not all security policies support credential caching. When used in conjunction with a command or an option that may require a password, the ‑k option will cause sudo to ignore the user's cached credentials. As a result, sudo will prompt for a password (if one is required by the security policy) and will not update the user's cached credentials.

So if there is no need to use a command in conjunction with these options, am I correct in assuming -K is always the better option to use rather than -k?


sudo -K and sudo -k, without a command, do the same thing: they invalidate the user's cached credentials.

sudo -k command ... is different: it ignores the user's cached credentials for the current command, but doesn't invalidate them.

Use -k with a command when you want to run a single command without either using or clobbering your cached credentials. (I'm actually not sure why you'd want to do that, but the capability is there.)

Use either sudo -k or sudo -K if you want to clobber your cached credentials.

Summary:

sudo -k           # clobbers cached credentials
sudo -K           # clobbers cached credentials
sudo -k command   # ignores cached credentials
sudo -K command   # invalid

UPDATE:

Revisiting this answer, it looks like the only difference between -k and -K is that -k accepts a command and -K does not. I'm not convinced having two separate options is useful, since -K doesn't really add any functionality that -k doesn't provide. There is a subtle difference in wording in the man page; -k "invalidates the user's cached credentials", while -K "removes the user's cached credentials entirely". I don't think that indicates a real difference in the way it affects the credentials.


sudo -K will invalidate your cached credentials across all terminal sessions. This can be useful to run prior to locking your DE.

sudo -k will only invalidate your cached credentials for the current terminal session.
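As an added example (not part of either answer above): a small POSIX sh helper for a logout or screen-lock hook that drops the cached credentials with `sudo -K` or `sudo -k` and then uses `sudo -n true` to confirm that sudo would really prompt again. The function names `sudo_is_passwordless` and `drop_sudo_cache` are made up for this example; source the file and call `drop_sudo_cache` from the hook.

```shell
#!/bin/sh
# Added example: function names are hypothetical, chosen for this illustration.

# Returns 0 if sudo would run a command right now WITHOUT asking for a
# password (cached credentials are still valid, or a NOPASSWD rule applies).
sudo_is_passwordless() {
    # -n: non-interactive; sudo fails instead of prompting for a password.
    sudo -n true 2>/dev/null
}

# drop_sudo_cache [all|session]
#   all     -> sudo -K  (per the last answer above: all terminal sessions)
#   session -> sudo -k  (per the last answer above: current session only)
# Return codes:
#   0  credentials dropped, sudo will prompt next time
#   1  sudo still runs without a password (NOPASSWD rule, or a policy
#      that does not use the credential cache)
#   2  unknown scope argument
drop_sudo_cache() {
    scope=${1:-all}
    case "$scope" in
        all)     sudo -K ;;
        session) sudo -k ;;
        *)
            echo "usage: drop_sudo_cache [all|session]" >&2
            return 2
            ;;
    esac

    # Neither -k nor -K reports whether anything was cached, so verify.
    if sudo_is_passwordless; then
        echo "warning: sudo still does not require a password" >&2
        return 1
    fi
    return 0
}

# Typical use from a logout or lock hook, after sourcing this file:
#   drop_sudo_cache all
```

A return code of 1 means clearing the cache did not change what sudo will do without a password, which is worth knowing before relying on the hook.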