Currently DockerRegistryToken makes no attempt to log you out when KeyMaterial.close is called. This makes it inappropriate for environments in which access to the registry credentials must be tightly controlled.
The problem is that ~/.dockercfg must be used to store the login globally for the user (typically, one slave agent), so if there are multiple executors on the slave, one log out while another is still using the login.
If https://github.com/docker/docker/issues/10318 or similar is implemented, that would be ideal, so that the authentication between executors does not clash.
Otherwise, it might be possible to use reference-counting. TBD if docker login/logout would preserve other fields, or if a separate file would be needed. There are potential locking issues there.