Sudo password timeout

AnimeFreak · #1 9th January 2009, 07:47 PM

I recently switched from ubuntu..

Is there a password timeout for sudo.

If so, I would like to have sudo ask for the password every single time.

How do I do this.

what command do I use in the sudoers file.

Also, where do I place the command in the sudoers file.

NOTE: I already have sudo enabled.

Thanks,

AnimeFreak

madmix · #2 17th January 2009, 09:30 PM

Hi AnimeFreak,

As root enter visudo, look for the section of Defaults and add the following line:

Code:

Defaults    timestamp_timeout = 0

Then quit VI (Esc followed by :wq).

AnimeFreak · #3 20th January 2009, 10:02 AM

I have one more question.

When I have to authenticate as root to do things like mange users and groups or the firewall with the Fedora Firewall GUI, it asks for the root password, I enter it, and manage the users and groups, or the firewall.

A couple of minutes later I do the same thing but am not required to enter the root users password.

How can I make it so that I am required to enter root's password every time.

madmix · #4 20th January 2009, 10:06 PM

Enter the following commands:

Code:

su -
cd /etc/pam.d
sed -i.bkp 's/^auth.\+pam_timestamp.so$/& timestamp_timeout=0/' config-util

A number of graphical administrative tools provide users with elevated privileges for up to five minutes using the pam_timestamp.so module. The sed command above specifies a period of 0 seconds for which the timestamp is valid. The file modified, config-util, is included in the PAM configuration files related to these graphical tools which intend to cache successful authentication attempts.

AnimeFreak · #5 20th January 2009, 11:23 PM

Quote:

Originally Posted by madmix

Enter the following commands:

Code:

sed -i.bkp 's/^auth.\+pam_timestamp.so$/& timestamp_timeout=0/' config-util

Is all of the above code one command?

madmix · #6 21st January 2009, 01:10 PM

Yeah, each line is one command. You can copy and paste it.

Code:

sed -i.bkp 's/^auth.\+pam_timestamp.so$/& timestamp_timeout=0/' config-util

This sed line makes a backup of file config-util, copying it to a file with prefix .bkp (config-util.bkp) and then updates the original file in place -- this is the -i switch. The one-liner sed script uses a substitution command, s/what_to_look_for/replacement/, to update a line whose first characters are auth and last ones pam_timestamp.so. When it finds such a line it appends timestamp_timeout=0 to it, which is the option we want to modify from the default of 300.

You can do it by hand if you wish. It is a small modification.

AnimeFreak · #7 21st January 2009, 04:27 PM

thanks for the info.

madmix · #8 21st January 2009, 11:26 PM

You're welcome.