16.6. PAM and Administrative Credential Caching
pam_timestamp.so module. It is important to understand how this mechanism works because a user who walks away from a terminal while pam_timestamp.so is in effect leaves the machine open to manipulation by anyone with physical access to the console.
pam_timestamp.so module creates a timestamp file within the /var/run/sudo/ directory by default. If the timestamp file already exists, other graphical administrative programs do not prompt for a password. Instead, the pam_timestamp.so module freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user.
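An audit check for the behaviour described above, as an added example that is not part of the original documentation: it lists timestamp files that are still inside the five-minute window. The per-user subdirectory layout, the function names and the use of GNU find and stat are assumptions.

```shell
#!/bin/sh
# Added example: report cached administrative timestamps that are still live.
# Assumptions (not from the page): timestamp files sit in subdirectories of
# the timestamp directory, and GNU find/stat are available.

TS_DIR_DEFAULT=/var/run/sudo   # default directory named on the page
TS_WINDOW_DEFAULT=300          # the five-minute window, in seconds

# live_timestamps [DIR] [WINDOW_SECONDS] [NOW_EPOCH]
# Prints "<seconds_left> <path>" for each timestamp file younger than the window.
live_timestamps() {
    dir=${1:-$TS_DIR_DEFAULT}
    window=${2:-$TS_WINDOW_DEFAULT}
    now=${3:-$(date +%s)}
    # No directory means no cached credentials to report.
    [ -d "$dir" ] || return 0
    find "$dir" -type f -print | while IFS= read -r f; do
        # The file may vanish between find and stat; skip it if so.
        mtime=$(stat -c %Y -- "$f" 2>/dev/null) || continue
        age=$((now - mtime))
        # A file dated in the future has a negative age and is reported too,
        # since it would stay fresh for longer than the normal window.
        if [ "$age" -lt "$window" ]; then
            echo "$((window - age)) $f"
        fi
    done
}

# count_live_timestamps [DIR] [WINDOW_SECONDS] [NOW_EPOCH]
# Prints how many timestamp files are still inside the window.
count_live_timestamps() {
    live_timestamps "$@" | wc -l | tr -d ' '
}
```

Run `live_timestamps` as a user who can read the timestamp directory; any line of output is a session that currently has unchallenged administrative access.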
Figure 16.1. The Authentication Icon
16.6.1. Removing the Timestamp File
Figure 16.2. Authentication Icon Dialog
ssh, use the /sbin/pam_timestamp_check -k root command to destroy the timestamp file.
pam_timestamp.so module in order to use the /sbin/pam_timestamp_check command. Do not log in as root to issue this command.
pam_timestamp_check, refer to the