48.4.6. PAM and Administrative Credential Caching
A number of graphical administrative tools grant users elevated privileges for up to five minutes using the pam_timestamp.so module. It is important to understand how this mechanism works, because a user who walks away from a terminal while pam_timestamp.so is in effect leaves the machine open to manipulation by anyone with physical access to the console.
Once the user has been authenticated, the pam_timestamp.so module creates a timestamp file. By default, this is created in the /var/run/sudo/ directory. If the timestamp file already exists, graphical administrative programs do not prompt for a password. Instead, the pam_timestamp.so module freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user.
You can verify the state of the timestamp file by inspecting the /var/run/sudo/<user> file. For the desktop, the relevant file is unknown:root. If it is present and its timestamp is less than five minutes old, the cached credentials are valid.
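As an added example (not from the Red Hat guide), the following POSIX shell functions apply the validity rule stated above, a timestamp file that exists and is less than five minutes old, to a given path, and audit a /var/run/sudo-style tree so an administrator can see which users still hold cached credentials; the function names, the audit helper and the default path argument are mine.

```shell
#!/bin/sh
# Added example, not code from the guide: report whether a pam_timestamp
# credential-cache file still grants unchallenged administrative access.
# Rule from the section: the file exists and is less than five minutes old.
# Usage: pam_ts_status /var/run/sudo/<user>/unknown:root [max_age_seconds]
# Prints "valid", "expired" or "absent"; returns 0, 1 or 2 respectively.
pam_ts_status() {
    file=$1
    max_age=${2:-300}   # five minutes, the window the section describes
    [ -e "$file" ] || { echo absent; return 2; }
    now=$(date +%s)
    # File mtime in seconds since the epoch: GNU stat first, BSD stat as fallback.
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    age=$((now - mtime))
    if [ "$age" -lt "$max_age" ]; then
        echo "valid ($age s old)"; return 0
    else
        echo "expired ($age s old)"; return 1
    fi
}

# Walk a /var/run/sudo-style directory (hypothetical default path argument)
# and print one status line per timestamp file found.
pam_ts_audit() {
    dir=${1:-/var/run/sudo}
    find "$dir" -type f 2>/dev/null | while read -r f; do
        printf '%s: %s\n' "$f" "$(pam_ts_status "$f")"
    done
}
```

Run pam_ts_audit as root before leaving a shared console to confirm that no user's timestamp file is still within the five-minute window.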
Figure 48.7. The Authentication Icon
48.4.6.1. Removing the Timestamp File
Figure 48.8. Dismiss Authentication Dialog
- If logged in to the system remotely using ssh, use the /sbin/pam_timestamp_check -k root command to destroy the timestamp file.
- You need to run the /sbin/pam_timestamp_check -k root command from the same terminal window from which you launched the privileged application.
- You must be logged in as the user who originally invoked the pam_timestamp.so module in order to use the /sbin/pam_timestamp_check -k command. Do not log in as root to use this command.
- If you want to kill the credentials on the desktop (without using the dismiss action on the authentication icon), use the following command:

  pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/null

  Failure to use this command exactly as shown (with the redirections) will only remove the credentials (if any) from the pty where you run it.

Refer to the pam_timestamp_check man page for more information about destroying the timestamp file.