10.3. PAM and Administrative Credential Caching
control-center, provide users with elevated privileges for up to five minutes using the pam_timestamp.so module. It is important to understand how this mechanism works, because a user who walks away from a terminal while pam_timestamp.so is in effect leaves the machine open to manipulation by anyone with physical access to the console.
pam_timestamp.so module creates a timestamp file. By default, this is created in the /var/run/sudo/ directory. If the timestamp file already exists, graphical administrative programs do not prompt for a password. Instead, the pam_timestamp.so module freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user.
/var/run/sudo/user directory. For the desktop, the relevant file is unknown:root. If it is present and its timestamp is less than five minutes old, the credentials are valid.
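As an added illustration (not code from the Red Hat guide) of the validity rule just described, the following script lists the cached credentials that are still live under a given timestampdir and timestamp_timeout; the per-user subdirectory layout, the pts_3:root entry name and the sample ages are assumptions constructed for the demo.

```python
# Added example, not code from the Red Hat guide: audit a pam_timestamp
# directory for caches that are still valid under the rule the text states
# (a file younger than timestamp_timeout seconds, default 300, still grants
# unchallenged access). Assumed layout: <timestampdir>/<user>/<name>.
import os
import tempfile
import time
from pathlib import Path

DEFAULT_TIMESTAMPDIR = "/var/run/sudo"  # timestampdir default from the page
DEFAULT_TIMEOUT = 300                   # timestamp_timeout default (seconds)


def valid_timestamps(timestampdir=DEFAULT_TIMESTAMPDIR, timeout=DEFAULT_TIMEOUT, now=None):
    """Map (user, filename) -> age in seconds for every timestamp file still
    inside the validity window; an empty map means no cached credentials."""
    now = time.time() if now is None else now
    live = {}
    root = Path(timestampdir)
    if not root.is_dir():
        return live
    for userdir in (d for d in root.iterdir() if d.is_dir()):
        for ts in userdir.iterdir():
            age = now - ts.stat().st_mtime
            if 0 <= age < timeout:  # future-dated files are not trusted
                live[(userdir.name, ts.name)] = age
    return live


def make_demo_dir(base):
    """Write constructed sample caches (not real ones): alice's desktop entry is
    2 min old (valid), bob's 10 min old (expired), carol's hypothetical
    tty-scoped entry 30 s old (valid). Returns the reference time used."""
    now = time.time()
    samples = {("alice", "unknown:root"): 120,
               ("bob", "unknown:root"): 600,
               ("carol", "pts_3:root"): 30}
    for (user, name), age in samples.items():
        path = Path(base) / user / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
        os.utime(path, (now - age, now - age))
    return now


def run_demo(timeout=DEFAULT_TIMEOUT):
    """Build the sample directory in a temp dir and return the valid entries."""
    with tempfile.TemporaryDirectory() as tmp:
        return valid_timestamps(tmp, timeout=timeout, now=make_demo_dir(tmp))


if __name__ == "__main__":
    for (user, name), age in sorted(run_demo().items()):
        print(f"{user}: {name} is {int(age)}s old and still valid")
```

Pointing valid_timestamps() at the real timestampdir (as root, since the directory is not world-readable) shows which consoles would currently grant unchallenged administrative access.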
Figure 10.1. The Authentication Icon
10.3.1. Common pam_timestamp Directives
pam_timestamp.so module provides these two interfaces:
- timestamp_timeout: specifies the validity period (in seconds) of the timestamp file, by default 300 (five minutes).
- timestampdir: specifies in which directory the timestamp file is stored, by default /var/run/sudo/.
- You can also use debug for more detailed messages.
auth sufficient pam_timestamp.so timestamp_timeout=600
session optional pam_timestamp.so
pam_timestamp(8) man page and the
10.3.2. Removing the Timestamp File
Figure 10.2. Dismiss Authentication Dialog
- If logged in to the system remotely using ssh, use the /sbin/pam_timestamp_check -k root command to destroy the timestamp file.
- Run the /sbin/pam_timestamp_check -k root command from the same terminal window where the privileged application was launched.
- The logged-in user who originally invoked the pam_timestamp.so module must be the user who runs the /sbin/pam_timestamp_check -k command. Do not run this command as root.
- Killing the credentials on the desktop without using the action on the icon can be done with the following command:
/sbin/pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/null
Any other method only removes the credentials from the PTY where the command was run.
pam_timestamp_check man page for more information about destroying the timestamp file using