10.3. PAM and Administrative Credential Caching
control-center, provide users with elevated privileges for up to five minutes using the
pam_timestamp.somodule. It is important to understand how this mechanism works, because a user who walks away from a terminal while
pam_timestamp.sois in effect leaves the machine open to manipulation by anyone with physical access to the console.
pam_timestamp.somodule creates a timestamp file. By default, this is created in the
/var/run/sudo/directory. If the timestamp file already exists, graphical administrative programs do not prompt for a password. Instead, the
pam_timestamp.somodule freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user.
/var/run/sudo/user directory. For the desktop, the relevant file is
unknown:root. If it is present and its timestamp is less than five minutes old, the credentials are valid.
Figure 10.1. The Authentication Icon
10.3.1. Removing the Timestamp File
Figure 10.2. Dismiss Authentication Dialog
- If logged in to the system remotely using
ssh, use the
/sbin/pam_timestamp_check -k rootcommand to destroy the timestamp file.
- Run the
/sbin/pam_timestamp_check -k rootcommand from the same terminal window where the privileged application was launched.
- The logged in user who originally invoked the
pam_timestamp.somodule must be the user who runs the
/sbin/pam_timestamp_check -kcommand. Do not run this command as root.
- Killing the credentials on the desktop without using theaction on the icon can be done with the
/sbin/pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/nullAny other method only removes the credentials from the PTY where the command was run.
pam_timestamp_checkman page for more information about destroying the timestamp file using
10.3.2. Common pam_timestamp Directives
pam_timestamp.somodule accepts several directives, with two used most commonly:
timestamp_timeout— Specifies the period (in seconds) for which the timestamp file is valid. The default value is 300 (five minutes).
timestampdir— Specifies the directory in which the timestamp file is stored. The default value is
pam_timestamp, see the