When I run sudo and enter my password, a subsequent invocation of sudo within a few minutes will not need the password to be re-entered.
How can I change the default timeout to require the password again?
man sudoers says:
Once a user has been authenticated, [...] the user may then use sudo without a password for a short period of time (5 minutes unless overridden by the timestamp_timeout option).
To change the timeout, run sudo visudo and add the line:
Defaults timestamp_timeout=30
where 30 is the new timeout in minutes.
To always require a password, set to 0. To set an infinite timeout, set the value to be negative.
To totally disable the prompt for a password for user ravi:
Defaults:ravi !authenticate
sudo visudo modifies the default configuration file directly, but the file has the suggestion below:
Please consider adding local content in /etc/sudoers.d/ instead of directly modifying this file.
So, a better way is:
cd /etc/sudoers.d
sudo visudo -f user_name
Add the content
Defaults timestamp_timeout=(number)
(number) is the new timeout in minutes.
timestamp_timeout (man 5 sudoers)
Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 15. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's time stamp will not expire until the system is rebooted. This can be used to allow users to create or delete their own time stamps via “sudo -v” and “sudo -k” respectively.
Save the file by pressing Ctrl + O and press enter, and exit using Ctrl + X.
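The drop-in approach above, as an added example that is not part of the original answers: a small shell helper that validates the timeout value and the file name, syntax-checks the line with visudo -c -f, and only then installs it read-only. The function names and the temp-file workflow are assumptions made for this example; sudo skips files in /etc/sudoers.d whose names contain a '.' or end in '~', so such names are rejected up front.

```shell
#!/bin/sh
# Added example: install a timestamp_timeout drop-in without risking a broken sudoers.

# Accept only what timestamp_timeout takes: minutes, optionally fractional or negative.
valid_timeout() {
    case $1 in
        ''|*[!0-9.-]*) return 1 ;;          # rejects spaces, newlines, extra directives
    esac
    printf '%s\n' "$1" | grep -Eq '^-?[0-9]+(\.[0-9]+)?$'
}

# sudo ignores drop-ins whose name contains '.' or ends in '~'; also forbid '/'.
valid_dropin_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the sudoers line for a validated timeout.
render_dropin() {
    valid_timeout "$1" || return 1
    printf 'Defaults timestamp_timeout=%s\n' "$1"
}

# install_dropin NAME TIMEOUT [DIR]  (run as root; DIR defaults to /etc/sudoers.d)
install_dropin() {
    name=$1 timeout=$2 dir=${3:-/etc/sudoers.d}
    valid_dropin_name "$name" || { echo "bad file name: $name" >&2; return 1; }
    valid_timeout "$timeout"  || { echo "bad timeout: $timeout" >&2; return 1; }
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    render_dropin "$timeout" > "$tmp"
    # Check the syntax of the candidate file before it goes live.
    if visudo -c -q -f "$tmp"; then
        install -m 0440 "$tmp" "$dir/$name"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Example (as root): install_dropin timeout 0    # always prompt for the password
```

After installing, sudo -k drops the cached timestamp so the next sudo call shows the new behaviour immediately.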
You need to edit /etc/sudoers. For those who don't use vi, you should edit this file (on some flavors of Linux) with a terminal command like this:
sudo EDITOR=gedit visudo
Then add or change timestamp_timeout:
# After authenticating, this is the amount of time after which
# sudo will prompt for a password again in the same terminal
Defaults timestamp_timeout=30
vi, would be setting the $EDITOR variable to something else. The idea of visudo is not to call vi, but to keep people from locking themselves (and anyone else depending on sudo) out of their root account by 1) copying /etc/sudoers to a temporary file, 2) calling $EDITOR on this file, 3) running a syntax check on this file and 4) eventually replacing /etc/sudoers with the updated version. – Andreas Wiese Jan 22 '19 at 22:34
visudo's documentation says this: "Normally, visudo does not honor the VISUAL or EDITOR environment variables unless they contain an editor in the aforementioned editors list" - and the list defaults to only vi, while allowing any editor is said to be a security hole. But I can confirm that sudo EDITOR=gedit visudo works on my CentOS 7.2 box. The syntax check it provides is certainly a Good Thing. – Qwertie Jan 22 '19 at 22:56
sudoers itself - just for the record. I'm sure the syntax check will tell. ;) – Andreas Wiese Jan 22 '19 at 23:11
visudo, but other editors may not. All you really need to know is vi has 2 modes, command (default) and insert modes. You tap 'i' to get into insert mode (edit as normal) and tap ESC to return to command mode. Then :wq to write and quit or just :q to quit and to discard changes and quit it's just :q!. When all else fails, tap ESC to return to command mode... – David C. Rankin Jul 12 '23 at 09:54
timestamp_timeout when searching the man pages myself, but I didn't know to include Defaults. What told you that in the manual? – mcp Mar 20 '22 at 20:52