Sudo is Not Prompting For a Password When Re-executed Second Time

February 3, 2008 · 7 comments · Last updated May 2, 2012

I use sudo to provide permissions and command execution rights to other users under UNIX and Linux operating systems. However, I noticed something strange about sudo. When executing sudo, it will prompt for the user's password the first time, but sudo no longer requires a password when re-executing it. Why? Is this a security risk?

The sudo tool records a timestamp by creating a file when it is executed the first time. On later runs, sudo won't ask for a password as long as the timestamp has not timed out. The default timeout value is 900 seconds (15 minutes).

timestamp_timeout Option

The timestamp_timeout defines the number of minutes that can elapse before sudo will ask for a password again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user’s timestamp will never expire. Edit /etc/sudoers, enter:
# vi /etc/sudoers
You can also use the visudo command, which edits the sudoers file in a safe fashion:
# visudo
Set timestamp_timeout as per your requirement, or to 0 so that sudo will always prompt for a password:
Defaults timestamp_timeout=0
Save and close the file.

sudo -k command line option

Users can create or delete their own timestamps with sudo -v and sudo -k respectively. Run sudo -k to invalidate the timestamp after executing a sudo command:
$ sudo -k

passwd_timeout Option

The passwd_timeout option defines the number of minutes before the sudo password prompt times out. The default is 5; set this to 0 for no password timeout. Edit /etc/sudoers, enter:
Defaults passwd_timeout=2
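
To see which timeout behaviour a sudoers file actually configures, the settings above can be read back with a short script. This is an added example, not part of the original FAQ or of sudo: the function name, verdict labels and sample lines are assumptions, and the parser is simplified (no include directives, aliases or line continuations).

```sh
#!/bin/sh
# Added example: report how a sudoers-style file sets the timeouts discussed above.
# Assumption: simplified parser; no include directives, aliases or line continuations.
audit_sudoers_timeouts() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    # A bare option with no Defaults keyword is what visudo rejects as a syntax error.
    /^[ \t]*(timestamp_timeout|passwd_timeout)/ {
        printf "SYNTAX line %d: option without Defaults keyword\n", NR; next
    }
    /^[ \t]*Defaults/ {
        scope = $1; sub(/^Defaults/, "", scope); if (scope == "") scope = "(all)"
        rest = $0; sub(/^[ \t]*Defaults[^ \t]*[ \t]*/, "", rest)
        n = split(rest, opts, ",")                # Defaults takes a comma-separated list
        for (i = 1; i <= n; i++) {
            gsub(/[ \t"]/, "", opts[i])
            if (split(opts[i], kv, "=") != 2) continue
            if (kv[1] != "timestamp_timeout" && kv[1] != "passwd_timeout") continue
            if (kv[2] !~ /^-?[0-9]+(\.[0-9]+)?$/) verdict = "BAD_VALUE"
            else if (kv[1] == "passwd_timeout")
                verdict = (kv[2] + 0 == 0) ? "PROMPT_NEVER_TIMES_OUT" : ("PROMPT_MINUTES=" kv[2])
            else if (kv[2] + 0 < 0)  verdict = "NEVER_EXPIRES"
            else if (kv[2] + 0 == 0) verdict = "ALWAYS_PROMPT"
            else                     verdict = "CACHED_MINUTES=" kv[2]
            printf "%s line %d scope=%s\n", verdict, NR, scope
        }
        next
    }
    # NOPASSWD on a user rule removes the prompt entirely, whatever the timeouts say.
    /NOPASSWD:/ { printf "NOPASSWD line %d: no password prompt at all\n", NR }
    ' "$@"
}

# Constructed sample input (not a real system file).
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
timestamp_timeout 0
Defaults timestamp_timeout=0, passwd_timeout=2
Defaults:USER_NAME timestamp_timeout=-1
girish ALL=(ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers_timeouts
```

Pass a file name to audit a copy of a real sudoers file; the authoritative syntax check is still visudo -c -f FILE.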

{ 7 comments… read them below or add one }

1 Nik May 24, 2011 at 2:11 pm

I really didn’t understand anything. HOW DO YOU CHANGE the timestamp_timeout?
Add that in sudoers? Nothing happened, I got a parse error.

Sudo -k does nothing

HOW ?

2 ET December 22, 2011 at 12:38 pm

“The time out value is 600 seconds (5 minutes) by default. ” – 600sec != 5min…

3 bialy May 2, 2012 at 1:14 pm

I think there are some errors in this article:

1. “vi timestamp_timeout” should be “visudo” or “sudo visudo”.
2. There are no “Defaults” before timeout settings.

4 nixCraft May 2, 2012 at 1:33 pm

Thanks for the heads up. According to man page:

timestamp_timeout – Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 15. Set this to 0 to always prompt for a password. If set to a value less than 0 the user’s timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

The faq has been updated.

5 Girish Ram July 6, 2012 at 5:12 pm

There is a setting in the /etc/sudoers file, an entry you can add to force it to skip prompting for passwords (example below):

girish ALL=(ALL) NOPASSWD: ALL

The NOPASSWD tag will force sudo to skip the password prompt. You can remove that tag and it will force you to enter the password:

girish ALL=(ALL) ALL

Thanks
Girish

6 David Bell July 9, 2013 at 2:16 pm

The above does not work as described. When I add the line “timestamp_timeout 0” to the /etc/sudoers file via the command visudo, and I try to close the file, I get the following error:

>>> /etc/sudoers: syntax error near line 17 <<<
What now? r
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

What now?

Also, Girish you are wrong. girish ALL=(ALL) ALL will ask for the password the first time you use it, and then no password is required until the default timeout has expired. Test this by using sudo commands twice, not once.

7 David Bell July 9, 2013 at 2:27 pm

OK, here is the proper format to make this work in the /etc/sudoers file:

Defaults:USER_NAME timestamp_timeout=0

Be sure of the capital D in defaults.
