Jack Wallen shows you how to change the default sudo timeout on your Linux machines, to make your administration a bit more efficient—and secure.
The sudo system is an ingenious way to manage who can run administrative commands on a Linux system. And, for the most part, it's pretty foolproof. But there are times, when I am busy multitasking or installing a new server software on a Linux box that sudo frustrates me. Why? Because of the default timeout.
By default, sudo will always prompt you for your password after five minutes of sudo inactivity. This is great if you step away from your machine for a bit and don't want to worry that, after the five minutes of inactivity, someone comes along and could issue a sudo command without having to first input a password.
SEE: IT pro's guide to working smarter with Linux (Tech Pro Research)
But sometimes I need that to function a bit differently. This is especially the case when I'm working on a machine only I have physical access to and would prefer the sudo timeout be a bit longer. Or, if a machine is in a high traffic area, I might want to change the default behavior such that sudo always asks for a password (no matter how much time has passed).
How do I do that? It's actually quite simple. All you have to do is edit the sudoers file.
In order to edit the sudoers file, there's a tool you'll want to know about. That tool is visudo. Why would you want to use visudo instead of just issuing the command sudo nano /etc/sudoers? Simple. Using visudo locks the sudoers file against simultaneous edits. In other words, if you have the sudoers file open in visudo, no one else can open the file in write mode.
On top of that, visudo also runs sanity checks and tests for parse errors -- so you don't have to worry that you've made a mistake in the sudoers file that'll prevent you from using sudo. Without using visudo, you could leave an error in the sudoers file that would render you unable to do any administrative work.
Now that you know to never edit the sudoers file outside of visudo, let's make the change.
Extending the timeout
Let's say you have multiple users on this machine, and you want to extend the timeout, for one particular user, to thirty minutes. To do that, issue the command:
In the file, you'll want to add at the end:
where USER is the username in question.
Save and close the file. If you're working with that user, I recommend you login via SSH and issue a sudo command (such as sudo apt-get update). Wait six or more minutes, and issue the command again. You shouldn't be prompted for a sudo password. Wait thirty or more minute, and you should be prompted for that password.
Once you have verified that the user account is functioning properly, exit out of the SSH session, log out of the terminal window, and log back in. Your account should now not require the sudo password for 30 minutes.
Always ask for a password
If you want to change the behavior, such that it always asks for a password, the Defaults line would look like:
where USER is the user in question. Once this is complete, log out and log back in. Any time you issue a sudo command, the configured user will be prompted for their sudo password.
Easy Sudo timeout management
This is a great way of managing sudo password timeout. Just make sure you use this configuration option wisely. Don't all of a sudden start changing all sudo timeouts to eight hours, as that is an invitation to disaster. Use wisely and this could make your daily Linux admin a bit more efficient, or your machines a bit more secure.
- How to install sudo on a Debian minimal server (TechRepublic)
- How to re-add yourself to the sudo security group (TechRepublic)
- Linus Torvalds talks frankly about Intel security bugs (ZDNet)
- How to quickly give users sudo privileges in Linux (TechRepublic)
- How to keep your Ubuntu Linux systems updated with uCaresystem (TechRepublic)
- Most secure Linux server setups vulnerable to newly discovered sudo hole (ZDNet)