How to Change the Default sudo Password Timeout on Linux


When you run the sudo command in Linux, it remembers the password for 15 minutes by default, determined by the timestamp_timeout variable in the /etc/sudoers file. So during this time, you can run any other sudo command without providing the password. It prompts for a password again after 15 minutes of sudo inactivity.

However, you can tweak the default timeout period and make it longer or shorter according to your preferences. You can also configure it in a way that it always asks for a password or ask for it once per terminal session or system boot. Here’s how you can do this.

Adjust sudo Password Timeout on Linux

For any sudo-related changes such as granting the sudo privileges, adding or setting up custom rules, etc., you need to edit the /etc/sudoers file. However, it is not recommended to manually edit this file directly using any text editor. Instead, use the following command to edit the file:

 sudo visudo 

This command opens the /etc/sudoers file in a text editor for editing.

To change the default sudo password timeout (and make it either longer or shorter), add the following line at the end of the file and change its value to whatever time (in minutes) you want it to wait for before the timeout.

 Defaults timestamp_timeout=x 

Let’s say you want to shorten the sudo password timeout to three minutes, so you will add:

 Defaults timestamp_timeout=3 
adjust sudo password timeout

Note that the term Defaults in the above command refers to system-wide settings. To apply the configuration only to a specific user, use the following command instead:

 Defaults:username timestamp_timeout=x 

Always Prompt for a sudo Password

To always prompt for a password whenever a sudo command runs, change the value of the timestamp_timeout variable to 0:

 Defaults timestamp_timeout=0 

Remember, you can make this change only as a superuser. As a standard user, you can accomplish this by using the following command:

 sudo -k 

This command does not require a sudo password. Also, it will make sudo prompt for a password the next time you run it. However, remember that it will not be a permanent change. You can invoke this command whenever you want sudo to prompt for a password.

Prompt for an Admin Password Once Per Terminal Session

You can also make sudo prompt for the password once per terminal session. For instance, If you want to enter a sudo password only once per session, add the following line in the /etc/sudoers file:

 Defaults timestamp_timeout = -1 

Now the timestamp will not expire until you close the terminal. This means after opening the terminal, you will only have to enter the password once when you run the first sudo command.

An alternative way to do this is to open the shell as root using the following command:

 sudo bash 

The following command will ask for the sudo password once, and then you can run all the subsequent commands without any password.

launch shell as root

Prompt for Administrator Password Once Per System Boot

To make sudo prompt for a password once per system boot, add the following entries in the /etc/sudoers file:

 Defaults !tty_tickets
Defaults timestamp_timeout = -1

In the above command, !tty_tickets will enable the single timestamp for all terminal sessions so you will only need to input the sudo password once regardless of how many terminals you open. The timestamp_timeout = -1 will set the sudo password to never expire until the system reboot.

You can reboot your Linux machine to check if the changes were saved.

Tweaking the sudo Timeout Behavior on Linux

Now you can easily change the sudo timeout behavior and adjust when it prompts you for a password. Note that you can also use sudo without ever being prompted for a password. However, you should use this option only if you are the sole user that has access to the system; otherwise, it can be a great security risk.


Source link

Leave a Reply

%d bloggers like this: