Is it possible to enter password for sudo only once, and configure it to not require for password on other terminals?

Question

I enter my first sudo command. I enter my password. For a while, I wont have to enter my password for subsequent sudo commands.

Now the question. I am someone who opens a lot of terminals. It would be very convenient if I don't have to enter passwords when I use sudo in the terminals I open after my first sudo, for the short time when I wont have to enter password for sudo in the terminal from which I have used sudo for the first time. (Sorry for the long sentence!)

Is it possible? If not, why? If yes, how?

Have you considered that by doing so you're opening the security hole which that mechanism exists to close? The reason that you have to enter your password with sudo is to guard against the circumstance that an attacker somehow has gained access to a login session in your name. If you disable it and someone manages to hijack one of your terminal sessions (are they all on the same console?) or in some other way gains access to a login session in your name without knowing your password, they will be able to run any command as root. Not a very likely scenario, but something you should consider. — Pepijn Schmitz, Jul 01 '15 at 15:44
There should be a productivity tag, just to find questions like this. Else, have to follow the old way of keep waiting for that moment of ingenuity to come up with such questions. — saurabheights, Jan 18 '21 at 13:36

terdon · Accepted Answer · 2015-07-12T10:45:09.397

64

Sure it is. Run sudo visudo and add this line to your sudoers file:

Defaults        !tty_tickets

As explained in man sudoers:

 tty_tickets       If set, users must authenticate on a per-tty basis.
                   With this flag enabled, sudo will use a separate record
                   in the time stamp file for each tty.  If disabled, a
                   single record is used for all login sessions.  This
                   flag is on by default.

By setting tty_tickets to off (that's what the ! means), you enable a single authentication to be shared by multiple sessions.

edited Jul 12 '15 at 10:45

answered Jul 01 '15 at 13:03

terdon

98,183
15
197
293

1

The only thing I do differently here when advising users is to use a sudoers.d file instead. That way if they somehow screwup very easy to recover, just delete that file. Ex. `sudo visudo -f /etc/sudoers.d/01_file` – doug Jul 01 '15 at 13:14
What happens when sudo timeout ends? or run something like `sudo -k`? – Maythux Jul 01 '15 at 13:15
@Maythux you need to enter it again. This just makes a single identification work for all shell sessions. Nothing else. – terdon Jul 01 '15 at 13:24
I should note that if I use this method, the password will expire only at timeout of 15 minutes, even if I reboot which poses a security concern. So maybe add `sudo -k` to `/etc/rc6.d`? – daltonfury42 Jul 01 '15 at 13:50
1

@daltonfury42 this option does not affect the timeout. It _always_ expires after 15 minutes. The difference is that before, the authentication only affected a single session. Adding `sudo -k` in `/etc/rc.d` won't help since that is not run by your user and won't affect your user's session. You could add it to `~/.bash_logout` or `~/.profile` if you like. – terdon Jul 01 '15 at 14:04
Alright, it won't be a security concern, because I will have to log in with my password after shut-down. – daltonfury42 Jul 01 '15 at 15:00
@daltonfury42, you could use rc6 to remove all the timestamps with rm. You might also want to do it in rc0 – hildred Jul 01 '15 at 15:05
@doug how does that work? I didn't know of the `-f` option. From the manual, it looks like you will still need to copy that over to `/etc/sudoers` so, since `visudo` already checks for syntax errors and won't let you save the file if it detects any, I don't see how this offers any more protection. What am I missing? – terdon Jul 01 '15 at 16:39
No need to copy over to sudoers file, /etc/sudoers.d/ is used in addition to. It's actually recommended in sudoers to do this. "# Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file." While yes visudo does ck. that still doesn't account for users screwing up sudoers on occasion, so the less they access it the better. – doug Jul 01 '15 at 22:11
This feature is actually described in `man sudoers`, not `man sudo`. – and Jul 08 '15 at 15:12
It's not a "security concern" unless you count "security by handholding". The user that will invoke sudo has to be already logged in and that requires credentials. That option should be the default on popular linux distributions that are mainly used for desktops. – j riv Jan 12 '20 at 05:35
My answer below accomplishes the best of all worlds. – Theodore R. Smith Sep 30 '20 at 17:50

Theodore R. Smith · Answer 2 · 2020-09-30T17:50:01.293

0

So here is what you want to do to only have sudo ask for your password once per boot:

/etc/sudoers.d/00_prompt_once:

## Only ask for the password once for all TTYs per reboot.
## See https://askubuntu.com/a/1278937/367284 and
##     https://github.com/hopeseekr/BashScripts/
Defaults !tty_tickets
Defaults timestamp_timeout = -1

edited Sep 30 '20 at 17:50

answered Sep 30 '20 at 16:51

Theodore R. Smith

169
7

This is essentially disabling sudo completely: most of us work on machines that rarely reboot (either servers, or laptops), which means that your approach would allow anyone who sits in front of the machine to run any command at all, as long as the machine is on and someone has at any time during this boot entered the password. This isn't what the question was asking for, and it really isn't a good idea unless you truly don't care about security at all. – terdon Oct 01 '20 at 08:15
While this is true terdon, this means anyone with access to an account, however, for personal computers with one user account and no root password this means that they would have to be on the only account first which means they already have access where they shouldn't. If you use the system as a personal computer I don't see the issue as long as you lock your screen whenever you leave and don't share your private account password. – Jason Ivey Oct 26 '22 at 19:53

score 0 · Answer 3 · answered Mar 14 '22 at 19:30

In your sudoers.d file

sudo EDITOR=vim visudo -f /etc/sudoers/<filename>

Add the following:

Defaults    timestamp_timeout=-1

man sudoers reveals the following:

sudoers uses per-user time stamp files for credential caching. ...  The user may then use sudo without a password for a short period of time  (15 minutes unless overridden by the timestamp_timeout  option). ...   The timestamp_type option can be used to select the type of time stamp record  sudoers will use.

Further down:

 timestamp_timeout
                   Number of minutes that can elapse before sudo will ask for a passwd again.  The timeout may include a fractional component if minute granularity is insufficient, for example 2.5.  The default is 15.  Set
                   this to 0 to always prompt for a password.  If set to a value less than 0 the user's time stamp will not expire until the system is rebooted.  This can be used to allow users to create or delete their own
                   time stamps via “sudo -v” and “sudo -k” respectively.

please clarify your answer.. – theYnot Mar 17 '22 at 06:42 — theYnot, Mar 17 '22 at 06:42

Is it possible to enter password for sudo only once, and configure it to not require for password on other terminals?

3 Answers3