10.3. PAM and Administrative Credential Caching


A number of graphical administrative tools in Red Hat Enterprise Linux, such as the GNOME's control-center, provide users with elevated privileges for up to five minutes using the pam_timestamp.so module. It is important to understand how this mechanism works, because a user who walks away from a terminal while pam_timestamp.so is in effect leaves the machine open to manipulation by anyone with physical access to the console.
In the PAM timestamp scheme, the graphical administrative application prompts the user for the root password when it is launched. When the user has been authenticated, the pam_timestamp.so module creates a timestamp file. By default, this is created in the /var/run/sudo/ directory. If the timestamp file already exists, graphical administrative programs do not prompt for a password. Instead, the pam_timestamp.so module freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user.
You can verify the actual state of the timestamp file by inspecting the file in the /var/run/sudo/user directory. For the desktop, the relevant file is unknown:root. If it is present and its timestamp is less than five minutes old, the credentials are valid.
The existence of the timestamp file is indicated by an authentication icon, which appears in the notification area of the panel.
The Authentication Icon

Figure 10.1. The Authentication Icon

10.3.1. Common pam_timestamp Directives

The pam_timestamp.so module provides these two interfaces:
  • auth
  • session
In addition, the following options are available for pam_timestamp.so:
  • timestamp_timeout: specifies the validity period (in seconds) of the timestamp file, by default 300 (five minutes).
  • timestampdir: specifies in which directory the timestamp file is stored, by default /var/run/sudo/.
  • You can also use verbose or debug for more detailed messages.
For example:
auth       sufficient    pam_timestamp.so timestamp_timeout=600
session    optional     pam_timestamp.so
For details on how to use and configure PAM's directives, refer to Section 10.2, “About PAM Configuration Files”. See also the pam_timestamp(8) man page and the pam.conf(5) man page.

10.3.2. Removing the Timestamp File

Before abandoning a console where a PAM timestamp is active, it is recommended that the timestamp file be destroyed. To do this from a graphical environment, click the authentication icon on the panel. This causes a dialog box to appear. Click the Forget Authorization button to destroy the active timestamp file.
Dismiss Authentication Dialog

Figure 10.2. Dismiss Authentication Dialog

The PAM timestamp file has some important characteristics:
  • If logged in to the system remotely using ssh, use the /sbin/pam_timestamp_check -k root command to destroy the timestamp file.
  • Run the /sbin/pam_timestamp_check -k root command from the same terminal window where the privileged application was launched.
  • The logged in user who originally invoked the pam_timestamp.so module must be the user who runs the /sbin/pam_timestamp_check -k command. Do not run this command as root.
  • Killing the credentials on the desktop without using the Forget Authorization action on the icon can be done with the /sbin/pam_timestamp_check command.
    /sbin/pam_timestamp_check -k root </dev/null >/dev/null 2>/dev/null
    Any other method only removes the credentials from the PTY where the command was run.
Refer to the pam_timestamp_check man page for more information about destroying the timestamp file using pam_timestamp_check.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.