3

Is it possible to keep the sudo session for some time? I mean, when you open synaptic, you have to authenticate each time. In a single terminal, the sudo session exists for a specific amount of time. You don't need to authenticate each time you run something with sudo. Also, user accounts (system settings) has this feature (unlock). Can we do it system-wide?

I don't recommend disabling the password or logging in as root. Thanks in advance.

shantanu
  • 8,599
  • Have you got sudo set up so that after you have run a sudo command, you can run another few sudo commands without entering your password? – Wilf Jul 08 '14 at 04:46
  • You might want to look at http://askubuntu.com/questions/383747/how-to-configure-pkexec-to-not-ask-for-password or http://askubuntu.com/a/98032/158442, since, for synaptic at least, it's pkexec and not sudo that you are using. – muru Jul 08 '14 at 04:49
  • @wilf Thank you for the quick reply. Are you talking about the terminal? I didn't configure sudo. It's a default feature. You can try this with gnome-terminal – shantanu Jul 08 '14 at 04:56
  • @muru Thank you for the reply. I know this. Actually, the application is not important here. synaptic was an example. I am talking about the authentication session. – shantanu Jul 08 '14 at 04:57
  • And that's the point I am trying to make. It used to be that we would use gksudo (or something similar), it would maintain a session (or a timeout), during which you didn't have to enter password again, just like sudo. AFAIK, pkexec does not support such a timeout, or session. So the program used for authentication matters in this context. – muru Jul 08 '14 at 05:09
  • Improve your question if you need a better answer, because logging in as root is the best answer I see... – Alvar Jul 08 '14 at 05:35

2 Answers

5

From the sudoers man page:

SUDOERS OPTIONS

tty_tickets

If set, users must authenticate on a per-tty basis. With this flag enabled, sudo will use a separate record in the time stamp file for each tty. If disabled, a single record is used for all login sessions. This flag is on by default.

In other words, disabling tty_tickets creates a single ticket that is shared across every tty for that user. Authenticating on any tty creates a new ticket which becomes valid on every other tty belonging to that user, voila - no redundant password prompt just because you opened a new tab.

I recommend setting defaults on a per-user basis, along the lines of:

echo Defaults:$USER '!tty_tickets' | sudo tee -a /etc/sudoers.d/mycustomconf

If you really want to, I suppose, you could make a change to the global defaults in /etc/sudoers with visudo. Something like this placed with the other defaults near the top should do:

Defaults    !tty_tickets

Since the next question is usually "how can I change the session timeout value?", I figured I'd include it here for the sake of convenience:

## disable per-tty auth, timeout after 15 minutes
echo Defaults:$USER '!tty_tickets', timestamp_timeout=15 | sudo tee -a /etc/sudoers.d/mycustomconf
  • Works great. Thanks - I searched for "share sudo auth across shell sessions" and found this. It was an issue with tmux especially. – Docunext Apr 08 '18 at 23:59
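
An added example (not part of the answer above and not code from sudo): a POSIX shell version of the same per-user drop-in that checks the candidate file with visudo -cf and installs it with mode 0440, because a syntax error appended straight into /etc/sudoers.d can leave sudo unusable. The function names and the conservative input checks (plain account names, whole-minute timeouts) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a per-user sudoers drop-in and validate it before install.
# Function names and input restrictions are assumptions, not part of sudo.

# Print the drop-in line for user $1 with a timeout of $2 minutes.
make_dropin() {
    user=$1 timeout=$2
    # Accept only plain account names and non-negative whole minutes, so
    # nothing unexpected (spaces, extra rules) ends up in a sudoers file.
    case $user in ''|*[!A-Za-z0-9_-]*) echo "bad user name" >&2; return 1;; esac
    case $timeout in ''|*[!0-9]*) echo "bad timeout" >&2; return 1;; esac
    printf 'Defaults:%s !tty_tickets, timestamp_timeout=%s\n' "$user" "$timeout"
}

# sudo skips files in /etc/sudoers.d whose names contain '.' or end in '~',
# so such a drop-in would silently have no effect.
valid_dropin_name() {
    case $1 in ''|*.*|*~) return 1;; *) return 0;; esac
}

# Syntax-check candidate file $1, then install it as /etc/sudoers.d/$2,
# owned by root with mode 0440.
install_dropin() {
    src=$1 name=$2
    valid_dropin_name "$name" || { echo "sudo would ignore '$name'" >&2; return 1; }
    visudo -cf "$src" || return 1
    sudo install -o root -g root -m 0440 "$src" "/etc/sudoers.d/$name"
}

# Usage (run by hand):
#   tmp=$(mktemp) && make_dropin "$USER" 15 > "$tmp" && install_dropin "$tmp" mycustomconf
```

Keep a root shell open in another terminal while testing, and remember that a shared, longer-lived ticket means any process running as that user can call sudo without a prompt until the timeout expires.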
3

Extending time: From the sudo man page:

-v    When given the -v (validate) option, sudo will update the user's cached credentials, authenticating the user's password if necessary. For the sudoers plugin, this extends the sudo timeout for another 15 minutes (or whatever the timeout is set to by the security policy) but does not run a command. Not all security policies support cached credentials.

So according to this, running sudo -v should extend the time.

Logging in as root: Yes, you said you don't recommend logging in as root, but that's the cheapest way to keep root privileges for an extended time. You can always exit or log out from root, so it's not like you have to kill the terminal completely or log out of the tty completely.

sudo su

The $ sign should change to # when you have done it.

Alvar
  • 17,058
Sergiy Kolodyazhnyy
  • 105,154
  • Thank you for the reply. You are logging in as root, which is not good for a global session. Also, it will not work in different applications. This is not the answer. – shantanu Jul 08 '14 at 05:30