Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.

16.6. PAM and Administrative Credential Caching

A variety of graphical administrative tools under Red Hat Enterprise Linux give users elevated privileges for up to five minutes via the pam_timestamp.so module. It is important to understand how this mechanism works because a user who walks away from a terminal while pam_timestamp.so is in effect leaves the machine open to manipulation by anyone with physical access to the console.

Under the PAM timestamp scheme, the graphical administrative application prompts the user for the root password when it is launched. Once authenticated, the pam_timestamp.so module creates a timestamp file within the /var/run/sudo/ directory by default. If the timestamp file already exists, other graphical administrative programs do not prompt for a password. Instead, the pam_timestamp.so module freshens the timestamp file — reserving an extra five minutes of unchallenged administrative access for the user.

The existence of the timestamp file is denoted by an authentication icon in the notification area of the panel. Below is an illustration of the authentication icon:

Figure 16-1. The Authentication Icon

16.6.1. Removing the Timestamp File

It is recommended that before walking away from a console where a PAM timestamp is active, the timestamp file be destroyed. To do this from within a graphical environment, click on the authentication icon on the panel. When a dialog box appears, click on the Forget Authorization button.

Figure 16-2. Authentication Icon Dialog

If logged into a system remotely using ssh, use the /sbin/pam_timestamp_check -k root command to destroy the timestamp file.

Note Note
 

You must be logged in as the user who originally invoked the pam_timestamp.so module in order to use the /sbin/pam_timestamp_check command. Do not log in as root to issue this command.

For information about destroying the timestamp file using pam_timestamp_check, refer to the pam_timestamp_check man page.

16.6.2. Common pam_timestamp Directives

The pam_timestamp.so module accepts several directives. Below are the two most commonly used options:

  • timestamp_timeout — Specifies the number of seconds the during which the timestamp file is valid (in seconds). The default value is 300 seconds (five minutes).

  • timestampdir — Specifies the directory in which the timestamp file is stored. The default value is /var/run/sudo/.

For more information about controlling the pam_timestamp.so module, refer to Section 16.8.1 Installed Documentation.

 
 
  Published under the terms of the GNU General Public License Design by Interspire