Home Linux Tips & Tricks How To Force Sudo Password Authentication In Linux

How To Force Sudo Password Authentication In Linux

Forcing Users To Enter Sudo Password For Each Command In Linux

By sk
Published: Last Updated on 3.1K views

As you may already know, when an user enter a command with sudo privileges, the sudo password will be remembered for a brief period of time.

By default, the password is remembered for 15 minutes. During this time, the users don't have to enter the password for the subsequent commands that run shortly after the first sudo command, even if they require sudo privileges.

What if you want to force the users to enter sudo password all the time? That's what we are going to learn now. This brief guide explains how to force sudo password authentication in Linux.

Force Password Authentication In Sudo

We can do this globally for all users or apply this rule for specific users only. First, let us see the global way.

Forcing Sudo Password Authentication Globally For All Users

1. Edit the /etc/sudoers file using your default editor:

$ sudo visudo

My default text editor is nano.

2. Find the following line:

Defaults env_reset

And timestamp_timeout=0 next to Defaults env_reset line like below:

Defaults env_reset, timestamp_timeout=0
Forcing Sudo Password Authentication Globally
Forcing Sudo Password Authentication Globally

Save the file and close it. If your text editor is nano, press CTRL+O and ENTER followed by CTRL+X to save the file and close it. If it is Vi/Vim editor, press ESC and type :wq and press ENTER to save and close the file.

Log out from the current session and log back in. From now on, all users will have to enter sudo password every time for each command prefixed with sudo.

As I already said, this is applicable for all users in the system. You can, however, apply this configuration for specific users only as described below.

Forcing Sudo Password Authentication For Specific Users

Instead of forcing all users to enter password all the time for all sudo commands, you can make only certain users to enter password for every sudo commands by adding local content in /etc/sudoers.d/ directory. This is better approach for forcing sudo password authentication on a per-user basis.

1. Cd into "/etc/sudoers.d/" directory:

$ cd /etc/sudoers.d/

2. Create a per-user configuration file using command:

$ sudo visudo -f ostechnix

Replace "ostechnix" with your username in the above command.

3. Add the following line in it:

Defaults timestamp_timeout=0
Forcing Sudo Password Authentication For Specific User
Forcing Sudo Password Authentication For Specific User

Save the file and closed it. Log out and log back in to apply the changes.

From now on, the user "ostechnix" must enter the password for each sudo command every time.

However, the other users in the system don't need to enter the sudo password. For other users, the password will be remembered for 15 minutes by default. Only after 15 minutes, the users will have to enter password for each sudo command.

Conclusion

In this brief tutorial, we discussed a simple yet useful tip to force all users or a specific user to enter sudo password when running commands in Linux.

Please note that this might be annoying in some cases, because the user is forced to enter password for every sudo transaction. Use this tip only when it is absolutely necessary.

Featured Image by Pexels.

You May Also Like

2 comments

Xamder June 25, 2022 - 9:53 pm

Hi.

You don’t create a per-user sudo configuration by creating /etc/sudoers.d/ or using `visudo -f username`. Instead, you’re just creating a file that’s included after /etc/sudoers. The configuration you created for ostechnix (/etc/sudoers.d/ostechnix) affects all users.

Instead, use this syntax:

`Defaults: timestamp_timeout=0`
`Defaults: timestamp_timeout=0`

So, if /etc/sudoers.d/ostechnix contains:

`Defaults:ostechnix timestamp_timeout=0 `

It’ll only alter sudo behavior for the user ostechnix.

Reply
sk July 14, 2022 - 12:28 pm

Thanks for the heads up. I will test and update the guide accordingly.

Reply

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More