As you may already know, when an user enter a command with sudo privileges, the sudo password will be remembered for a brief period of time.
By default, the password is remembered for 15 minutes. During this time, the users don't have to enter the password for the subsequent commands that run shortly after the first sudo command, even if they require sudo privileges.
What if you want to force the users to enter sudo password all the time? That's what we are going to learn now. This brief guide explains how to force sudo password authentication in Linux.
Force Password Authentication In Sudo
We can do this globally for all users or apply this rule for specific users only. First, let us see the global way.
Forcing Sudo Password Authentication Globally For All Users
1. Edit the /etc/sudoers
file using your default editor:
$ sudo visudo
My default text editor is nano.
2. Find the following line:
Defaults env_reset
And timestamp_timeout=0
next to Defaults env_reset
line like below:
Defaults env_reset, timestamp_timeout=0
Save the file and close it. If your text editor is nano, press CTRL+O
and ENTER followed by CTRL+X
to save the file and close it. If it is Vi/Vim editor, press ESC
and type :wq
and press ENTER
to save and close the file.
Log out from the current session and log back in. From now on, all users will have to enter sudo password every time for each command prefixed with sudo.
As I already said, this is applicable for all users in the system. You can, however, apply this configuration for specific users only as described below.
Forcing Sudo Password Authentication For Specific Users
Instead of forcing all users to enter password all the time for all sudo commands, you can make only certain users to enter password for every sudo commands by adding local content in /etc/sudoers.d/
directory. This is better approach for forcing sudo password authentication on a per-user basis.
1. Cd into "/etc/sudoers.d/
" directory:
$ cd /etc/sudoers.d/
2. Create a per-user configuration file using command:
$ sudo visudo -f ostechnix
Replace "ostechnix" with your username in the above command.
3. Add the following line in it:
Defaults timestamp_timeout=0
Save the file and closed it. Log out and log back in to apply the changes.
From now on, the user "ostechnix" must enter the password for each sudo command every time.
However, the other users in the system don't need to enter the sudo password. For other users, the password will be remembered for 15 minutes by default. Only after 15 minutes, the users will have to enter password for each sudo command.
Conclusion
In this brief tutorial, we discussed a simple yet useful tip to force all users or a specific user to enter sudo password when running commands in Linux.
Please note that this might be annoying in some cases, because the user is forced to enter password for every sudo transaction. Use this tip only when it is absolutely necessary.
Related Read:
Featured Image by Pexels.
2 comments
Hi.
You don’t create a per-user sudo configuration by creating /etc/sudoers.d/ or using `visudo -f username`. Instead, you’re just creating a file that’s included after /etc/sudoers. The configuration you created for ostechnix (/etc/sudoers.d/ostechnix) affects all users.
Instead, use this syntax:
`Defaults: timestamp_timeout=0`
`Defaults: timestamp_timeout=0`
So, if /etc/sudoers.d/ostechnix contains:
`Defaults:ostechnix timestamp_timeout=0 `
It’ll only alter sudo behavior for the user ostechnix.
Thanks for the heads up. I will test and update the guide accordingly.