This brief guide explains how to change the sudo password timeout in Linux. The sudo system is an ingenious way to control who can run administrative tasks in Linux and Unix operating systems.
Introduction
You can allow any normal user to execute commands that require root permissions by simply adding him/her to the "sudo" group. This way we don't have to share the root user's password with all users.
Whenever you run a command with sudo, you will be prompted to enter the sudo password. For the subsequent commands that run shortly after first sudo command, you don't have to enter the password, even if they require sudo privileges.
This is because sudo caches your successful authentication (a timestamp record, not the password itself) for 15 minutes by default. After 15 minutes, you will be asked to enter the password again for any sudo command.
This is actually a security feature. For instance, if you left the terminal open after running commands with sudo, the authentication automatically expires after 15 minutes of sudo inactivity. So, the other users can’t do any further administrative tasks.
This behaviour can be changed by increasing or decreasing the sudo password timeout limit as described below.
1. Change Sudo Password Timeout in Linux
1.1. To change sudo password timeout limit in Linux, run:
$ sudo visudo
This command will open the /etc/sudoers file in the nano editor.
1.2. Find the following line:
Defaults env_reset
And change it like below:
Defaults env_reset, timestamp_timeout=30
Here, 30 is the new timeout in minutes. Press Ctrl+X followed by Y to save the changes and close the editor.
From now on, you will be asked to enter the sudo password after 30 minutes of sudo inactivity.
1.1. The Right Way to Edit Sudoers File
Instead of directly making changes in the "/etc/sudoers" file, please consider adding local content in /etc/sudoers.d/. This is a better approach to modifying the sudo password timeout limit.
1.1.1. Cd into the "/etc/sudoers.d/" directory:
$ cd /etc/sudoers.d/
1.1.2. Create a per-user configuration file using the command:
$ sudo visudo -f sk
Replace "sk" with your username in the above command.
1.1.3. Add the following line in it:
Defaults timestamp_timeout=30
As per the above line, I have set the sudo password timeout to 30 minutes. Save the file by pressing Ctrl+O and then ENTER. Then close the file by pressing CTRL+X.
If you're the only one who has access to the system, there is no need to set a shorter sudo password timeout. You can make the timeout value much longer.
1.2. Always ask for sudo password
If you set 0 (zero) for "timestamp_timeout", you will always be asked for the sudo password.
$ sudo visudo
Defaults timestamp_timeout=0
If you specify a negative value, the timeout will never expire.
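To check which timeout values are actually configured, the following added example (not part of the original article) scans sudoers files and labels each timestamp_timeout setting as zero, negative, or above the 15-minute default mentioned earlier. The function names and labels are hypothetical, the sample files are constructed, and the script also flags drop-in files that sudo skips because their name contains a "." or ends in "~".

```shell
#!/bin/sh
# Added example: audit timestamp_timeout settings in sudoers files.
# Function names are hypothetical; 15 minutes is the default stated in the article.

# Map one timeout value (minutes, may be fractional) to a finding.
classify_timeout() {
    awk -v v="$1" 'BEGIN {
        v += 0
        if (v < 0)       print "NEVER_EXPIRES"
        else if (v == 0) print "ALWAYS_PROMPT"
        else if (v > 15) print "LONGER_THAN_DEFAULT"
        else             print "AT_OR_BELOW_DEFAULT"
    }'
}

# Print one finding per timestamp_timeout setting in the given files.
audit_sudo_timeout() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
            # sudo skips drop-in files whose name contains "." or ends in "~"
            */sudoers.d/*.*|*/sudoers.d/*~)
                echo "$f: IGNORED_BY_SUDO"; continue ;;
        esac
        # Commented-out lines do not start with "Defaults", so they never match.
        sed -n 's/^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9.]*\).*/\1/p' "$f" |
        while read -r val; do
            echo "$f: timestamp_timeout=$val $(classify_timeout "$val")"
        done
    done
}

# Demo on constructed sample files (not real system configuration).
demo() {
    d=$(mktemp -d) && mkdir "$d/sudoers.d" || return 1
    printf 'Defaults env_reset, timestamp_timeout=30\n' > "$d/sudoers.d/sk"
    printf '#Defaults timestamp_timeout=5\nDefaults timestamp_timeout=-1\n' > "$d/sudoers.d/ops"
    printf 'Defaults timestamp_timeout=0\n' > "$d/sudoers.d/sk.bak"
    audit_sudo_timeout "$d"/sudoers.d/*
    rm -rf "$d"
}
demo
```

On a real system, run it as root against /etc/sudoers and /etc/sudoers.d/*, since those files are not readable by normal users.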
1.3. Why visudo?
You might be wondering why we need to run "sudo visudo". Why not just "sudo nano /etc/sudoers" and make the changes? Yes, you can do that as well. However, using visudo is the right way to edit the /etc/sudoers file. This way you can put a lock on the /etc/sudoers file and avoid simultaneous edits by other users.
2. Reset Sudo Password Timeout
As I already said, once you have entered the sudo password, you will not be asked to enter it for subsequent commands for the next N minutes defined in the sudoers file.
If you want to reset this behaviour and make sudo ask for the password next time, run:
$ sudo -k
This will immediately reset the password timeout and you will have to enter the sudo password for the next command.
For more details, refer to the man pages.
$ man sudoers
Hope this helps.
5 comments
the command of visudo will open the file in vi not nano. Other than that, good article and very helpful info. Got this bookmarked until I can make a note of this info.
thanks,
john
In Ubuntu, it opens the file in Nano, not Vim. In CentOS, it opens the file in Vi as you said. Glad it helped you.
This does not work.
$ cd /etc/sudoers.d/
-ash: cd: can’t cd to /etc/sudoers.d/: Permission denied
Your user doesn’t have permission. Check if the user has sudo permission. https://ostechnix.com/find-sudo-users-linux-system/
I had the same issue, as the directory is protected. Worked around it by switching to root user:
```
sudo -i
cd /etc/sudoers.d/
visudo my-username
```