This brief guide explains how to change the sudo password timeout in Linux. The sudo system is an ingenious way to control who can run administrative tasks in Linux and Unix operating systems.
You can allow any normal user to execute commands that require root permissions by simply adding them to the "sudo" group. This way we don't have to share the root user's password with all users.
Whenever you run a command with sudo, you will be prompted to enter the sudo password. For subsequent commands that run shortly after the first sudo command, you don't have to enter the password, even if they require sudo privileges.
This is because sudo remembers your password for 15 minutes by default. After 15 minutes, you will be asked to enter the password again for any sudo command.
This is actually a security feature. For instance, if you left the terminal open after running commands with sudo, the authentication automatically expires after 15 minutes of sudo inactivity. So, the other users can’t do any further administrative tasks.
This behaviour can be changed by increasing or decreasing the sudo password timeout limit as described below.
1. Change Sudo Password Timeout in Linux
1.1. To change sudo password timeout limit in Linux, run:
$ sudo visudo
This command will open the /etc/sudoers file in the nano editor.
1.2. Find the following line:
And change it like below:
Defaults env_reset, timestamp_timeout=30
Here, 30 is the new timeout in minutes. Press Ctrl+X followed by Y to save the changes and close the editor.
From now on, you will be asked to enter the sudo password after 30 minutes of sudo inactivity.
1.1. The right way to edit sudoers file
Instead of making changes directly in the "/etc/sudoers" file, please consider adding local content in /etc/sudoers.d/. This is a better approach to modifying the sudo password timeout limit.
1.1.1. Cd into "/etc/sudoers.d/" directory:
$ cd /etc/sudoers.d/
1.1.2. Create a per-user configuration file using command:
$ sudo visudo -f sk
Replace "sk" with your username in the above command.
1.1.3. Add the following line in it:
As per the above line, I have set sudo password timeout for 30 minutes. Save the file by pressing Ctrl+O and press ENTER. And then, close the file by pressing CTRL+X.
If you're the only one who has access to the system, there is no need to set a shorter sudo password timeout. You can increase the timeout value to something much longer.
1.2. Always ask for sudo password
If you specify 0 (zero) for "timestamp_timeout", you will always be asked for the sudo password.
$ sudo visudo
If you specify a negative value, the timeout will never expire.
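Because 0 and negative values change sudo's behaviour so sharply, it helps to be able to list every timestamp_timeout setting on a system. The script below is an added example, not part of the original guide: it scans sudoers-style files and labels each setting it finds. The user "build", the verdict labels, the function names and the sample files are constructed for illustration, and 15 is the default stated above.

```shell
#!/bin/sh
# Added example (not from the original article): report every
# timestamp_timeout setting in sudoers-style files so risky values stand out.
# Output per setting: "<file>:<line>: <value> <verdict>"

DEFAULT_MINUTES=15   # default stated in the article; your build may differ

audit_timestamp_timeout() {
    awk -v def="$DEFAULT_MINUTES" '
        /^[ \t]*#/ { next }                    # comment lines carry no settings
        /^[ \t]*Defaults/ {
            rest = $0
            # A Defaults line can hold several comma-separated parameters.
            while (match(rest, /timestamp_timeout[ \t]*=[ \t]*-?[0-9]+(\.[0-9]+)?/)) {
                value = substr(rest, RSTART, RLENGTH)
                sub(/^[^=]*=[ \t]*/, "", value)
                if (value + 0 < 0)        verdict = "NEVER_EXPIRES"
                else if (value + 0 == 0)  verdict = "ALWAYS_PROMPT"
                else if (value + 0 > def) verdict = "LONGER_THAN_DEFAULT"
                else                      verdict = "AT_OR_BELOW_DEFAULT"
                printf "%s:%d: %s %s\n", FILENAME, FNR, value, verdict
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
    ' "$@"
}

# Exit status 0 when any audited file disables expiry (negative value).
has_never_expiring() {
    audit_timestamp_timeout "$@" | grep -q 'NEVER_EXPIRES$'
}

# Constructed sample input, written to a temporary directory (no root needed).
demo_dir=$(mktemp -d)
printf '%s\n' 'Defaults env_reset, timestamp_timeout=30' > "$demo_dir/sudoers"
printf '%s\n' '# Defaults timestamp_timeout=-1' \
              'Defaults:sk timestamp_timeout=0' \
              'Defaults:build timestamp_timeout=-1' > "$demo_dir/sk"
audit_timestamp_timeout "$demo_dir/sudoers" "$demo_dir/sk"
rm -rf "$demo_dir"
```

To check a real system, call audit_timestamp_timeout as root on /etc/sudoers and the files in /etc/sudoers.d/, since those files are normally not readable by ordinary users.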
1.3. Why visudo?
You might be wondering why we need to run "sudo visudo". Why not just run "sudo nano /etc/sudoers" and make the changes? Yes, you can do that as well. However, using visudo is the right way to edit the /etc/sudoers file. This way you put a lock on the /etc/sudoers file and avoid simultaneous edits by other users.
2. Reset Sudo Password Timeout
As I already said, once you have entered the sudo password, you will not be asked to enter the password for subsequent commands for the next N minutes defined in the sudoers file.
If you want to reset this behaviour and make sudo ask for the password next time, run:
$ sudo -k
This will immediately reset the password timeout and you will have to enter the sudo password for the next command.
For more details, refer to the man pages.
$ man sudoers
Hope this helps.