pam_timestamp

pam_timestamp.so [debug] [nowarn] [dir=directory] [prefix=prefix] [timestamp_timeout=seconds] [grace=seconds] [purge=age]

debug
    Enables verbose debugging output to syslog.

nowarn
    Suppresses warning messages.

dir=directory
    Specifies the directory where timestamp files are stored. The default is /var/run/timestamp.

prefix=prefix
    Specifies a prefix for the timestamp filenames. The full filename is usually prefix.username.

timestamp_timeout=seconds
    Specifies the maximum age of the timestamp file in seconds for access to be granted.
If timestamp file is older than this value, access is denied. Default value is 300 seconds.

grace=seconds
    Specifies a grace period in seconds. The timestamp file should be created with "now - grace" time, so access will be allowed for "grace + timestamp_timeout" duration. Default value is 0 seconds.

purge=age
    Specifies the maximum age in seconds of timestamp files before they are purged/deleted. Useful for cleanup.

The pam_timestamp PAM module provides a mechanism for granting access based on the existence and age of a timestamp file. This module can be used to implement time-based access control, where users are granted access only after performing some action (e.g., running a specific program) that updates the timestamp. The module verifies if a timestamp file associated with the user exists and its age is within a defined threshold. If the file exists and is recent enough, access is granted. Otherwise, access is denied. This can be used for tasks like granting temporary root privileges after a password change or requiring a specific program to be run before a service can be accessed.

The module offers flexibility through its configuration options, allowing administrators to customize the location of the timestamp files, the age limit, and the behavior when the timestamp is missing or too old. It's primarily used for granting specific privileges based on previous actions, improving security by reducing the window of opportunity for abuse.

Incorrect configuration can lead to unintended denial of access. Proper file permissions on the timestamp directory are critical for security. If directory is world writable, an attacker can create a timestamp file and gain access.

pam_timestamp is often used in conjunction with other mechanisms like sudo. For example, after successfully authenticating through sudo, a timestamp file can be created. Subsequent attempts to elevate privileges using sudo within the specified timeout will be granted based on the timestamp, without requiring repeated password entry.

To use pam_timestamp, you need to configure it in a PAM configuration file (e.g., /etc/pam.d/sudo). An example entry might look like this:

auth sufficient pam_timestamp.so dir=/run/sudo prefix=admin timestamp_timeout=600

This configuration specifies that if a timestamp file exists in /run/sudo with the prefix 'admin' and is less than 600 seconds old, authentication will succeed without requiring a password.

pam(8)