pam_timestamp
Grant passwordless access after authentication
SYNOPSIS
The pam_timestamp module is not a standalone command but is configured within PAM service files, typically located in /etc/pam.d/.
Its typical usage in a PAM configuration file looks like this:

auth sufficient pam_timestamp.so [module options]

Here auth is the module interface type, sufficient is the control flag, and pam_timestamp.so is the module library.
PARAMETERS
debug
Logs verbose debugging information to syslog.
verbose
Logs more information than default, but less than debug, to syslog.
timestamp_timeout=N
Sets the timeout duration for the timestamp in minutes. The default is 5 minutes. If set to 0, the timestamp will never expire. A value of -1 makes the timestamp permanent, never expiring unless explicitly removed.
timestamp_type=type
Specifies how timestamps are generated and stored. Possible values are: tty (default, one timestamp per terminal), ppid (one timestamp per parent process ID), or user (one timestamp per user, shared across all sessions/ttys).
timestamp_dir=DIR
Specifies the directory where timestamp files are stored. The default directory is usually /var/run/sudo/ts.
audit
Logs all re-authentications (when a password is required due to an expired timestamp) to syslog.
nolog
Prevents the module from logging authentication attempts to syslog. This can be useful to reduce log noise for very frequent operations.
disallow_null_tty
If a TTY cannot be determined for the current session, this option will cause the module to return PAM_AUTH_ERR immediately, preventing authentication.
no_is_a_tty
By default, pam_timestamp expects the process to be attached to a TTY. This option disables that requirement, allowing the module to function in non-TTY environments.
service_name=NAME
Overrides the default PAM service name used when constructing the timestamp file path. This is useful for sharing timestamps between different services or for custom configurations.
module_name=NAME
Used primarily for debugging, this option sets the module name reported in syslog messages, making it easier to identify logs from this specific instance of the module.
DESCRIPTION
The pam_timestamp module is a Pluggable Authentication Module (PAM) component for Linux systems. Its primary purpose is to manage timestamp files that allow users to perform certain actions (like running sudo commands) without re-authenticating for a specified grace period. This significantly improves user convenience by reducing repetitive password prompts for frequent operations.
When a user successfully authenticates through a service configured with pam_timestamp, a timestamp file is created or updated. Subsequent attempts to use that service within the configured timeout period will check this timestamp file. If it's valid and unexpired, authentication can proceed without requiring the user to re-enter their password. If the timestamp has expired or is invalid, the user will be prompted for authentication again.
It is commonly used with the sudo command to implement its password caching behavior, where a user can execute multiple commands as root after authenticating just once. The module is configured within PAM service files, typically in the auth stack, for services like sudo.
CAVEATS
pam_timestamp significantly improves convenience but introduces a potential security risk: if a terminal is left unlocked after an initial authentication, anyone with physical access can perform privileged actions within the grace period without re-entering the password.
The module relies on a properly configured PAM environment. Misconfiguration can lead to unexpected authentication behavior or deny legitimate access. It is not a standalone executable command; its functionality is solely within the PAM framework.
PAM CONFIGURATION
To enable pam_timestamp, you need to edit the relevant PAM service file(s) in /etc/pam.d/. For example, to integrate it with sudo, you might add a line in /etc/pam.d/sudo within the auth stack, typically before the actual authentication module. The sufficient control flag is often used, meaning that if the timestamp is valid, PAM authentication is considered successful and no further auth modules are processed for that request. If the timestamp is invalid or expired, the module fails, and subsequent auth modules in the stack (e.g., pam_unix.so) are invoked to request a password.
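The stacking rule above and the exposure described under CAVEATS can be checked mechanically against a service file. The audit script below is an added example, not part of Linux-PAM or of this page; the two /etc/pam.d/sudo stacks it contains are constructed samples, and the finding codes are assumed names chosen for this illustration.

```python
# Audit /etc/pam.d-style service files for risky pam_timestamp settings
# (added example; the sample stacks below are constructed, not real system files).
import re

WEAK_SUDO = """\
auth    sufficient  pam_timestamp.so timestamp_timeout=0 timestamp_type=user nolog
account include     system-auth
"""
TIGHT_SUDO = """\
auth    sufficient  pam_timestamp.so timestamp_timeout=5 audit
auth    required    pam_unix.so
account include     system-auth
"""

# type, control (bare word or bracketed [success=1 ...]), module, options
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, {option: value}) for each effective line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = _LINE.match(line) if line else None
        if not m:
            continue
        opts = dict(o.split("=", 1) if "=" in o else (o, "") for o in m.group(4).split())
        entries.append((m.group(1).lower(), m.group(2).lower(), m.group(3), opts))
    return entries

def audit_pam_timestamp(text):
    """Return [(finding_code, entry_index)] for every pam_timestamp auth entry."""
    entries = parse_pam(text)
    findings = []
    for i, (typ, control, module, opts) in enumerate(entries):
        if typ != "auth" or not module.endswith("pam_timestamp.so"):
            continue
        # Default is 5 minutes per the module documentation; 0 and -1 never expire.
        if opts.get("timestamp_timeout", "5") in ("0", "-1"):
            findings.append(("never_expires", i))
        # One timestamp per user extends the grace period to every tty/session.
        if opts.get("timestamp_type") == "user":
            findings.append(("shared_user_timestamp", i))
        if "nolog" in opts:   # re-authentications after expiry leave no syslog trace
            findings.append(("logging_suppressed", i))
        # With 'sufficient', a later auth module must exist to prompt when the stamp is expired.
        if control == "sufficient" and not any(e[0] == "auth" for e in entries[i + 1:]):
            findings.append(("no_fallback_auth", i))
    return findings
```

Run audit_pam_timestamp() over the contents of each file in /etc/pam.d/ that references pam_timestamp.so; an empty list means none of the four conditions was found.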
TIMESTAMP FILE LOCATION AND NAMING
By default, timestamp files are typically stored in /var/run/sudo/ts/. The exact filename depends on the timestamp_type option. For example, with timestamp_type=tty, files are named after the terminal's hash (e.g., /var/run/sudo/ts/tty/0D9D7C2C92C3D3C9D5A2F2B4C3D3C3D3C9D3C3D3C9). With timestamp_type=user, they are named after the user's UID (e.g., /var/run/sudo/ts/user/1000).
HISTORY
The pam_timestamp module is part of the Linux-PAM project, a widely used implementation of Pluggable Authentication Modules. Its functionality directly addresses the common need for password caching, particularly relevant for tools like sudo, which historically implemented similar timeout mechanisms internally. pam_timestamp provides a standardized, modular way for any PAM-aware service to leverage this timestamp-based authentication grace period, promoting consistency and reusability across different applications.