pam_timestamp
Grant passwordless access after authentication
SYNOPSIS
pam_timestamp.so [debug] [nowarn] [dir=directory] [prefix=prefix] [timestamp_timeout=seconds] [grace=seconds] [purge=age]
PARAMETERS
debug
Enables verbose debugging output to syslog.
nowarn
Suppresses warning messages.
dir=directory
Specifies the directory where timestamp files are stored. The default is /var/run/timestamp.
prefix=prefix
Specifies a prefix for the timestamp filenames. The full filename is usually prefix.username.
timestamp_timeout=seconds
Specifies the maximum age of the timestamp file in seconds for access to be granted.
If the timestamp file is older than this value, access is denied. The default value is 300 seconds.
grace=seconds
Specifies a grace period in seconds. The timestamp file should be created with "now - grace" as its time, so access will be allowed for "grace + timestamp_timeout" seconds. The default value is 0 seconds.
purge=age
Specifies the maximum age in seconds of timestamp files before they are purged (deleted). Useful for cleanup.
DESCRIPTION
The pam_timestamp PAM module provides a mechanism for granting access based on the existence and age of a timestamp file. This module can be used to implement time-based access control, where users are granted access only after performing some action (e.g., running a specific program) that updates the timestamp. The module verifies whether a timestamp file associated with the user exists and whether its age is within a defined threshold. If the file exists and is recent enough, access is granted. Otherwise, access is denied. This can be used for tasks like granting temporary root privileges after a password change or requiring a specific program to be run before a service can be accessed.
The module offers flexibility through its configuration options, allowing administrators to customize the location of the timestamp files, the age limit, and the behavior when the timestamp is missing or too old. It is primarily used for granting specific privileges based on previous actions, improving security by reducing the window of opportunity for abuse.
CAVEATS
Incorrect configuration can lead to unintended denial of access. Proper file permissions on the timestamp directory are critical for security. If the directory is world-writable, an attacker can create a timestamp file and gain access.
USE CASES
pam_timestamp is often used in conjunction with other mechanisms like sudo. For example, after successfully authenticating through sudo, a timestamp file can be created. Subsequent attempts to elevate privileges using sudo within the specified timeout will be granted based on the timestamp, without requiring repeated password entry.
EXAMPLE USAGE
To use pam_timestamp, you need to configure it in a PAM configuration file (e.g., /etc/pam.d/sudo). An example entry might look like this:
auth sufficient pam_timestamp.so dir=/run/sudo prefix=admin timestamp_timeout=600
This configuration specifies that if a timestamp file exists in /run/sudo with the prefix 'admin' and is less than 600 seconds old, authentication will succeed without requiring a password.
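As an added example (not part of pam_timestamp or of this page), the following Python audit helper re-implements the documented age rule (timestamp_timeout plus grace) and the CAVEATS permission check, and runs it against a constructed directory using the settings from the entry above; the 'insecure' flag, the fixed clock and the sample users are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import tempfile
import time
from dataclasses import dataclass

@dataclass
class TimestampReport:
    path: str
    age: float
    grants_access: bool  # within timestamp_timeout + grace: pam_timestamp would succeed
    past_purge: bool     # older than purge=: file is eligible for cleanup

def grants_access(age, timestamp_timeout=300, grace=0):
    """Documented rule: a file written with 'now - grace' stays valid for grace +
    timestamp_timeout seconds. A future-dated file is rejected (assumption, conservative)."""
    return 0 <= age <= timestamp_timeout + grace

def audit_timestamp_dir(directory, prefix, timestamp_timeout=300, grace=0,
                        purge=None, now=None):
    """Return (world_writable, reports) for the prefix.username files in dir=.
    world_writable mirrors the CAVEATS warning: anyone could plant a timestamp."""
    now = time.time() if now is None else now
    world_writable = bool(os.stat(directory).st_mode & stat.S_IWOTH)
    reports = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith(prefix + "."):
            continue  # belongs to another prefix; pam_timestamp ignores it
        path = os.path.join(directory, name)
        age = now - os.stat(path).st_mtime
        reports.append(TimestampReport(path, age,
                                       grants_access(age, timestamp_timeout, grace),
                                       purge is not None and age > purge))
    return world_writable, reports

def demo(insecure=False):
    """Audit a constructed directory with the EXAMPLE USAGE settings
    (prefix=admin, timestamp_timeout=600) plus assumed grace=30 and purge=3600."""
    now = 1_700_000_000  # fixed clock so the sample ages are reproducible
    d = tempfile.mkdtemp()
    os.chmod(d, 0o777 if insecure else 0o700)  # 0o700: only the owner may write
    for user, age in (("alice", 120), ("bob", 620), ("carol", 5000)):
        path = os.path.join(d, f"admin.{user}")
        open(path, "w").close()
        os.utime(path, (now - age, now - age))  # back-date the constructed file
    try:
        return audit_timestamp_dir(d, "admin", 600, 30, 3600, now=now)
    finally:
        shutil.rmtree(d)
```

With these settings alice (120 s) and bob (620 s, saved by the 30 s grace) would be granted access, carol (5000 s) would be denied and is past the purge age; run demo(insecure=True) to see the world-writable warning trip.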
SEE ALSO
pam(8)