pam_timestamp_check
Enable passwordless authentication for a limited time
SYNOPSIS
pam_timestamp_check [timestamp_file]
PARAMETERS
timestamp_file
Optional path to timestamp file (defaults to ~/.pam_timestamp in user home).
DESCRIPTION
pam_timestamp_check is a helper utility for the pam_timestamp Pluggable Authentication Module (PAM) in Linux. It verifies whether a timestamp file, which caches a successful authentication for a limited time, is still valid. This enables passwordless access for tools like sudo and su during the configured timeout, improving usability without compromising long-term security.
The command examines the file's modification time against the timestamp_timeout value from PAM configuration (default 900 seconds). It runs silently as the invoking user, checking file ownership and permissions. Exit code 0 indicates a valid (non-expired) timestamp; 1 means expired, missing, or invalid.
It is typically invoked by PAM-aware applications via the auth sufficient pam_timestamp.so stack. The file, usually ~/.pam_timestamp, stores service-specific hashes and timestamps. Restrictive file permissions (the file must be mode 0600 and user-owned) prevent replay attacks.
It is useful in multi-command sessions to avoid repeated prompts, but it relies on accurate system time.
CAVEATS
Requires user-owned file with 0600 permissions; sensitive to clock skew; no output, only exit status; not for interactive use.
EXIT STATUS
0: valid timestamp
1: expired, missing, or invalid file
DEFAULT BEHAVIOR
Uses the timestamp_timeout value from the PAM configuration (default 900 seconds); service-specific subdirectories are possible.
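EXAMPLE
The following shell function is an added example, not the utility's own code: it re-applies the checks described above (user-owned, mode 0600, modification time within the timeout) so an administrator can audit a timestamp file by hand. The function name is hypothetical, stat -c assumes GNU or BusyBox stat, and rejecting symlinks and future-dated files is an assumption of this example.

```shell
# Added example for auditing; not the pam_timestamp_check implementation.
# check_timestamp_file FILE [TIMEOUT_SECONDS]  (hypothetical helper name)
# Returns 0 if FILE passes every check, 1 otherwise, matching the
# EXIT STATUS convention above. The reason is written to stderr.
check_timestamp_file() {
    ts_file=$1
    timeout=${2:-900}    # default timeout stated on this page

    # Missing, non-regular or symlinked file (assumption: symlinks rejected).
    if [ ! -f "$ts_file" ] || [ -L "$ts_file" ]; then
        echo "invalid: $ts_file is missing or not a regular file" >&2
        return 1
    fi

    # One stat call: owner uid, octal mode, mtime in epoch seconds.
    info=$(stat -c '%u %a %Y' "$ts_file") || return 1
    set -- $info
    owner=$1 mode=$2 mtime=$3

    if [ "$owner" != "$(id -u)" ]; then
        echo "invalid: owner uid $owner is not the invoking user" >&2
        return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "invalid: mode $mode, expected 600" >&2
        return 1
    fi

    age=$(( $(date +%s) - mtime ))
    # A future mtime points to clock skew or tampering (assumption: reject).
    if [ "$age" -lt 0 ]; then
        echo "invalid: mtime is ${age#-}s in the future" >&2
        return 1
    fi
    if [ "$age" -ge "$timeout" ]; then
        echo "expired: age ${age}s, timeout ${timeout}s" >&2
        return 1
    fi
    return 0
}
```

Call it as check_timestamp_file ~/.pam_timestamp and inspect $?; a non-zero status with a mode or owner message indicates a file that should be removed and recreated rather than trusted.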
HISTORY
Introduced in Linux-PAM 0.76 (2002) as part of timestamp caching feature; evolved with PAM standards for sudo/su integration.
SEE ALSO
pam_timestamp(8), sudo(1), su(1)


