LinuxCommandLibrary

pam_timestamp_check

Enable passwordless authentication for a limited time

SYNOPSIS

pam_timestamp_check [options] [user]

PARAMETERS

-k
    Kill (remove) the timestamp file for the current user and tty. Useful for revoking a timestamp immediately.

-d
    Check if the timestamp directory (e.g., /var/run/pam_timestamp/) is present and has correct permissions. Exits non-zero if issues are found.

-u user
    Specify the username for which to check or manipulate the timestamp. Defaults to the current effective user.

-t tty
    Specify the TTY (terminal) for which to check or manipulate the timestamp. Defaults to the current TTY.

-s service
    Specify the PAM service name associated with the timestamp. This helps isolate timestamps for different services.

-r
    Renew the timestamp, extending its validity period. This effectively acts as a fresh authentication for the timestamp mechanism.

-N
    Perform no timestamp check; always exit successfully (exit code 0). Useful for forcibly allowing access or for testing.

-n
    Perform no timestamp check; always exit with failure (exit code 1). Useful for forcibly denying access or for testing.

-h
    Display a brief help message and exit.

-V
    Display version information and exit.

DESCRIPTION

The pam_timestamp_check utility is a backend program used primarily in conjunction with the pam_timestamp.so PAM module. Its main purpose is to manage and verify authentication timestamp files, which are typically stored in /var/run/pam_timestamp/.

When a user successfully authenticates through a service configured with pam_timestamp.so, a timestamp file is created for that user and tty. Subsequent authentication attempts within a configured timeout period can then use this timestamp to allow access without requiring the user to re-enter their password, which improves usability for operations like sudo. pam_timestamp_check can query these timestamps, remove them (e.g., when a session ends, or explicitly by an administrator), or renew them. It is not typically run directly by end users; it is invoked by PAM-aware applications or system scripts.

CAVEATS

The timestamp mechanism, while convenient, introduces a potential security trade-off by extending authentication validity. Misconfiguration or reliance on insecure timestamp file locations can compromise system security. This utility relies heavily on the proper configuration of the pam_timestamp.so module in PAM service files. Timestamps are typically specific to a user and TTY, so activities on different terminals might require separate authentication.

TIMESTAMP FILE LOCATION

Timestamp files are typically stored in /var/run/pam_timestamp/, although the specific path can be configured within the pam_timestamp.so module. Each file is named in a way that identifies the user, TTY, and optionally the service (e.g., user_tty_service) to which it applies. The directory and files must have appropriate permissions to prevent unauthorized access or manipulation, ensuring the integrity of the timestamp mechanism.
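The two checks described above (a timestamp is only honoured while it is younger than the configured timeout, and the directory holding it must not be tamperable) can be modelled in a small audit script. The following is an added example written for this page, not Linux-PAM code: the directory rule it applies (owned by the expected uid, not writable by group or others, regular files only) and the user_tty_service filename scheme are assumptions taken from the text; the module's exact rules are in pam_timestamp(8). The fixture directory it builds is constructed in a temporary location so the script runs offline.

```python
"""Audit a pam_timestamp-style directory: permissions and timestamp age.

Added example modelled on the behaviour described for pam_timestamp_check;
it is not the Linux-PAM implementation. Assumptions: files are named
user_tty_service, and the directory is trusted only when it is owned by
the expected uid (root in production) and not group/other writable.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
CURRENT_UID = os.getuid()  # used in place of root for the offline demo


def dir_problems(path, expected_uid=0):
    """Return a list of problems with the timestamp directory (empty = OK).

    Models the spirit of `pam_timestamp_check -d`: the directory must exist,
    be a directory, be owned by expected_uid and not be group/other writable.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & GROUP_OR_OTHER_WRITE:
        problems.append(f"{path}: group/other writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


@dataclass
class Stamp:
    user: str
    tty: str
    service: str
    age: float
    valid: bool


def list_stamps(path, timeout, now=None):
    """Parse every regular file named user_tty_service and compute its age."""
    now = time.time() if now is None else now
    stamps = []
    for name in sorted(os.listdir(path)):
        parts = name.split("_")
        if len(parts) < 3:
            continue  # not a timestamp file under the assumed naming scheme
        st = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks and other non-regular files are never trusted
        age = now - st.st_mtime
        # A stamp dated in the future is as suspicious as an expired one.
        valid = 0 <= age < timeout
        stamps.append(Stamp(parts[0], "_".join(parts[1:-1]), parts[-1], age, valid))
    return stamps


def check(path, user, tty, service, timeout, expected_uid=0, now=None):
    """Exit-code style answer: 0 if a valid stamp exists for the triple, else 1.

    A directory that fails the permission audit yields 1 regardless, because
    any stamp inside it could have been planted or touched by another user.
    """
    if dir_problems(path, expected_uid):
        return 1
    for s in list_stamps(path, timeout, now):
        if (s.user, s.tty, s.service) == (user, tty, service) and s.valid:
            return 0
    return 1


def build_demo_dir(now, weak=False):
    """Constructed fixture: one fresh (30 s) and one expired (900 s) stamp.

    With weak=True the directory is made world-writable to show the audit
    failing. Ownership is the current uid, standing in for root.
    """
    d = tempfile.mkdtemp(prefix="pam_ts_demo_")  # created mode 0700
    for tty, age in (("pts_0", 30), ("pts_1", 900)):
        p = os.path.join(d, f"alice_{tty}_sudo")
        open(p, "w").close()
        os.utime(p, (now - age, now - age))
    if weak:
        os.chmod(d, 0o777)
    return d


if __name__ == "__main__":
    now = time.time()
    good = build_demo_dir(now)
    print("dir problems:", dir_problems(good, CURRENT_UID) or "none")
    for s in list_stamps(good, 300, now):
        print(f"{s.user}@{s.tty}/{s.service}: age={s.age:.0f}s valid={s.valid}")
    print("check pts_0:", check(good, "alice", "pts_0", "sudo", 300, CURRENT_UID, now))
    weak = build_demo_dir(now, weak=True)
    print("weak dir problems:", dir_problems(weak, CURRENT_UID))
```

The return value of `check` follows the page's exit-code convention (0 = access may be granted, 1 = re-authenticate), so the function can stand in for the binary when testing a script that consumes its result.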

PURPOSE OF TIMESTAMPING

The primary goal of the timestamp mechanism is to improve user experience and reduce friction for frequent privileged operations. Instead of constantly asking for a password for every sensitive command, PAM can consult the timestamp. If a valid, non-expired timestamp exists, it can bypass the password prompt, balancing security with convenience. This is especially useful in environments where users frequently execute commands requiring elevated privileges.

HISTORY

pam_timestamp_check is an integral part of the Linux-PAM (Pluggable Authentication Modules for Linux) project, a robust framework for centralizing authentication services. It was developed to provide a flexible and configurable mechanism for session 'memory', allowing users to perform multiple privileged operations within a short period without repeated password prompts, similar to how sudo's timestamp_timeout option functions. Its design emphasizes integration with the PAM framework, offering system administrators fine-grained control over authentication policies.

SEE ALSO

pam_timestamp(8), pam(8), sudo(8)
