pam_timestamp_check
Enable passwordless authentication for a limited time
SYNOPSIS
pam_timestamp_check.so [debug] [nowarn] [timestamp_dir=/path/to/timestamps] [timestamp_timeout=seconds] [timestamp_user=username] [timestamp_group=groupname] [set_ownership] [use_uid] [audit] [background] [verbose] [onerr=[success | fail]]
PARAMETERS
debug
Enables debugging mode, which produces more verbose output to the system log.
nowarn
Suppresses warning messages.
timestamp_dir=/path/to/timestamps
Specifies the directory where timestamp files are stored. The default directory is often `/var/run/sudo`.
timestamp_timeout=seconds
Sets the lifetime (in seconds) for which a timestamp is considered valid. After this timeout, the timestamp is considered stale, and authentication will require full credentials.
timestamp_user=username
Specifies the user who owns the timestamp files. This is important for setting the correct permissions. Defaults to root.
timestamp_group=groupname
Specifies the group that owns the timestamp files. This is important for setting the correct permissions. Defaults to root.
set_ownership
Attempts to set the ownership of timestamp files to the specified user and group.
use_uid
Uses the numeric UID instead of the username for the timestamp file.
audit
Logs failed attempts to use a timestamp to the system log.
background
Runs the timestamp creation process in the background.
verbose
Provides more verbose output to the system log.
onerr=[success | fail]
Specifies the action to take if an error occurs. The default action is `fail`; this parameter allows the administrator to set it to `success`, which permits access even when an error occurs.
DESCRIPTION
The pam_timestamp_check module is a Pluggable Authentication Module (PAM) that checks the existence and validity of timestamp files. These files can be used to grant temporary privileges or bypass certain authentication checks based on prior successful authentications.
The module determines if the user should be granted access based on the timestamp file's existence and age. If the timestamp is valid, authentication may succeed without requiring full credentials. This is often used to allow users to execute commands requiring elevated privileges (e.g., using `sudo`) without needing to repeatedly enter their password within a specified time window.
The module offers options to configure the directory where timestamp files are stored, the lifetime of a timestamp, and the user and group ownership of these files. It is a key component in implementing passwordless sudo or similar mechanisms that grant elevated privileges.
CAVEATS
Incorrect configuration of the timestamp directory, the timeout, or file ownership can lead to security vulnerabilities, such as unauthorized privilege escalation (if a timestamp file can be created or refreshed by someone other than its intended owner) or denial of service.
CONFIGURATION
This module is typically configured in the PAM configuration files located in `/etc/pam.d/`. The appropriate file depends on the service being configured (e.g., `/etc/pam.d/sudo` for sudo). The module should be included in the `auth` section to check timestamps during authentication.
EXAMPLE
An example configuration line in `/etc/pam.d/sudo` might look like this:
`auth sufficient pam_timestamp_check.so timestamp_dir=/var/run/sudo timestamp_timeout=300`
With this configuration, a user can run `sudo` without a password if they have successfully authenticated within the last 300 seconds; the timestamp files are stored in `/var/run/sudo`.
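The following is an added example, not code from the module or this page: a small audit script that evaluates timestamp files the way the DESCRIPTION and CAVEATS above imply the module does (file present, expected owner and group, not writable by others, younger than timestamp_timeout). It assumes the running user's uid/gid stand in for timestamp_user/timestamp_group, and builds constructed sample files in a temporary directory rather than reading a real timestamp_dir.

```python
import os
import stat
import tempfile
import time


def timestamp_status(path, timeout, expected_uid, expected_gid, now=None, onerr="fail"):
    """Return (decision, reason) for a timestamp file, applying the checks the
    DESCRIPTION implies: exists, regular file, expected owner/group, not group
    or world writable, younger than `timeout` seconds.  `onerr` covers
    unexpected metadata errors only, like the onerr= parameter."""
    now = time.time() if now is None else now
    try:
        st = os.lstat(path)            # lstat: a symlink is not followed
    except FileNotFoundError:
        return "fail", "no timestamp file"
    except OSError as exc:
        return onerr, "stat error: %s" % exc.strerror
    if not stat.S_ISREG(st.st_mode):
        return "fail", "not a regular file"
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        return "fail", "owned by %d:%d, expected %d:%d" % (
            st.st_uid, st.st_gid, expected_uid, expected_gid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "fail", "group- or world-writable"
    age = now - st.st_mtime
    if age < 0:
        return "fail", "mtime is in the future"
    if age > timeout:
        return "fail", "stale: %.0fs old, timeout %ds" % (age, timeout)
    return "success", "valid for another %.0fs" % (timeout - age)


def demo(timeout=300):
    """Create constructed timestamp files in a temp dir and evaluate each."""
    uid, gid = os.getuid(), os.getgid()     # stand-ins for timestamp_user/group
    d = tempfile.mkdtemp(prefix="ts_demo_")
    results = {}
    for name, mode, age in (("fresh", 0o600, 0),
                            ("stale", 0o600, 2 * timeout),
                            ("loose", 0o666, 0)):   # loose: world-writable
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
        when = time.time() - age
        os.utime(p, (when, when))               # backdate the stale sample
        results[name] = timestamp_status(p, timeout, uid, gid)
    results["missing"] = timestamp_status(os.path.join(d, "missing"), timeout, uid, gid)
    return results
```

Pointing timestamp_status at the files under a real timestamp_dir, with the uid/gid of the configured timestamp_user and timestamp_group, gives a quick audit of which timestamps would currently grant passwordless access and which fail the ownership checks the CAVEATS section warns about.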