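As we all know, after you run a sudo command and authenticate, there is a 15-minute window during which no password is required; once it expires you have to enter the password again. In a test environment, though, what if you don't want to keep typing the password but also don't want to run sudo entirely without one? Is there a way to extend that window, or even to enter the sudo password only once per login?
The answer is of course yes.
First, let's look at the sudo manual page, which contains this passage: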
huangzz@ubuntu:~$ man sudo
...
Security policies may support credential caching to allow the user to run sudo again for a period of time without requiring authenti‐
cation. By default, the sudoers policy caches credentials on a per-terminal basis for 15 minutes. See the timestamp_type and
timestamp_timeout options in sudoers(5) for more information. By running sudo with the -v option, a user can update the cached cre‐
dentials without running a command.
...
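This passage says that credentials are cached for only 15 minutes by default, and that further configuration options are described in the sudoers manual page.
Fine, so let's look at the sudoers manual page and find the options related to timestamp_timeout: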
huangzz@ubuntu:~$ man sudoers
...
sudoers uses per-user time stamp files for credential caching. Once a user has been authenticated, a record is written containing
the user-ID that was used to authenticate, the terminal session ID, the start time of the session leader (or parent process) and a
time stamp (using a monotonic clock if one is available). The user may then use sudo without a password for a short period of time
(15 minutes unless overridden by the timestamp_timeout option). By default, sudoers uses a separate record for each terminal, which
means that a user's login sessions are authenticated separately. The timestamp_type option can be used to select the type of time
stamp record sudoers will use.
...
timestamp_timeout
Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional
component if minute granularity is insufficient, for example 2.5. The default is 15. Set this to 0 to always
prompt for a password. If set to a value less than 0 the user's time stamp will not expire until the system is re‐
booted. This can be used to allow users to create or delete their own time stamps via “sudo -v” and “sudo -k” re‐
spectively.
...
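The first passage largely repeats what the sudo manual page says. The second, the option description, explains that the timeout is controlled by timestamp_timeout, in minutes; setting it to a value less than 0 keeps the cached credentials valid until the system reboots, while 0 makes sudo always prompt. To configure it, just run sudo visudo and add Defaults timestamp_timeout=-1. (Well, everything before this was padding; only this sentence is the real substance. 😀)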
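To check what a sudoers file actually sets, the following added example (not code from the original post) lists every timestamp_timeout entry and labels it with the meaning given in the sudoers(5) text quoted above. The function names and the sample file contents are assumptions constructed for illustration; the parsing covers plain Defaults lines only, not every sudoers syntax form.

```shell
#!/bin/sh
# Added example: audit timestamp_timeout values in sudoers-style text.

# classify_timeout VALUE -> meaning of the value per the quoted sudoers(5) text.
classify_timeout() {
    awk -v v="$1" 'BEGIN {
        if (v !~ /^-?[0-9]+(\.[0-9]+)?$/) { print "invalid"; exit }
        if (v + 0 < 0)       print "no-expiry-until-reboot"
        else if (v + 0 == 0) print "always-prompt"
        else                 print "expires-after-" v "-min"
    }'
}

# audit_sudoers FILE -> one "LINE SCOPE VALUE MEANING" row per active setting.
# Commented-out lines are skipped because they do not start with "Defaults".
audit_sudoers() {
    grep -nE '^[[:space:]]*Defaults[^[:space:]]*[[:space:]].*timestamp_timeout[[:space:]]*=' "$1" |
    while IFS= read -r row; do
        n=${row%%:*}        # line number added by grep -n
        line=${row#*:}      # the sudoers line itself
        scope=$(printf '%s\n' "$line" | awk '{print $1}')
        val=$(printf '%s\n' "$line" |
              sed -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*([^,[:space:]]*).*/\1/')
        printf '%s %s %s %s\n' "$n" "$scope" "$val" "$(classify_timeout "$val")"
    done
}

# Constructed sample input, not taken from a real host.
sample_sudoers() {
cat <<'EOF'
# constructed sample
Defaults env_reset
Defaults timestamp_timeout=0
Defaults:huangzz timestamp_timeout=-1
Defaults env_reset,timestamp_timeout=2.5
# Defaults timestamp_timeout=60
EOF
}

# Demo: audit the constructed sample from a temporary file.
tmp=$(mktemp) && sample_sudoers > "$tmp" && audit_sudoers "$tmp"
rm -f "$tmp"
```

On a real system, point audit_sudoers at /etc/sudoers and the files under /etc/sudoers.d (reading them requires root); any row labelled no-expiry-until-reboot is worth reviewing outside a test environment.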