How do you extend the time sudo caches your password?

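As we all know, after you run a sudo command and authenticate, there is a 15-minute window in which no password is needed; once it expires, you have to enter the password again. In a test environment, though, you may not want to type the password so often, yet also not want fully passwordless execution. Is there a way to extend that window, or even to enter the sudo password only once per login?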

The answer is of course yes.

First, let's look at the sudo man page, which contains this passage:

huangzz@ubuntu:~$ man sudo
...
Security policies may support credential caching to allow the user to run sudo again for a period of time without requiring authenti‐
cation.  By default, the sudoers policy caches credentials on a per-terminal basis for 15 minutes.  See the timestamp_type and
timestamp_timeout options in sudoers(5) for more information.  By running sudo with the -v option, a user can update the cached cre‐
dentials without running a command.
...

This passage says that credentials are cached for only 15 minutes by default, and that further configuration is described in the sudoers man page.

So next, let's look at the sudoers man page and find the options related to timestamp_timeout:

huangzz@ubuntu:~$ man sudoers
...
sudoers uses per-user time stamp files for credential caching.  Once a user has been authenticated, a record is written containing
the user-ID that was used to authenticate, the terminal session ID, the start time of the session leader (or parent process) and a
time stamp (using a monotonic clock if one is available).  The user may then use sudo without a password for a short period of time
(15 minutes unless overridden by the timestamp_timeout option).  By default, sudoers uses a separate record for each terminal, which
means that a user's login sessions are authenticated separately.  The timestamp_type option can be used to select the type of time
stamp record sudoers will use.
...
timestamp_timeout
        Number of minutes that can elapse before sudo will ask for a passwd again.  The timeout may include a fractional
        component if minute granularity is insufficient, for example 2.5.  The default is 15.  Set this to 0 to always
        prompt for a password.  If set to a value less than 0 the user's time stamp will not expire until the system is re‐
        booted.  This can be used to allow users to create or delete their own time stamps via “sudo -v” and “sudo -k” re‐
        spectively.
...

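The first passage mostly repeats what the sudo man page says. The second, the option description, explains that the timeout is controlled by setting timestamp_timeout, in minutes; a value less than 0 keeps sudo password-free until the system reboots, while 0 makes sudo prompt every time. To configure it, just run sudo visudo and add Defaults timestamp_timeout=-1. (Well, everything before this was padding; only this one sentence is the real content. 😀)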
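
The sudoers(5) text quoted above gives three distinct meanings to timestamp_timeout: 0 always prompts, a negative value lasts until reboot, and a positive value is a number of minutes. The following added example (not from the original post) audits sudoers-style text for those settings; the function names `classify_timeout` and `audit_timeouts`, the `deploy` user and the sample file contents are constructed for illustration, and `Defaults:user` is the sudoers syntax for scoping a setting to one user.

```shell
#!/bin/sh
# Added example: report what each timestamp_timeout setting in a sudoers file means.

# classify_timeout VALUE -> meaning of the value according to sudoers(5)
classify_timeout() {
    awk -v v="$1" 'BEGIN {
        if (v !~ /^-?[0-9]+(\.[0-9]+)?$/) { print "invalid"; exit }
        if (v + 0 < 0)       print "until-reboot"    # never expires before reboot
        else if (v + 0 == 0) print "always-prompt"   # no caching at all
        else                 print "minutes:" v      # fractional values allowed
    }'
}

# audit_timeouts FILE -> one line per setting: "<scope> <value> <meaning>"
audit_timeouts() {
    grep -E '^[[:space:]]*Defaults' "$1" | grep 'timestamp_timeout' |
    while read -r scope rest; do
        value=$(printf '%s\n' "$rest" |
            sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\([^,[:space:]]*\).*/\1/p')
        printf '%s %s %s\n' "$scope" "$value" "$(classify_timeout "$value")"
    done
}

# Constructed sample: a global setting plus two per-user overrides.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# test-environment overrides (constructed sample)
Defaults timestamp_timeout=0
Defaults:huangzz timestamp_timeout=-1
Defaults:deploy timestamp_timeout=60
EOF

audit_timeouts "$sample"
```

Scoping the negative value to a single test account with `Defaults:user` keeps the 15-minute default for everyone else, and `visudo -cf <file>` checks a drop-in for syntax errors before it is installed.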