Changing timeout on pam_timestamp/sudo/usermode

Martin Ebourne lists at ebourne.me.uk
Sun May 9 17:38:11 UTC 2004


Hi,

I've been trying to change the sudo/pam_timestamp timeout with mixed
success. The default of 5 minutes is really too short for my use (home
machine), though obviously more suitable for an office (if not even too
long there). I thought I'd try 1/2 hour for now.

What I have found is:

Adding 'Defaults timestamp_timeout=30' to sudoers seems to be correct
for sudo, the man page specifying the time in minutes.

I had to add 'timestamp_timeout=1800' to each call of pam_timestamp.so
in /etc/init.d. There were 85 of these on my system. Initially I tried
'timestamp_timeout=30' because the pam_timestamp manpage doesn't mention
units and I thought it might be the same as sudoers, but apparently not
- this one's in seconds.

It's not clear if I need to edit pam_timestamp calls for both 'auth' and
'session', or just 'auth'. I guess the latter, but did all to be sure.
(Besides, that was easier.) Anyhow, this now seems to work and I can
start root programs up to 1/2hr after the last.

Now I'm stuck on pam-panel-icon. This seems to have its own notion of
how long the timestamp is valid for - and therefore is still stuck on 5
minutes. It appears to call pam_timestamp_check which makes the
decision, but I can't see any way to train this to use the longer time.
Hence the panel icon is now rather useless.

So down to the questions:

1. Am I going about this the right way or did I miss something?

2. Is it possible to change the timeout for the pam-panel-icon/
pam_timestamp_check?

3. Why do the pam.d files not all leverage off a single pam file using
pam_stack? e.g. They could pam_stack to system-auth-timed which could add
the pam_timestamp call and then pam_stack to system-auth. Is this
possible? If so this would rather reduce the ridiculous 85 places to
edit.

4. The panel icon comes up with two buttons when you click on it - keep
or discard authorisation. Keep really ought to reset the timestamp to
get you another n minutes, but doesn't.

5. Are the changes to the pam.d files going to be preserved by RPM when
I upgrade? They all seem to be marked as 'config' so I am guessing
they will.

6. I don't think sudo -k is called by default when you log out so I've
added it on mine. Probably this should be done.

I really feel it should be much easier to change this timeout - it
really ought to be configured from one place (or 2 if you allow sudo its
own). A file with a setting in /etc/sysconfig/ would do the trick.

What's more important is that if I wanted to disable it that doesn't
seem any easier.

Cheers,

Martin.
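
An added example, not part of the original message: a shell function that lists every pam_timestamp.so line in a directory of PAM service files and flags any whose timestamp_timeout does not equal the sudoers value, converting minutes to seconds as the message describes. The function name audit_pam_timestamp, its arguments and the output layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit pam_timestamp.so timeouts against the sudoers setting.
# Units follow the message above: sudoers timestamp_timeout is in minutes,
# pam_timestamp's timestamp_timeout is in seconds.

# audit_pam_timestamp DIR SUDO_MINUTES   (hypothetical helper)
#   DIR           directory of PAM service files, e.g. /etc/pam.d
#   SUDO_MINUTES  value of 'Defaults timestamp_timeout=' in sudoers
# Prints "file type value status" for each active pam_timestamp.so line.
# Returns 1 if any line is unset or differs from SUDO_MINUTES * 60.
audit_pam_timestamp() {
    dir=$1
    want=$(( $2 * 60 ))
    awk -v want="$want" '
        /^[ \t]*#/ { next }                  # ignore commented-out lines
        /pam_timestamp\.so/ {
            val = "unset"                    # no option: module default applies
            for (i = 1; i <= NF; i++)
                if ($i ~ /^timestamp_timeout=/) {
                    val = $i
                    sub(/^timestamp_timeout=/, "", val)
                }
            # Force a string comparison so "unset" never matches a number.
            state = (val "" == want "") ? "ok" : "MISMATCH"
            if (state != "ok") bad = 1
            n = split(FILENAME, parts, "/")  # report the file name only
            print parts[n], $1, val, state
        }
        END { exit bad + 0 }
    ' "$dir"/*
}

# Run directly as: sh audit.sh /etc/pam.d 30
if [ $# -ge 2 ]; then
    audit_pam_timestamp "$1" "$2"
fi
```

A line reported as `30 MISMATCH` is the minutes-for-seconds mistake described above; `unset` marks a service still on the module default.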




