Hi, I've been trying to change the sudo/pam_timestamp timeout with mixed success. The default of 5 minutes is really too short for my use (home machine), though obviously more suitable for an office (if not even too long there). I thought I'd try 1/2 hour for now. What I have found is: Adding 'Defaults timestamp_timeout=30' to sudoers seems to be correct for sudo, the man page specifying the time in minutes. I had to add 'timestamp_timeout=1800' to each call of pam_timestamp.so in /etc/init.d. There were 85 of these on my system. Initially I tried 'timestamp_timeout=30' because the pam_timestamp manpage doesn't mention units and I thought it might be the same as sudoers, but apparently not - this one's in seconds. It's not clear if I need to edit pam_timestamp calls for both 'auth' and 'session', or just 'auth'. I guess the latter, but did all to be sure. (Besides, that was easier.) Anyhow, this now seems to work and I can start root programs up to 1/2hr after the last. Now I'm stuck on pam-panel-icon. This seems to have it's own notion of how long the timestamp is valid for - and therefore is still stuck on 5 minutes. It appears to call pam_timestamp_check which makes the decision, but I can't see any way to train this to use the longer time. Hence the panel icon is now rather useless. So down to the questions: 1. Am I going about this the right way or did I miss something? 2. Is it possible to change the timeout for the pam-panel-icon/ pam_timestamp_check? 3. Why do the pam.d files not all leverage off a single pam file using pam_stack? eg. They could pam_stack to system-auth-timed which could add the pam_timestamp call and then pam_stack to system-auth. Is this possible? If so this would rather reduce the ridiculous 85 places to edit. 4. The panel icon comes up with two buttons when you click on it - keep or discard authorisation. Keep really ought to reset the timestamp to get you another n minutes, but doesn't. 5. Are the changes to the pam.d files going to be preserved by RPM when I upgrade? They all seem to be marked as 'config' so I'm am guessing they will. 6. I don't think sudo -k is called by default when you log out so I've added it on mine. Probably this should be done. I really feel it should be much easier to change this timeout - it really ought to be configured from one place (or 2 if you allow sudo its own). A file with a setting in /etc/sysconfig/ would do the trick. What's more important is that if I wanted to disable it that doesn't seem any easier. Cheers, Martin. _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
