Recipe 5.5 Forcing Password Authentication in sudo
5.5.1 Problem
You want sudo always to prompt for a password.
5.5.2 Solution
When controlled by superuser:
/etc/sudoers:
Defaults timestamp_timeout = 0        # systemwide
Defaults:smith timestamp_timeout=0    # per sudo user
When controlled by end-user, write a script that runs sudo -k after each sudo invocation. Call it "sudo" and put it in your search path ahead of /usr/bin/sudo:
~/bin/sudo:
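#!/bin/sh
# Run the real sudo, then discard the cached timestamp so the next call prompts again.
/usr/bin/sudo "$@"
status=$?
/usr/bin/sudo -k
exit $status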
5.5.3 Discussion
After invoking sudo, your authorization privileges last for some number of minutes, determined by the variable timestamp_timeout in /etc/sudoers. During this period, you will not be prompted for a password. If your timestamp_timeout is zero, sudo always prompts for a password. This feature can be enabled only by the superuser, however. Ordinary users can achieve the same behavior with sudo -k, which forces sudo to prompt for a password on your next sudo command. Our recipe assumes that the directory ~/bin is in your search path ahead of /usr/bin.
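As an added example (not code from the original recipe), the shell functions below read a copy of a sudoers file and report which timestamp_timeout applies to a given user, so the superuser can confirm that the setting above covers the accounts it should. The function names and the sample file are constructed for illustration. The script assumes a built-in default of 5 minutes when nothing is set, and it reads only plain Defaults and Defaults:user lines (no aliases, user lists or included files).

```shell
#!/bin/sh
# Added example: which timestamp_timeout applies to USER in a sudoers copy?
# Simplifications (assumptions): only "Defaults" and "Defaults:user" lines are
# read; aliases, user lists and included files are ignored; 5 minutes is
# assumed as the built-in default when no line sets the value.

# effective_timeout USER FILE  -> prints the timeout in minutes
effective_timeout() {
    awk -v user="$1" -v val=5 '
        $1 == "Defaults" || $1 == ("Defaults:" user) {
            line = $0
            sub(/#.*/, "", line)                      # drop trailing comment
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)     # drop the Defaults word
            n = split(line, opts, ",")                # options are comma-separated
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)                  # "x = 0" and "x=0" are the same
                if (o ~ /^timestamp_timeout=-?[0-9.]+$/) {
                    sub(/^[^=]*=/, "", o)
                    val = o                           # later lines override earlier ones
                }
            }
        }
        END { print val }
    ' "$2"
}

# always_prompts USER FILE  -> exit status 0 if sudo asks for a password every time
always_prompts() {
    [ "$(effective_timeout "$1" "$2")" = "0" ]
}

# Constructed sample, not a real system's sudoers file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Defaults env_reset, timestamp_timeout = 10
Defaults:smith timestamp_timeout=0    # per sudo user
smith ALL = (ALL) ALL
jones ALL = (ALL) ALL
EOF

for u in smith jones; do
    if always_prompts "$u" "$SAMPLE"; then
        echo "$u: password required on every sudo"
    else
        echo "$u: credentials cached for $(effective_timeout "$u" "$SAMPLE") minute(s)"
    fi
done
```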
5.5.4 See Also
sudo(8), sudoers(5).