sudo won't remember password [SOLVED]

New to Debian (Or Linux in general)? Ask your questions here!

sudo won't remember password [SOLVED]

Postby PatM » 2019-04-05 22:46

Just so anyone else looking doesn't have to wade through all the replies.

The problem was that I was connecting to the linux box using SSH and keys. Locally the timeout worked fine (when I finally tried it).

The answer was found by looking at a Raspbian setup I had working - add a file to /etc/sudoers.d that specified my user can use sudo without a password when logged in over SSH. Here's the contents of the Rasbian /etc/sudoers.d directory.

Code: Select all
pi@WeatherStation:~$ ls /etc/sudoers.d
010_at-export  010_pi-nopasswd  README


010_pi-nopasswd contains
Code: Select all
pi ALL=(ALL) NOPASSWD: ALL


Change "pi" to your username and sudo won't always ask for a password.

Original post:
====================================================
I've been using Raspbian for a long time but haven't used Debian for years. I just installed it again and after all the updating I quickly realized that having sudo require a password at every use is quite tiresome.

I went looking and everything I see says to add timestamp_timeout=x to the Defaults env_reset line using sudo visudo.

I've done that and it has no effect. Tried logging out and back in, still no change. Rebooted and checked, still no effect.

Went through 10 pages of google results and found nothing except the above. Did a search here on all boards for timestamp_timeout and got nothing either.

How do I get sudo to stop asking every time I use the command even if it's 2 seconds apart?
Last edited by PatM on 2019-04-06 17:55, edited 2 times in total.
PatM
 
Posts: 9
Joined: 2016-03-09 18:54

Re: sudo won't remember password

Postby PatM » 2019-04-06 00:41

Found a bit more in the man page. Apparently it's supposed to be looking in /var/run/sudo/ts for the timestamps and that the directory has to be owned by root. While /var/run existed, there was no sudo/ts in there so I su'd to root and created them. No change. Logged out/in no change. Looked in ts to see if there was a file and the directories I made weren't there.

Took a moment and I realized these were very temporary files so there's no reason to write them to disk. Googled a bit and discovered they're basically in ram and that I needed to create them with /usr/lib/tmpfiles/sudo.conf.

Looked and they were set to be created in /var/lib rather than /var/run so I changed that and rebooted.

Directories where there but no timestamp. Had a look and sure enough it had been created in /varlib/sudo/ts.

So I guessed that sudo creates the timestamps in /var/lib/sudo/ts but looks in /var/run/sudo/ts for it. Copied the file to the /var/run/sudo/ts directory and switched to the regular sudoer - no change.

So all I know for sure is sudo is putting the timestamp file in /var/lib instead of /var/run.
PatM
 
Posts: 9
Joined: 2016-03-09 18:54

Re: sudo won't remember password

Postby GarryRicketson » 2019-04-06 02:09

Using code boxes, show us what those files actually have, what changes you actually made, this has me wondering :
add timestamp_timeout=x to the Defaults env_reset line

In code boxes, like this:
Code: Select all
 timestamp_timeout=x

Show us what you added, changed, etc,...seems like you have modified several files in various directories, but it is not clear exactly in what way.
everything I see says to add timestamp_timeout=x

What value did you use in place of "x", ? if you just copied/pasted it like you posted it here,
Code: Select all
  timestamp_timeout=x
, I don't think that would do work or do anything,...
see:https://manpages.debian.org/jessie/sudo/sudoers.5.en.html
(you don't mention the version of Debian, if it is not jessie, change that to what ever version it is, IE: stretch)
timestamp_timeout
Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 15. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's time stamp will never expire. This can be used to allow users to create or delete their own time stamps via “sudo -v” and “sudo -k” respectively.


As root, use su, show the output of:
Code: Select all
grep Defaults /etc/sudoers

Please use code boxes to post the output.
I have a urgent phone call, and have to go,... maybe more later
User avatar
GarryRicketson
 
Posts: 5877
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: sudo won't remember password

Postby PatM » 2019-04-06 02:49

Sorry, Debian 9 installed yesterday and updated this morning.

Of course "x" was just to indicate your desired timeout in minutes

Code: Select all
Defaults        env_reset,timestamp_timeout=5
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


I had the same problem with timeout on Kubuntu but didn't bother looking into it since I decided to go Debian instead.
PatM
 
Posts: 9
Joined: 2016-03-09 18:54

Re: sudo won't remember password

Postby GarryRicketson » 2019-04-06 05:06

I normally do not used sudo, so am no expert at all, I did install it sometime ago, trying to help someone else , and I needed to have it installed so I could try some things, mine is basically default, other then when I added myself to sudoers. So any way, what you show is far from being default anymore, and seems to be missing a lot of things, combined with your moving and changing other files,...I think you have made a rather big mess, and should restore everything to default, use the back up you made before mucking around, (hope you made one)
One thing:
there was no sudo/ts in there so I su'd to root and created them.

The files in
Code: Select all
garry# pwd
/var/run/sudo/ts
garry# less garry
"garry" may be a binary file.  See it anyway? 

Those files are binary files,
So what you did, "there was no sudo/ts in there so I su'd to root and created them", is NOT the correct way to do that, and would not work.
Looked and they were set to be created in /var/lib rather than /var/run so I changed that and rebooted.

Good grief, so you need to change that back to the way it was as well,... and so on, it really is confusing as to what all you have done.
I just logged in as root, cd /etc, and used visudo, and added the line:
Code: Select all
Defaults env_reset,timestamp_timeout=6

saved and exited, and it works just fine, if I use sudo again in less then 6 min, I don't need a password.
Here is what my default sudoers file looks like, as you can see, yours is missing a lot:
Code: Select all
 sudo grep Defaults /etc/sudoers
# Defaults specification
Defaults env_keep +="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"
Defaults env_reset,timestamp_timeout=6
Defaults:%wsrc env_keep +="DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF"
Defaults:%wsrc env_keep +="MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR"
Defaults:%wsrc env_keep +="PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY"
Defaults:%wsrc env_keep +="SUBPACKAGE WRKOBJDIR SUDO_PORT_V1"
#Defaults env_keep +="ftp_proxy http_proxy"
#Defaults !lecture
#Defaults:%wheel !env_reset
 

Note, where it says: Defaults env_reset,timestamp_timeout=6 But it could be 5 , 10, 15 , whatever.
I spent way more time on this then I should have,
I did also take a look at various manuals,and tutorials, did a search , and NONE of them say anything about doing this:
So I guessed that sudo creates the timestamps in /var/lib/sudo/ts but looks in /var/run/sudo/ts for it. Copied the file to the /var/run/sudo/ts directory and switched to the regular sudoer - no change.

So you gessed wrong, you need to restore everything to default and try again, sorry
===== edited ===
I followed this very straightforward and simple guide, http://linuxg.net/change-sudo-password-timeout/
And it worked just fine, I will admit, since I am not very good with the "vi" editor, nor "visudo", I did munge the line on the first try, and was give a warning that there was a syntex error, close to line 23,
so I exited with out saving the change, on the second try it saved fine, and works fine. NO NEED to be creating files and directories , nor moving other things around. It is important that you use "visudo" and
not just any random editor though, also you must run it as root.
User avatar
GarryRicketson
 
Posts: 5877
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: sudo won't remember password

Postby Head_on_a_Stick » 2019-04-06 08:19

PatM wrote:How do I get sudo to stop asking every time I use the command even if it's 2 seconds apart?

The default behaviour (in both Debian and *buntu) is for the timeout to be set to 15 minutes.

Please post the output of
Code: Select all
sudo -l

as your normal user.
Don't break DebianHow to report bugs

SharpBang GNU/Linux — a pre-configured Openbox/Tint2 desktop running on Debian stable
User avatar
Head_on_a_Stick
 
Posts: 10675
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: sudo won't remember password

Postby PatM » 2019-04-06 14:38

I know the default behaviour is to ask a sudoer for a password after 15 minutes but that's the point. Fresh installs of Debian 9 and Kubuntu aren't doing this. So don't get all condescending and self righteous. It's nice that your setup is working but my new install does not. If the only contribution to the discussion you can make is to denigrate the poster, why do you bother?

/var/run is what the SUDO manual says is the correct location for /sudo/ts so since it wasn't working in the default of using /var/lib I tried changing it to what the manual says and it didn't work. So as I said above, the only thing I actually know is that the sudo timeout is not working as of yesterday's update to Debian 9.

And yes, I did change it back after going with what the manual said failed.

Edit: I added what you said was missing but no change after relogging and no change after rebooting.

Code: Select all
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_keep +="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"
Defaults env_reset,timestamp_timeout=6
Defaults:%wsrc env_keep +="DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF"
Defaults:%wsrc env_keep +="MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR"
Defaults:%wsrc env_keep +="PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY"
Defaults:%wsrc env_keep +="SUBPACKAGE WRKOBJDIR SUDO_PORT_V1"

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
Last edited by PatM on 2019-04-06 14:58, edited 2 times in total.
PatM
 
Posts: 9
Joined: 2016-03-09 18:54

Re: sudo won't remember password

Postby PatM » 2019-04-06 14:46

sudo -l gives me

Code: Select all
env_reset, timestamp_timeout=5, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
PatM
 
Posts: 9
Joined: 2016-03-09 18:54

Re: sudo won't remember password

Postby Head_on_a_Stick » 2019-04-06 15:08

PatM wrote:the only thing I actually know is that the sudo timeout is not working as of yesterday's update to Debian 9.

The last update to the sudo package was back in June 2017.

Was the timeout working as expected when the system was first installed?

Can we see the output of
Code: Select all
apt policy

I've just tested the latest "live" version of Debian stretch and the timeout is still 15 minutes so nothing has changed there.

And I wasn't trying to denigrate you, your OP didn't make it clear that you knew the default behaviour.

EDIT: Garry is running OpenBSD, that's why his file is different. Those extra Defaults lines aren't present in the "live" system.
Don't break DebianHow to report bugs

SharpBang GNU/Linux — a pre-configured Openbox/Tint2 desktop running on Debian stable
User avatar
Head_on_a_Stick
 
Posts: 10675
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: sudo won't remember password

Postby PatM » 2019-04-06 15:42

Was the timeout working as expected when the system was first installed?

Nope. I have a thought about that too. I supplied a root password in the installer so the user account was not automatically added to sudoers. I added it with
Code: Select all
usermod -aG sudo <name>


I've got little invested in this install so I think I'll try again without supplying a root password and see if it makes the user a sudoer with the timeout working.

P.S. Burnt the iso to a USB stick so it actually goes a lot faster.

And I wasn't trying to denigrate you, your OP didn't make it clear that you knew the default behaviour.

Sorry, that was for Garry, not you. You didn't say anything bad at all. Thanks
PatM
 
Posts: 9
Joined: 2016-03-09 18:54

Re: sudo won't remember password

Postby Head_on_a_Stick » 2019-04-06 16:25

PatM wrote:I added it with
Code: Select all
usermod -aG sudo <name>

Hmmm, the Debian wiki page for sudo recommends
Code: Select all
useradd $user sudo

And I would use
Code: Select all
gpasswd -a $user sudo

Not sure what differences your command would make though.
Don't break DebianHow to report bugs

SharpBang GNU/Linux — a pre-configured Openbox/Tint2 desktop running on Debian stable
User avatar
Head_on_a_Stick
 
Posts: 10675
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: sudo won't remember password

Postby PatM » 2019-04-06 16:53

Well I missed a very important point. I didn't mention that I'm using SSH with keys to connect over the lan. It's never been a problem with the various Raspberry distros I've used over the last several years so it didn't occur to me that it could be a factor.

I tried sudo locally and the timeout works. It's only through SSH that it doesn't. Reading up on it to see if I can find a fix. Probably something about hosts being local only somewhere.
PatM
 
Posts: 9
Joined: 2016-03-09 18:54

Re: sudo won't remember password [SOLVED]

Postby PatM » 2019-04-06 17:02

That is it. I need to change the sudoer file to make it work with SSH. Instead of changing the original file I'm doing what it says to do and adding /etc/sudoers.d/<myacctname> to hold the changes.

For now I found I can use
Code: Select all
<user> ALL=NOPASSWD: ALL


and it doesn't ask me for a password. I'll have to keep looking to see if there's a way to make it just use the timeout rather than never ask for a password.

edit: Had a brainstorm and did the obvious thing that I should have thought of in the first place. I checked one of my Raspberrys to see what it did differently.

in /etc/sodoers.d I found:

Code: Select all
010_at-export  010_pi-nopasswd  README

010_pi-nopasswd contains
Code: Select all
pi ALL=(ALL) NOPASSWD = ALL


The pi does ask for passwords after the timeout so I modified mine to be the same.
PatM
 
Posts: 9
Joined: 2016-03-09 18:54


Return to Beginners Questions

Who is online

Users browsing this forum: No registered users and 9 guests

fashionable