6. PAM and Administrative Credential Caching

A variety of graphical administrative tools under Red Hat Enterprise Linux give users elevated privileges for up to five minutes via the pam_timestamp.so module. It is important to understand how this mechanism works because a user who walks away from a terminal while pam_timestamp.so is in effect leaves the machine open to manipulation by anyone with physical access to the console.

Under the PAM timestamp scheme, the graphical administrative application prompts the user for the root password when it is launched. Once authenticated, the pam_timestamp.so module creates a timestamp file within the /var/run/sudo/ directory by default. If the timestamp file already exists, other graphical administrative programs do not prompt for a password. Instead, the pam_timestamp.so module freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user.

The existence of the timestamp file is denoted by an authentication icon in the notification area of the panel. Below is an illustration of the authentication icon:

Figure 16.1. The Authentication Icon

6.1. Removing the Timestamp File

It is recommended that before walking away from a console where a PAM timestamp is active, the timestamp file be destroyed. To do this from within a graphical environment, click on the authentication icon on the panel. When a dialog box appears, click on the Forget Authorization button.

Figure 16.2. Authentication Icon Dialog

If logged into a system remotely using ssh, use the /sbin/pam_timestamp_check -k root command to destroy the timestamp file.

Note
You must be logged in as the user who originally invoked the pam_timestamp.so module in order to use the /sbin/pam_timestamp_check command. Do not log in as root to issue this command.

For information about destroying the timestamp file using pam_timestamp_check, refer to the pam_timestamp_check man page.

6.2. Common pam_timestamp Directives
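The ssh procedure from section 6.1, wrapped in a small POSIX shell script that can be called from a screen-lock or logout hook. This is an added example, not code from the Red Hat guide: it asks /sbin/pam_timestamp_check whether a valid timestamp exists, destroys it with -k, and then confirms it is really gone. It assumes, following the pam_timestamp_check man page, that the command exits 0 only while the timestamp is valid; the PAM_TS_CHECK variable and the function names are this example's own.

```shell
#!/bin/sh
# Forget cached administrative credentials (the pam_timestamp.so timestamp
# file) before leaving the console. Run as the user who authenticated, not
# as root, exactly as the Note in section 6.1 requires.
#
# PAM_TS_CHECK defaults to the path named in the guide; it is a variable
# (this example's own) so a test or a non-standard install can override it.
: "${PAM_TS_CHECK:=/sbin/pam_timestamp_check}"

# admin_creds_cached [user]
# Assumption from the man page: exit 0 means a valid timestamp exists for
# the target user (default root); any other status means none is cached.
admin_creds_cached() {
    "$PAM_TS_CHECK" "${1:-root}" >/dev/null 2>&1
}

# forget_admin_creds [user]
# Destroy the timestamp with -k and verify the five-minute window is closed.
# Returns 0 when no credentials remain cached, 1 if the file is still valid.
forget_admin_creds() {
    ts_user="${1:-root}"
    if ! admin_creds_cached "$ts_user"; then
        echo "no cached administrative credentials for $ts_user"
        return 0
    fi
    "$PAM_TS_CHECK" -k "$ts_user" >/dev/null 2>&1
    if admin_creds_cached "$ts_user"; then
        echo "WARNING: timestamp for $ts_user is still valid" >&2
        return 1
    fi
    echo "cached administrative credentials for $ts_user forgotten"
    return 0
}

# Typical use from a lock hook:  forget_admin_creds root
```

Because the check is repeated after the kill, the script fails loudly if it was run as the wrong user and the timestamp therefore survived.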