Fedora Linux

The value for this timeout is expressed in minutes.

8.5.3.2. ...voluntarily giving up the password timestamp?

The user can voluntarily give up the timestamp at any time using the -k option:

$ sudo -k

This is useful if the terminal will be unattended for a while.

8.5.3.3. ...disabling the root password entirely (like a Debian or Ubuntu system)?

The Fedora community has discussed this idea and ultimately opted to keep a root password. Fedora's consolehelper PAM configuration relies on a root password, and using a root password can in some cases provide one additional obstacle to gaining superuser access.

8.5.4. Where Can I Learn More?

? The manpages for sudo , sudoers , and visudo

8.6. Configuring PAM and consolehelper

Fedora uses the Pluggable Authentication Module (PAM) system to handle user authentication and identity changes. As the name implies, PAM is modular and configurable, enabling you to change the authentication (and authorization) setup on your system without programming.

8.6.1. How Do I Do That?

PAM configuration files are stored in /etc/pam.d , with one file per configured service. Each file is written in plain text and consists of at least three fields separated by spaces. The entries in these files are divided into four categories according to the first field, which identifies the module type . Possible values are:

auth

Authentication configuration (determining who is logging in).

account

Non-authentication-based access control, such as restricting activities by time of day.

password

Password changes or other authentication token updates (such as recording a new retinal scan or fingerprint).

session

Setup of the post-login session and environment.

The entries for a given module type are executed in sequence. For example, when performing authentication, the modules listed on the auth lines are executed in sequence.

The second field in each entry is called the control flag and determines the action taken when the module succeeds or fails. Possible values are:

required

The module must succeed for the module type to succeed. Regardless of whether the module fails or succeeds, processing will continue with the next line (other modules of the same module type will be executed), but at the end of all of the processing, a failure will be recorded.

requisite

The module must succeed for the module type to succeed. If it fails, processing stops immediately. If it succeeds, processing continues with the next line.

sufficient

If the module succeeds, then the module type succeeds and processing stops immediately. If it fails, processing continues with the next line.

optional

The module is executed, but the failure or success of the module is ignored.

include

In place of a module name, another configuration file is given. All of the lines of the same type from that configuration file are treated as if they were present in this configuration file.

It is also possible to use a complex expression as a control flag, but this feature is not used in the default Fedora Core configuration.

The remaining fields on the line contain the name of the module and any arguments to it (except when the control flag is include , in which case the third argument is the included file).

Here's an example. This is the content of /etc/pam.d/sshd , the configuration file for the SSH server daemon:

#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so