Sudo Settings

Use the group policies under Sudo Settings to specify whether users must re-authenticate with sudo after logging out.

Force sudo Re-Authentication when Relogin

Specify whether users must authenticate again with sudo after logging out.

When a user authenticates with sudo, sudo records a ticket (a timestamp file) that allows further sudo commands to run without re-authentication for a short period of time. If the user logs out and the ticket is not cleared, the ticket is reused when the user logs back in within that period, and the user does not need to re-authenticate. If the ticket is cleared at logout, the user must re-authenticate with sudo when logging back in.

Starting with release 2015, whether re-authentication is required depends on the tty_tickets option in the sudoers file (/etc/sudoers). Depending on that option, this policy may also control the requirement. Details are as follows:

  • If tty_tickets is enabled, tickets are tied to the terminal and are always removed when a sudo user logs out, regardless of whether this policy is enabled or disabled. That is, when tty_tickets is enabled, this policy has no effect, and sudo users must always re-authenticate.
  • If tty_tickets is disabled, the requirement for sudo users to re-authenticate is controlled by this policy and the adclient.sudo.clear.passwd.timestamp setting in the agent configuration file.

Tickets are cleared and sudo re-authentication is required in the following scenarios:

  • The tty_tickets option in the sudoers file is enabled (it is enabled by default)
  • The tty_tickets option in the sudoers file is disabled and this group policy is enabled
  • The tty_tickets option in the sudoers file is disabled and the adclient.sudo.clear.passwd.timestamp parameter is set to true

Tickets are not cleared and sudo re-authentication is not required in the following scenarios:

  • The tty_tickets option in the sudoers file is disabled and this group policy is disabled
  • The tty_tickets option in the sudoers file is disabled and the adclient.sudo.clear.passwd.timestamp parameter is set to false

By default, this policy clears tickets in the /var/run/sudo directory. To clear tickets in a different directory, set the adclient.sudo.timestampdir parameter in the agent configuration file as described in the Configuration and Tuning Reference Guide. This group policy works by setting adclient.sudo.clear.passwd.timestamp in the agent configuration file, so enabling the policy has the same effect as setting that parameter to true.
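The following script applies the rules above to a host's local configuration and reports whether a re-login will require sudo re-authentication, and which ticket files are currently present. It is an added example, not code from the original page or from the agent vendor. It assumes sudoers lives in /etc/sudoers (optionally with /etc/sudoers.d/*), that the agent configuration file is /etc/centrifydc/centrifydc.conf written as "key: value" lines, and that the agent treats an absent adclient.sudo.clear.passwd.timestamp as false; all paths are parameters so the functions can be run against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original page or the agent vendor).
# Decision rules applied:
#   tty_tickets enabled in sudoers            -> always re-authenticate
#   tty_tickets disabled, agent setting true  -> re-authenticate
#   tty_tickets disabled, agent setting false -> ticket reused after re-login
# Assumptions: /etc/sudoers (+ /etc/sudoers.d/*), agent config in
# /etc/centrifydc/centrifydc.conf as "key: value" lines, and an agent default
# of false for adclient.sudo.clear.passwd.timestamp when the key is absent.

# Exit 0 if tty_tickets is in effect after reading the given sudoers file(s)
# in order. sudo enables tty_tickets by default; "Defaults !tty_tickets"
# disables it and a later "Defaults tty_tickets" re-enables it, so the last
# matching Defaults line wins. Missing files are skipped.
tty_tickets_enabled() {
    state=enabled
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line; do
            case "$line" in
                \#*) continue ;;
                Defaults*\!tty_tickets*) state=disabled ;;
                Defaults*tty_tickets*)   state=enabled ;;
            esac
        done < "$f"
    done
    [ "$state" = enabled ]
}

# Print the value of an agent configuration key (last occurrence wins), or
# the supplied default when the key is absent or the file is unreadable.
agent_setting() {
    key="$1"; cfg="$2"; val="$3"
    if [ -r "$cfg" ]; then
        while IFS= read -r line; do
            case "$line" in
                \#*) continue ;;
                "$key":*) val=$(printf '%s' "${line#*:}" | tr -d '[:space:]') ;;
            esac
        done < "$cfg"
    fi
    printf '%s\n' "$val"
}

# Normalised (lower-case) value of adclient.sudo.clear.passwd.timestamp.
clear_timestamp_setting() {
    agent_setting adclient.sudo.clear.passwd.timestamp "$1" false | tr 'A-Z' 'a-z'
}

# Directory the agent clears tickets from (page default: /var/run/sudo).
ticket_dir() {
    agent_setting adclient.sudo.timestampdir "$1" /var/run/sudo
}

# Usage: reauth_required CONFIG SUDOERS [MORE_SUDOERS...]
# Prints the verdict; returns 0 when re-authentication is required and 1
# when an uncleared ticket would be reused on re-login.
reauth_required() {
    cfg="$1"; shift
    if tty_tickets_enabled "$@"; then
        echo "re-auth required: tty_tickets is enabled (policy and agent setting ignored)"
        return 0
    fi
    if [ "$(clear_timestamp_setting "$cfg")" = true ]; then
        echo "re-auth required: tty_tickets disabled, agent clears tickets on logout"
        return 0
    fi
    echo "re-auth NOT required: tty_tickets disabled and tickets survive logout"
    return 1
}

# List ticket files in the timestamp directory. Anything still present after
# every session of a user has ended is a ticket that was not cleared.
list_tickets() {
    dir="$1"
    [ -d "$dir" ] && find "$dir" -type f 2>/dev/null
    return 0
}

# Stand-alone run on a host (reading /etc/sudoers requires root):
#   sh sudo_reauth_check.sh --check
if [ "${1:-}" = "--check" ]; then
    cfg=/etc/centrifydc/centrifydc.conf
    reauth_required "$cfg" /etc/sudoers /etc/sudoers.d/*
    list_tickets "$(ticket_dir "$cfg")"
fi
```

The sudoers parser is deliberately narrow: it only tracks the tty_tickets Defaults option and ignores @include directives, so on hosts that pull Defaults from included files pass those files explicitly, in the order sudo would read them.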