How to Change Sudo Password Timeout in Mac OS X

May 5, 2016 - 1 Comment


Advanced users who spend a fair amount of time in the command line may wish to adjust their sudo password expiration to be more secure (or less secure, by extending the password grace period timeout). Typically this means removing any password timeout so that the default five-minute password cache is abandoned, thus requiring the root password to be entered any time a command is prefixed with sudo.


In order to change or remove the sudo password grace period timeout, we’ll be using visudo. This trick applies to Mac OS X as well as Linux, by the way.

This is truly only for advanced command line users. If you do not know what you’re doing with sudo, vim, or visudo, and are not very experienced at the command line, do not attempt to change any of this. A broken sudoers file can lead to a huge swath of problems and issues, and may require restoring from a backup. Adjust this setting exclusively at your own risk.

Adjusting the Sudo Password Expiration Timeout

From the command line, we’ll edit the sudoers file with the help of visudo. Do not attempt to edit /etc/sudoers without visudo:

sudo visudo

Use the arrow keys to navigate to the end of the sudoers file, then enter the following syntax on a new line (feel free to include a comment by preceding it with a hash # so you can reference it later):

Defaults timestamp_timeout=0

In this example we’re using ‘0’ as the timeout grace period, meaning sudo will only work on a per-command basis and there will be no password caching for the default five minutes. The number is in minutes, so you can set it to whatever you want, but for the purposes here we’re using 0 to remove the sudo password grace period. You can also go the other direction with ‘-1’, which makes the sudo grace period infinite and is not recommended under any circumstance.

When finished, hit the Escape (ESC) key, followed by colon : and then type ‘wq’ without the quotes followed by the return key to save and exit the changes from visudo.

Refresh the terminal and you’ll now have zero grace period with sudo. Try it out by editing the hosts file or performing some other task which requires root access, and you’ll discover the next command immediately requires root authorization again.

You can also adjust timeouts for specific users, which is helpful if you have added a user to sudoers and want to set a specific password grace period for an individual user account. This is accomplished by adding a username to the Defaults string like so:

Defaults:user timestamp_timeout=XX

Keep in mind you can also use ‘sudo -k’ for a temporary adjustment to sudo password timeout, which can be helpful for users who have set the timeout to 0 for higher security.
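
To review which grace periods a sudoers file actually sets, globally and per user as described above, here is an added example (not from the original article) that parses sudoers text and classifies each timestamp_timeout value. The function name, the max_minutes review threshold and the SAMPLE text are assumptions of this example.

```python
import re

# "Defaults" optionally scoped as :user, @host, >runas or !command.
DEFAULTS_RE = re.compile(r'^Defaults(?:([:@>!])(\S+))?\s+(.+)$')
TIMEOUT_RE = re.compile(r'\btimestamp_timeout\s*=\s*"?(-?\d+(?:\.\d+)?)')
SCOPES = {":": "user", "@": "host", ">": "runas", "!": "command"}


def audit_timestamp_timeout(sudoers_text, max_minutes=5.0):
    """Return (line_no, scope, minutes, verdict) per timestamp_timeout setting.

    max_minutes is this example's review threshold (an assumption). Included
    files and backslash-continued lines are not followed.
    """
    findings = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = DEFAULTS_RE.match(line)
        t = TIMEOUT_RE.search(m.group(3)) if m else None
        if not t:
            continue
        scope = f"{SCOPES[m.group(1)]}:{m.group(2)}" if m.group(1) else "global"
        minutes = float(t.group(1))
        if minutes < 0:
            verdict = "never-expires"  # the article's '-1' case
        elif minutes == 0:
            verdict = "always-prompt"  # no password caching
        elif minutes > max_minutes:
            verdict = "long-grace-period"
        else:
            verdict = "ok"
        findings.append((line_no, scope, minutes, verdict))
    return findings


# Constructed sample input, not a real system's sudoers file.
SAMPLE = """\
Defaults env_reset
Defaults timestamp_timeout=0
Defaults:alice timestamp_timeout=30
Defaults:build !lecture, timestamp_timeout=-1
# Defaults timestamp_timeout=-1
%admin ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for finding in audit_timestamp_timeout(SAMPLE):
        print(finding)
```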


There is quite a bit more to learn about the sudoers file which may be relevant to advanced users on Mac OS X and Linux platforms. Exploring the man page is helpful and offers many other options.


Posted by: Paul Horowitz in Command Line, Mac OS, Security, Tips & Tricks

One Comment


  1. JT TJ says:

    If you are doing this for security purposes, another good trick is to log sudo activity

    Defaults logfile=/var/log/sudo
