How to Change Sudo Password Timeout in Mac OS X
Advanced users who spend a fair amount of time in the command line may wish to adjust their sudo password expiration to be more secure (or less secure, by extending the password grace period timeout). Typically this means removing any password timeout so that the default five minute password cache is abandoned, thus requiring the root password to be entered anytime a command is prefixed with sudo.
In order to change or remove the sudo password grace period timeout, we’ll be using visudo. This trick applies to Mac OS X as well as Linux.
This is truly only for advanced command line users. If you do not know what you’re doing with sudo, vim, or visudo, and are not very experienced at the command line, do not attempt to change any of this. A broken sudoers file can lead to a huge swath of problems and issues, and may require restoring from a backup. Adjust this setting exclusively at your own risk.
Adjusting the Sudo Password Expiration Timeout
From the command line, we’ll edit the sudoers file with the help of visudo – do not attempt to edit /etc/sudoers without visudo:
sudo visudo
Use the arrow keys to navigate to the end of the sudoers file, then enter the following syntax on a new line (feel free to include a comment by preceding it with a hash # so you can reference it later):
Defaults timestamp_timeout=0
In this example we’re using ‘0’ as the timeout grace period, meaning sudo will only work on a per-command basis and there will be no password caching for the default five minutes. The number is in minutes, so you can set it to whatever you want, but for the purposes here we’re using 0 to remove the sudo password grace period. You can also go the other direction with ‘-1’, which makes the sudo grace period infinite and is not recommended under any circumstance.
When finished, hit the Escape (ESC) key, followed by colon : and then type ‘wq’ without the quotes followed by the return key to save and exit the changes from visudo.
Refresh the terminal and you’ll now have zero grace period with sudo. Try it out by editing the hosts file or performing some other task which requires root access, and you’ll discover the next command immediately requires root authorization again.
You can also adjust timeouts to specific users, which is helpful if you have added a user to sudoers and want to set a specific password grace period for an individual user account. This is accomplished by adding a username to the defaults string like so:
Defaults:user timestamp_timeout=XX
Keep in mind you can also use ‘sudo -k’ for a temporary adjustment to the sudo password timeout: it invalidates the cached credentials, so the next sudo command prompts for the password again. This can be helpful for users who have set the timeout to 0 for higher security.
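As an added example (not part of the original article), the following shell function audits sudoers-style text for the timestamp_timeout settings described above, global and per-user, and flags the infinite ‘-1’ case. The sample input and the user names alice and bob are constructed; the function reads one file's text only and does not follow include directives or backslash line continuations.

```shell
#!/bin/sh
# Added example: report every timestamp_timeout setting in sudoers-style text.
# Reads stdin and prints "<scope> <minutes> <verdict>" for each setting found.
audit_timestamp_timeout() {
  awk '
    /^[ \t]*#/ { next }                  # skip comments (and #include lines)
    /^[ \t]*Defaults/ {
      head = $1                          # "Defaults", "Defaults:user", "Defaults@host", ...
      scope = "global"
      if (head ~ /^Defaults:/)     scope = "user:" substr(head, 10)
      else if (head != "Defaults") scope = "bound:" substr(head, 9)
      # A Defaults line may carry several comma-separated options,
      # and the value may be negative or fractional.
      if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9]+(\.[0-9]+)?/)) {
        setting = substr($0, RSTART, RLENGTH)
        sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", setting)
        value = setting + 0
        if (value < 0)       verdict = "never-expires"   # infinite grace period
        else if (value == 0) verdict = "always-prompt"   # no password caching
        else                 verdict = "cached"          # grace period in minutes
        print scope, setting, verdict
      }
    }
  '
}

# Constructed sample input (not a real sudoers file); alice and bob are made-up users.
sample_sudoers() {
  cat <<'EOF'
# Defaults timestamp_timeout=-1
Defaults env_reset, timestamp_timeout=0
Defaults:alice timestamp_timeout=30
Defaults:bob timestamp_timeout = -1
Defaults logfile=/var/log/sudo
EOF
}

sample_sudoers | audit_timestamp_timeout
```

To check a real system, pipe the output of sudo cat /etc/sudoers into audit_timestamp_timeout; no output means no explicit setting, so the default grace period applies.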
There is quite a bit more to learn about the sudoers file which may be relevant to advanced users on Mac OS X and Linux platforms. Exploring the man page is helpful and offers many other options.
If you are doing this for security purposes, another good trick is to log sudo activity:
Defaults logfile=/var/log/sudo