adclient.sudo.clear.passwd.timestamp

This configuration parameter is used together with the tty_tickets parameter in the sudoers configuration file (/etc/sudoers) to specify whether users must re-authenticate with sudo after logging out.

When a user authenticates with sudo, a ticket is temporarily created that allows sudo to run without re-authentication for a short period of time. If a user logs out and the ticket is not cleared, the ticket is reused when the user logs back in, and the user does not need to re-authenticate. If a user logs out and the ticket is cleared, the user must re-authenticate with sudo when logging back in.

Starting with release 2015, the way that you configure whether re-authentication is required depends on the tty_tickets parameter in the sudoers configuration file (/etc/sudoers). In some situations, re-authentication requirements are also controlled by this parameter. Details are as follows:

  • If tty_tickets is enabled, tickets are always removed when a sudo user logs out, regardless of whether this parameter is set to true or false. That is, when tty_tickets is enabled, this parameter has no effect, and sudo users must always re-authenticate.
  • If tty_tickets is disabled, the requirement for sudo users to re-authenticate is controlled by this parameter and the Force sudo re-authentication when relogin group policy.

Tickets are cleared, and sudo re-authentication is required, under these scenarios:

  • The tty_tickets parameter in the sudoers configuration file is enabled (it is enabled by default), or
  • The tty_tickets parameter in the sudoers configuration file is disabled and the adclient.sudo.clear.passwd.timestamp parameter is set to true, or
  • The tty_tickets parameter in the sudoers configuration file is disabled and the Force sudo re-authentication when relogin group policy is enabled.

Tickets are not cleared, and sudo re-authentication is not required, under these scenarios:

  • The tty_tickets parameter in the sudoers configuration file is disabled and the adclient.sudo.clear.passwd.timestamp parameter is set to false, or
  • The tty_tickets parameter in the sudoers configuration file is disabled and the Force sudo re-authentication when relogin group policy is disabled.

The default parameter value is false.

For example:

adclient.sudo.clear.passwd.timestamp: false

You can also set this parameter using group policy.
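
The scenarios above can be checked from the two configuration files when auditing a host. The following is an added example, not code from the product or its vendor: it reads the text of a sudoers file and of the agent configuration file and reports whether tickets are cleared at logout. It assumes that only global Defaults lines are considered, that a later setting overrides an earlier one, and that the group policy is not evaluated; the function names and sample inputs are constructed for illustration.

```python
import re

PARAM = "adclient.sudo.clear.passwd.timestamp"

def tty_tickets_enabled(sudoers_text):
    """Effective global tty_tickets value; the page says it is enabled by default."""
    enabled = True
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"Defaults\s+(.*)", line)       # global Defaults only (assumption)
        if not m:
            continue
        for opt in m.group(1).split(","):
            opt = re.sub(r"\s+", "", opt)
            if opt == "tty_tickets":
                enabled = True
            elif opt == "!tty_tickets":
                enabled = False                      # a later setting overrides an earlier one
    return enabled

def clear_timestamp(conf_text):
    """Value of the parameter in 'name: value' form; default false per the page."""
    value = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(re.escape(PARAM) + r"\s*:\s*(\S+)", line)
        if m:
            value = m.group(1).lower() == "true"     # last occurrence wins (assumption)
    return value

def tickets_cleared_on_logout(sudoers_text, conf_text):
    """Return (cleared, reason) following the scenarios listed above."""
    if tty_tickets_enabled(sudoers_text):
        return True, "tty_tickets enabled: parameter has no effect"
    if clear_timestamp(conf_text):
        return True, "tty_tickets disabled and " + PARAM + " is true"
    return False, "tty_tickets disabled and " + PARAM + " is false"

# Constructed sample inputs, not taken from a real host.
SUDOERS_DEFAULT = "Defaults env_reset\n%wheel ALL=(ALL) ALL\n"
SUDOERS_NO_TTY = "Defaults env_reset, !tty_tickets  # per-tty tickets off\n"
CONF_TRUE = "# constructed\n" + PARAM + ": true\n"
CONF_FALSE = PARAM + ": false\n"

if __name__ == "__main__":
    for s, c in [(SUDOERS_DEFAULT, CONF_FALSE), (SUDOERS_NO_TTY, CONF_FALSE),
                 (SUDOERS_NO_TTY, CONF_TRUE)]:
        print(tickets_cleared_on_logout(s, c))
```

A result of False for the second sample is the case to flag in a review: per-tty tickets are off and the parameter is at its default, so a sudo ticket survives logout.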