Force sudo re-authentication when relogin

Force sudo re-authentication when relogin.

When users authenticate with sudo once, a ticket will be temporarily created per tty. This ticket allows sudo commands to run without re-authentication in a short period (e.g. 5 minutes), and this ticket will be re-used when user login again.

If this setting is enabled, the tickets will be removed when user logout. Thus users are forced to authenticate again once relogin and call sudo. Default is false, i.e. sudo tickets are not cleared when user logout.

1. A new flag called tty_tickets has been added since Sudo version 1.7.4. If set, users must authenticate on a per-tty basis. With this flag enabled, sudo will use a file named for the tty the user is logged in on in the user's time stamp directory. If disabled, the time stamp of the directory is used instead. This flag is on by default. To disable this re-authentication feature, we need to disable this group policy and set e.g. "Defaults !tty_tickets" in sudoers file.
2. This group policy will only clear ticket files under /var/run/sudo by default. However, on some platforms, sudo will store the ticket files to other directories instead (i.e. /var/db/sudo). In this case, we can configure Centrify DirectControl configuration parameter adclient.sudo.timestampdir so Centrify DirectControl Agent will clean up path other than the default /var/run/sudo.

This group policy modifies the adclient.sudo.clear.passwd.timestamp setting in the Centrify DirectControl configuration file.

Supported on:

Registry PathSoftware\Policies\Centrify\CentrifyDC\Settings\Sudo
Value Nameadclient.sudo.clear.passwd.timestamp
Value TypeREG_SZ
Enabled Valuetrue
Disabled Valuefalse


Administrative Templates (Computers)

Administrative Templates (Users)