Red Hat Bugzilla – Bug 1003189
sudo: RFE: tie identification and expiration to logind session, not tty
Last modified: 2018-01-30 22:35:34 EST
Description of problem:
If I have two terminal emulators open, in the same X instance, sudo will ask for each password separately. If sudo could somehow know that this is the same session (in the X sense, and in the systemd-logind sense), that would be great.
Security wouldn't be diminished, because if somebody/something can write to one pty, it can write to the other one just as well.
Also, sudo should expire the authentication tickets based on the logind session inactivity, as exposed by the IdleHintSince property of session objects
(see Session Objects in http://www.freedesktop.org/wiki/Software/systemd/logind/). If I'm reading documentation in one window, and "confirm" my presence by scrolling every few minutes, then the sudo session in one of the windows would not expire.
Those two changes would improve administrators' experience with more complicated tasks when multiple windows are open. I hope that the logind1 dbus api is sufficient. If not, then we can certainly extend it so that it suffices for this use case, because certainly other similar ones will appear.
Version-Release number of selected component (if applicable):
I'm not sure what you really want.
Try to disable tty_tickets in sudoers, I think it would be sufficient.
With tty_tickets disabled, I'd get a single ticket per user, which is too broad. With tty_tickets enabled, I get asked for a password in every tab of gnome-terminal, which gives me no additional security but is annoying. I guess that despite the name it's asking once per pty.
I'm asking for the sudo authentication to be tied to an actual login session, as registered by logind. In that case I'd get separate authentication for logins on different physical seats and kernel ttys, much more meaningful.
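The following is an added illustration of the two ticket models discussed above (the existing per-tty ticket versus the requested per-logind-session ticket that expires on session idleness). It is not sudo's or systemd's code; it is a stand-alone toy model. It assumes the `loginctl show-session` KEY=VALUE output format and the logind session properties `Id`, `IdleHint` and `IdleSinceHintMonotonic` (the documented names for what the report calls IdleHintSince), and uses sudo's default 5-minute `timestamp_timeout`. The session data and timestamps are constructed samples.

```python
"""Toy model of the ticket policy proposed in this RFE: key sudo tickets by
logind session instead of tty, and expire them on session idleness.
Added example; it is not sudo's or systemd's code."""

from dataclasses import dataclass, field

# sudo's default timestamp_timeout is 5 minutes; kept in microseconds because
# logind's *Monotonic properties are CLOCK_MONOTONIC microseconds.
TIMESTAMP_TIMEOUT_US = 5 * 60 * 1_000_000


def parse_loginctl(text: str) -> dict:
    """Parse KEY=VALUE lines in the form printed by `loginctl show-session <id>`."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


@dataclass
class TicketStore:
    """Holds ticket issue times keyed either per tty or per logind session."""
    per_session: bool
    tickets: dict = field(default_factory=dict)

    def _key(self, uid, tty, session):
        if self.per_session:
            return (uid, "session", session["Id"])
        return (uid, "tty", tty)

    def record(self, uid, tty, session, now_us):
        """Called after a successful password prompt."""
        self.tickets[self._key(uid, tty, session)] = now_us

    def is_valid(self, uid, tty, session, now_us):
        issued = self.tickets.get(self._key(uid, tty, session))
        if issued is None:
            return False
        if not self.per_session:
            # Current tty_tickets behaviour: only the age of this tty's ticket counts.
            return now_us - issued <= TIMESTAMP_TIMEOUT_US
        # Proposed behaviour: the ticket lives while the session is active and
        # expires once logind has reported the session idle for longer than
        # the timeout, whichever pty the activity happened on.
        if session.get("IdleHint") == "yes":
            idle_since = int(session["IdleSinceHintMonotonic"])
            return now_us - idle_since <= TIMESTAMP_TIMEOUT_US
        return True


# Constructed samples in loginctl's KEY=VALUE format: the same session (Id=3),
# first reported active, then reported idle since monotonic time 1600 s.
ACTIVE_SESSION = parse_loginctl("Id=3\nSeat=seat0\nTTY=tty2\nIdleHint=no\n")
IDLE_SESSION = parse_loginctl(
    "Id=3\nSeat=seat0\nTTY=tty2\nIdleHint=yes\nIdleSinceHintMonotonic=1600000000\n"
)


def demo():
    """Authenticate once on pts/1 and probe both models from two ptys, at
    one minute and at twenty minutes after the prompt."""
    uid = 1000
    t0 = 1_000_000_000                    # password prompt at monotonic 1000 s (constructed)
    soon = t0 + 60 * 1_000_000            # one minute later
    later = t0 + 20 * 60 * 1_000_000      # twenty minutes later
    results = {}
    for name, per_session in (("tty", False), ("session", True)):
        store = TicketStore(per_session)
        store.record(uid, "pts/1", ACTIVE_SESSION, t0)
        results[name] = {
            "same_pty_soon": store.is_valid(uid, "pts/1", ACTIVE_SESSION, soon),
            "other_pty_soon": store.is_valid(uid, "pts/3", ACTIVE_SESSION, soon),
            "later_session_active": store.is_valid(uid, "pts/1", ACTIVE_SESSION, later),
            "later_session_idle": store.is_valid(uid, "pts/1", IDLE_SESSION, later),
        }
    return results


if __name__ == "__main__":
    for model, outcome in demo().items():
        print(model, outcome)
```

Under the tty model the second pty needs its own password and the ticket dies after five minutes regardless of what the user is doing elsewhere; under the session model both ptys share the ticket, it survives as long as logind sees the session active, and it expires once the session has been idle for longer than the timeout. Two logins on different seats or kernel ttys have different session Ids and therefore never share a ticket.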