Category: Security

Change The ‘sudo’ Password Timeout

Today’s article is going to be a pretty basic article about sudo, where we learn how to change the sudo password timeout. It’s pretty easy to change the sudo password timeout value, and reasonably safe to do so if you use visudo. So, with that in mind, read on!

When you use sudo you’re given a grace period. During that time, you can use sudo again without being asked to type your password again. This is an arbitrary value, typically 15 minutes (I think), and you can customize that value for your particular environment. It’s not difficult.

This is something people may want to change if they’re slow, doing a lot with sudo, or have good physical security. This is also something that someone might want to change for the opposite reason. Some people may want to decrease the length of time that they have with sudo because they work in a shared environment. Who knows? It’s your computer, you can do what you want!

So, what is sudo? It’s how you temporarily use elevated permissions. In fact, I wrote a whole article on this subject, which you can read if you’re so inclined – and I’d suggest doing so if you’re new to Linux:

So, What Is ‘sudo’ Anyhow?

Well then, I mentioned another application. I mentioned ‘visudo’ above.

This may come as a surprise, but I actually wrote an article about visudo! You can read that as well, especially if you’re new to Linux:

Use visudo To Edit The sudoers File

Huh… It’s almost as if I’ve been waiting to write this article for a while and that I took the time to write articles that explain all these things. For a brief moment, one might be fooled into thinking I am good at preparing things. Little do you know… It’d be far more accurate to just say that I’ve written a bunch of articles already. I’d prefer it if you thought it was the former, but there’s definitely a touch of the latter.

Change The sudo Password Timeout:

If you clicked on either of the two links above, you’d know that those tools are used in the terminal. You didn’t click them, did you? Well, you’re going to need an open terminal. In most distros, you can just press CTRL + ALT + T and your default terminal should open. 

With your terminal now open, we’re going to use visudo to edit your sudoers file. In my particular case, we’ll be using Nano. (See? Yet another article you can rely on for more information about Nano!) The command to start banging away on your sudoers file would be simply this:

Now, I can’t say for sure that you’ll be using Nano for this. As you didn’t click the links above, I’ll remind you that visudo uses your default text editor. So, you’ll need to be prepared for that. Your default text editor may be Vim, for example, and you’ll need to know the basics to change your sudo password timeout.

NOTE: If you want, you can change your default text editor. (Did you see that? I did it again!)

Anyhow…

With your sudoers file now open for editing, you just enter the following on a new line:

As far as I can tell, most distros default to 15 minutes. So, you can use sudo and then you won’t be asked for the password again for the next fifteen minutes. In the above, you replace the obvious with the obvious. If you wanted 10 minutes leeway without retyping the password, you’d use this command:

If you wanted an hour’s worth of leeway without typing your sudo password again, then the command would just be this:

See? It’s not very complicated at all.

If you want to be fancy, you could include a comment. A comment starts with an # symbol and is thus ignored by the system. You might want to enter something like this:

By adding a comment, you’ll be reminded of what changes you’ve made from the default configuration. This is generally a good idea, especially if you’re going to heavily modify your system.

As this is Nano, you can finish editing the sudoers file by pressing the CTRL + X, then Y, and then the ENTER button. That will save the changes with Nano. If you’re not using Nano, you’ll need to refer to the manual (unless you already know how to save an edited file).

Closure:

And there you go! You can now change your sudo password timeout value to whatever it is you desire, assuming it’s whole minutes. I do not believe it works with fractions of minutes. You shouldn’t need to reboot or anything. It should take effect immediately and be the new timeout value the very next time you use a command that starts with sudo.

Of course, this comes with some security considerations. If this is a public kiosk, you’d have to be a fool to make this longer. You’d have to be a fool to have sudo access to begin with! That’s why they make guest accounts!

But, if you’re home alone and the neighbors aren’t going to sneak in to steal your wifi password, you’re probably good to go. Heck, if you are daring, you can use sudo without a password. I don’t recommend that, but you can… 

Also, this article contains a whole lot of links to other articles. Google will be pleased! I think it speaks to how many articles I’ve already written more than any foresight on my part.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

How To: Change DNS Servers

Today’s article shouldn’t be all that difficult for even our newest users but is limited to those who want to change DNS servers to something other than the default. This is easy enough to do, but obscure enough to warrant an article of its own. 

First, let’s have some fun. I’m going to ask ChatGPT to tell you about DNS in just two paragraphs. So, let’s see what the AI has to say:

First, what is DNS?

DNS, or the Domain Name System, is a fundamental protocol used in computer networks to translate human-readable domain names into machine-readable IP addresses. It serves as a decentralized directory system that enables users to access websites, send emails, and perform various network activities using familiar domain names instead of numerical IP addresses. When a user enters a domain name in their web browser, the DNS resolver (typically provided by the Internet Service Provider or ISP) initiates a series of queries to locate the corresponding IP address. The resolver communicates with DNS servers, starting from the root servers, then the top-level domain servers, and finally the authoritative name servers associated with the requested domain. Through this hierarchical process, DNS ensures efficient and accurate resolution of domain names, facilitating seamless internet connectivity.

DNS operates through a distributed database system known as the DNS namespace. This namespace is organized hierarchically, with the root domain at the top, followed by top-level domains (TLDs) like .com, .org, or country-specific domains such as .us or .uk. Beneath the TLDs, there are second-level domains, and further subdivisions like subdomains. Each domain has authoritative name servers that store the IP addresses associated with the domain names they manage. DNS resolution occurs through recursive queries, where the resolver traverses the DNS hierarchy to find the authoritative name servers responsible for the domain. Once the IP address is obtained, the resolver caches it for future use, reducing the need for repetitive queries. DNS plays a crucial role in the functioning of the internet by providing a scalable and efficient method for translating domain names to IP addresses, enabling seamless communication and accessibility across the network.

Wow! That’s pretty accurate. I’d have just resorted to describing DNS as the telephone book of the internet. You look up the name you want to reach and DNS tells you the number. In this case, the number is the IP address.

All in all, I’d say ChatGPT did a pretty fine job.

Change DNS Servers:

There are a variety of reasons why someone would want to change DNS servers to something else. They may get updated more quickly, weed out junk domains, or even remove ads and things like that. Maybe you want to weed out inappropriate material because you have children. Perhaps you have some custom configurations needed to traverse your complex local network. There are all sorts of reasons why you might want to change DNS servers.

See, as alluded to above, it’s perfectly possible to run your own DNS server (see Pi-hole for one such example). You can also use DNS servers provided by various third parties. For example, CloudFlare and Google offer their own DNS servers that are free for you to use. There are other choices, but this isn’t an encyclopedia writ large, so I’m going to just include those two. You can use your favorite search engine to find more.

So, let’s say you don’t like using a DNS server provided by your ISP. Perhaps you do this because of privacy issues, though you can look into DNS over HTTPS if you’d like. Perhaps you just don’t find them updated quickly enough or you’ve found they contain errors. (They do sometimes have issues and have even been known to be exploited in the past.)

NOTE: We’ll be using ‘nano‘ for this exercise. We’ll also default to Google’s public DNS servers, but you can substitute with whatever you find available.

Well, the first step you’re going to take is opening your terminal. You can do that by just pressing CTRL + ALT + T. In most distros, that will open the default terminal emulator. If your distro doesn’t do so, start mucking about with the keybindings until it does!

The file we’ll be editing doesn’t actually exist on most distros. That’s not a problem, because we’ll be making that file with nano. With your terminal open, enter the following command:

That should be a perfectly blank file and you’ll want to enter the following (again, using Google’s public DNS servers) to change DNS servers:

Then, you’ll save the file with Nano. That’s pretty easy. To save this new resolv.conf file with nano, you just press CTRL + X, then Y, and then ENTER.

Next, you’ll need to reboot. I know this will pain some of you, but I’ve yet to have a sure way to effect these changes other than rebooting. So, you’ve gotta do that. Try this command:

Now that you’ve managed to change DNS servers, you should be able to browse around much as you normally would. Remember, the people in charge of the DNS servers are the ones that decide where you go when you enter an address into the address bar and smash that enter button.

Be sure to use a company you trust to provide those services and be sure to verify your internet is still working properly. If it’s not working, you can remove the file and reboot or you can edit it again and try rebooting again. It shouldn’t be a problem in reality, this isn’t anything all that complicated.

Closure:

So, there you have it. It’s yet another article. This time around we discussed how to change DNS servers – along with some reasons as to why you might want to. If you have a spare bit of hardware kicking about, you can make your own DNS server and point to that with the internal addresses you’d be using. It’s nothing too painful and I think even beginning Linux users can follow along easily enough.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Use visudo To Edit The sudoers File

Today’s article may take a different format than most, as it’s just an article telling you to use visudo to edit the sudoers file. This type of article doesn’t lend itself to my normal formatting and should be considered akin to a Public Service Announcement. 

So, let’s start with the basics:

What Is The sudoers File?

Very simply, the sudoers file is the file on your system that decides who has permission to use elevated permissions via sudo. The sudoers file is pretty important and it’s easy to make mistakes while editing it. Fortunately, there’s some protection you can use while editing the sudoers file.

If you’re curious, we normally recommend using sudo instead of using root because sudo only gives the command elevated permissions while root always has elevated permissions. Those folks reading my site are generally fairly new to Linux and, as such, I strongly suggest using sudo instead of just logging in as root. Sure, it’s more of a hassle, but it’ll help save you from yourself.

What is visudo?

The visudo command will open your sudoers file with your default text editor. In many cases that will be Vim, but Nano is starting to be the default for more distros. I prefer the latter.

The visudo command defines itself like so:

visudo — edit the sudoers file

Further, and helpfully, you’ll find this in the description:

visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors before installing the edited file. If the sudoers file is currently being edited you will receive a message to try again later.

So, as you can see, using visudo will help protect you from mistakes.

NOTE: While visudo can save you from syntax mistakes, it will do nothing to prevent you from entering the wrong information. If you open a second terminal and pre-authenticate for sudo, and do so quickly enough, you can then use that second terminal to fix it (re-editing the sudoers file).

Use visudo To Edit The sudoers File:

The sudoers file is located at /etc/sudoers and is a plain text file. It’s just a configuration file, like so many other configuration files. But, as described above, it’s a very important file. It’s also possible to mount the drive with a live Linux instance to edit the file, but that’s not something I’d recommend. Besides, if you use visudo to edit the sudoers file that shouldn’t be a problem.

You don’t need to specify anything when you want to edit the sudoers file. You don’t have to specify the file’s location. The visudo command knows where your sudo file is (unless you’ve modified this, as you can make a second config file and edit that) all by itself. If you want to use visudo to edit the sudoers file, you simply need this command in your favorite terminal:

The very first line of that file says this:

This file MUST be edited with the ‘visudo’ command as root.

I realize what it says, but in this case, you can replace ‘root’ with ‘sudo’ which will elevate your permissions to those of root. So, we’re sort of still using root to edit the file, but we’re technically just using sudo.

Closure:

There is my PSA about using visudo to edit that sudoers file. You must do so, especially if you’re new. You might be able to avoid a syntax error, but there’s no reason to not use visudo which will check for that sort of stuff.

I suppose the name comes from a time when Vi was still popular and it’s not a complete solution. You can still enter garbage and get garbage results. If you’re unprepared for the potential consequences, you might want to avoid editing the sudoers file until you’ve gained some confidence and have more familiarity with the tools Linux provides.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Let’s Password Protect A File

Today’s article is a fun one, where we’ll learn how to password protect a file using something called GPG. It’s not complicated. You can learn how to password protect a file in just a few minutes. You can then send these files out and other people can decrypt them – assuming you’ve shared the password with them.

We all have secrets. They’re not all digital, but they could be. We may also want to be able to share files that have private information in them, meaning you only want people with the password to open it. Though, I suppose, brute force is always an option – but you can at least make it difficult by using a complex password, preferably one that you didn’t generate yourself.

So, what is GPG? GPG stands for “GNU Privacy Guard”. It’s fairly standard and used quite a bit. There are other applications, like PGP, but I think all of you folks that use a ‘full’ distro will have GPG installed by default. It’s one of those tools that you might not use all that often, but it seems to be included by default in a lot of places. I suspect that’s because other things rely on GPG, but I’m way too lazy inept to look that up.

By the way, the GPG man page describes it as:

gpg – OpenPGP encryption and signing tool

That GPG is what we’re going to be using for this exercise. Trust me, it’s easier than you might think. 

Password Protect A File:

Do I have to mention it? Of course I do! It’s time for your favorite thing, an open terminal ready for your commands. You can open your default terminal by pressing CTRL + ALT + T.

With your terminal now open, the command to password protect a file would be:

The -c flag stands for encryption. It should then ask you for a password, that you’ll need to enter twice, and then it will make an encrypted copy of the file with a .gpg extension. The original file will still exist, so this isn’t encrypting that original file. It’s making an encrypted copy and you’ll want to safely delete the original file if that’s your intention.

Now, to open the new <file_name>.gpg file, you’ll need to use the following command:

Now, when I went to open that with the same computer and the same session it didn’t ask for a password. I shipped it to another computer and it did just that. I do not know why.

When you successfully open the password protected file, it will ask you if you want to overwrite the original. This shouldn’t happen when you ship it to someone else unless they happen to already have a file with that specific name. It also will let you say don’t want to overwrite the file and let you pick a new file name for the unencrypted content.

Closure:

You can actually do this with a folder if you’d prefer. It’s just specifying a folder instead of a file. The process is exactly the same. So, like I said in the start, it’s a really easy task to password protect a file. The terminal is useful for all sorts of stuff.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

How To: Encrypt A USB Drive

So, today’s article will be a bit different, as I answer a question posed to me by way of the contact form – which is how to encrypt a USB drive. Being the nice guy I am, I answered the question. As I’m also often busy (or lazy), I also decided to turn this into an article. Why not?

I normally frown on people asking me questions directly. My usual suggestion is that they visit a forum and ask there. I usually direct them to Linux.org, where there’s a good forum filled with all sorts of smart people. That’s usually a sufficient answer, but this time I had a few spare minutes and typed out a response to them.

First of all, this was their question (I’ve removed all the superfluous stuff):

How would you encrypt a USB drive?

There were several sentences, a preemptive thanks, and some commentary about reading the site regularly. I decided to tackle this question but I was limited strictly to text because I was using email as my format.

But, if we start with the question, we can see an immediate problem. The question was ‘how would you’… Well, I’d crack open the terminal and use a tool called cryptsetup. That’s what I’d do. It’s a great tool and I’m familiar with its use.

However… That’s not what I’d suggest to the person asking the question. I did mention this to them in my reply, leaving the door open for more questions or for them to hit up their favorite search engine. Instead, I detailed another way to encrypt a USB drive. Yes, they used the word ‘drive’ and not ‘thumbdrive’. That doesn’t matter.

How To Encrypt A USB Drive:

The first thing you’re going to need for this is ‘Gnome Disks’. So, let’s go ahead and ensure you’ve got that installed, open your terminal by pressing CTRL + ALT + T and install the application. If you’re using apt you’d use the following command, but you’ll need to edit it for your package manager. (It’s almost certainly available in your default repos.)

Using Gnome Disks is a good idea. It’s fairly ubiquitous, easy to install, and doesn’t pull in a ton of dependencies when you install it. That means you can easily use Gnome Disks with pretty much any desktop environment out there with ease and very little fanfare.

Now, insert the USB drive. Don’t worry if it automatically mounts. Gnome Disks is smart enough to deal with that. Any data on this disk will be lost. It will be irrevocably lost. There’s no ‘oops’ button involved.

With Gnome Disks now installed (do not ask me why the command to open the application is different than the command to install the application), you can open it with the following:

There you go, you’re in a GUI now. You won’t need the terminal for anything else. (This would be easier with images, but I couldn’t really include images in the email reply without a lot of work and them potentially never even seeing the images due to reading the email in plain text format.)

On the lefthand part of the Gnome Disks window, pick the USB drive you want to encrypt.

On the right-hand part of Gnome Disks, click on the ‘gears’ icon and select the ‘Format Partition’ option.

Add a name for your encrypted USB drive in the next window. Then, say it is an internal disk (it’s all good) and tick the button to password-protect the volume.

In the next window, you will type your password twice. You’ll type it once and then type it again below that. This is to make sure you typed it properly. It’s a good idea to remember this password, ’cause this isn’t something you can just back out of and still have your data.

At this point, Gnome Disks will give you a warning about data loss. In the upper right, click the ‘Format’ button. Be certain about what you’re doing because this will erase data. Gnome Disks doesn’t care if the drive contained the only copies of your child’s birthday pictures.

Gnome Disks is kinda like a wolverine. Approach it with caution because it does not give a crap about your feelings.

Assuming the winds are in your favor, you should now have an encrypted USB drive. Test this by unplugging your USB drive and plugging it back in. When you plug it back in, it should ask you for a password. Enter your password to ensure you typed it properly in an earlier step. If all goes well, enjoy your encrypted USB drive.

Closure:

By the way, happy Mother’s Day (for those who qualify).

And so, that was more or less my answer to the inquisitive user. I don’t mind questions. I just don’t always have time for that, and often don’t know the answers. Of course, I did make a few changes. The actual reply I sent them was worded a bit differently in places. I think the above reads better and is more concise.

In this case, I think I got it right and they were able to encrypt their USB drive. I haven’t heard back from them since. It’d be nice if they let me know but they left me hanging. Ah well… If it’s wrong, someone will leave me a comment!

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Subscribe To Our Newsletter
Get notified when new articles are published! It's free and I won't send you any spam.
.
Linux Tips
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.