
10.3: Remove the authentication timeout delay System
Apple set a timeout that remembers the authentication for 300 seconds. This may be handy on a personal computer used by only one user, but it is a security risk on a network full of students with a lot of bad ideas in their heads. You can remove the timeout by editing the file /etc/authorization with your favourite text editor and changing the timeout integer key to 0. Since it is an XML file, it might be handy to open it in Property List Editor. I use the following command to do so:
 % open -a "Property List Editor.app" /etc/authorization
If you remove the timeout key, the authentication will never time out. Be careful: you are editing a file which is mainly responsible for the security of your system! I recommend backing up the file before you change it:
 % sudo cp -p /etc/authorization /etc/authorization.original
Some users reported that after an admin user logs in, the Finder does not request authentication if you modify system files within the first five minutes. This is a result of the timeout value of 300 seconds set in /etc/authorization. After changing the value to 0, this security bug is gone. In general, I use my account without admin rights, and I was surprised that if you su to an admin user in a shell, the Finder does not ask for any authentication when you modify system files. The even more problematic security bug is that the Finder still remembers the authentication even after you have properly exited the admin session in the shell with exit. I therefore recommend setting the timeout to 0 on client computers, especially on computers where admins and regular users work together.
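
As an added example (not part of the original hint), this Python sketch audits a copy of the file for entries whose timeout exceeds a limit and builds a modified copy instead of editing the live file. The embedded plist is a constructed sample; the `example.*` right names, the function names and the `unshare` option (mirroring the shared-value change a commenter reports below) are assumptions.

```python
import copy
import plistlib

# Constructed sample in the rights/rules layout of /etc/authorization;
# the "example.*" names are hypothetical, not copied from a real system.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>rights</key><dict>
  <key>example.right.cached</key><dict>
   <key>class</key><string>user</string>
   <key>shared</key><true/>
   <key>timeout</key><integer>300</integer>
  </dict>
  <key>example.right.no-timeout-key</key><dict>
   <key>class</key><string>user</string>
  </dict>
 </dict>
 <key>rules</key><dict>
  <key>default</key><dict>
   <key>class</key><string>user</string>
   <key>shared</key><true/>
   <key>timeout</key><integer>300</integer>
  </dict>
 </dict>
</dict></plist>"""

def audit(db, max_timeout=0):
    """List (section, name, timeout, shared) where timeout exceeds max_timeout."""
    found = []
    for section in ("rights", "rules"):
        for name, entry in sorted(db.get(section, {}).items()):
            if isinstance(entry, dict) and entry.get("timeout", 0) > max_timeout:
                found.append((section, name, entry["timeout"], entry.get("shared", False)))
    return found

def harden(db, new_timeout=0, unshare=False):
    """Return a modified copy; existing timeout keys are rewritten, never removed."""
    out = copy.deepcopy(db)
    for section in ("rights", "rules"):
        for entry in out.get(section, {}).values():
            if not isinstance(entry, dict):
                continue
            if "timeout" in entry:
                entry["timeout"] = new_timeout
            if unshare and "shared" in entry:
                entry["shared"] = False
    return out

if __name__ == "__main__":
    db = plistlib.loads(SAMPLE)
    print(audit(db))
    print(plistlib.dumps(harden(db)).decode())
```

Run it against the backup copy made above and compare the output with the original before replacing anything.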

10.3: Remove the authentication timeout delay
Authored by: seann on Dec 01, '03 03:24:16PM

Unfortunately it's at random when this works; I was looking forward to using it.



Set timeout to 10-20 seconds !!
Authored by: Steff-X on Dec 02, '03 05:10:33AM
The Finder uses the default timeout (at the end of the /etc/authorization file). It is certainly not a good idea to modify it unless we have more information about the consequences it can have on the whole system. A timeout of 10-20 seconds would be safer! (And it works pretty well for me.)

Also keep in mind that a single Finder action may result in multiple UNIX actions. With a null timeout, the Finder may prompt for a password several times, i.e. for each UNIX action that requires it.

10.3: Remove the authentication timeout delay
Authored by: cilly on Dec 02, '03 10:21:56AM

Additional info:

I changed all timeout values from 300 to 1 and all shared values from true to false.

I tested it for one week and it works perfectly.

---
cilly @ http://www.cilly.dyndns.org/


10.3: Remove the authentication timeout delay
Authored by: arg on Dec 02, '03 04:23:07PM

Um... I had a MAJOR problem with this. Setting the authorization timeout to 0 made it impossible for me to edit anything in the Directory Access application. I don't know what happens with the timeout set to other values, but I'd use this one with EXTREME caution.



10.3: Remove the authentication timeout delay
Authored by: Jaharmi on Mar 09, '04 05:48:00PM

By the way, your Keychain is kept open and unlocked for a period of time after login, which may be controlled by this value.

This will not happen if you change your default user keychain (the one named after your short username) to use a passphrase that is different from your login account's password. (By default, the keychain password is set to the same password as your login account, but it can be different.) This could be a problem for you if you allow people to sit in front of your computer and you've set many items on your keychain to always allow access.

I would also consider the issue of the timeout one of a security compromise (for functionality), not necessarily a security flaw. The fact that there is a timeout value at all does indicate that thought was put into the setting. To exploit this in a meaningful way, it really looks like you'd need to have local access to the computer, and if you have that, well, all bets are off anyway.

Jeremy



10.3: Remove the authentication timeout delay
Authored by: johnsawyercjs on Mar 10, '04 01:46:48AM

What about doing just the opposite--setting the timeout to some very high figure, like 16 hours, for Macs that are NEVER used by anyone else but their owner, and never connected to a network, and used by someone who knows what they're doing and won't trash important System files, etc? Would this allow you to enter your admin password just once a day, the first time the OS wants it that day, and then it won't ask you again all day, to install software, etc? Or is this a bad idea for reasons other than security?


