The persist feature in OpenBSD's doas(1) uses a new
which allows creating (TIOCSETVERAUTH), clearing (TIOCCLRVERAUTH) and checking (TIOCCHKVERAUTH) authentications for the specific TTY with a timeout.
sudo(8) uses timestamp files to avoid having to enter the password repeatedly; they are bound to the PPID (parent process identifier) or TTY number.
After investigating how sudo(8) does it and reading old vulnerabilities in
I was a bit concerned about implementing it, but the quality-of-life improvement of not having to enter the password on each command is really nice to have, so I decided to implement timestamp files similarly to sudo(8) and avoid all the previous issues
had with it.
One issue I had with timestamp files in sudo(8) was that they were fairly easy to reuse on Linux. As a PoC (proof of concept) I authenticated myself in an ssh session and used
which created a timestamp file for the specific pseudo TTY and the PPID. Then my PoC would open a new pseudo TTY and would be assigned the one that was free after the ssh session was closed. To match the PPID, I just called clone(2) in a loop until I got the previous PPID of the sshd
This then allowed me to reuse the timestamp file from the ssh session and execute the PoC without having to enter a password.
When I was thinking about how this could be fixed, my idea was to use the start time of the TTY's session leader. The start time is a monotonic clock that can only go forwards from the time of boot.
There is no way to get the same TTY/PPID with the same start time of the session leader, other than rebooting the system, but there are other measures to avoid that.
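The check described above can be sketched as follows. This is an added example, not code from OpenDoas or sudo(8): it assumes the Linux /proc/<pid>/stat layout (start time in field 22), and the struct ts_record layout, the function names and the sample stat lines are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Field 22 (starttime, clock ticks since boot) of a /proc/<pid>/stat line.
 * comm (field 2) may contain spaces and ')', so scan from the LAST ')'. */
int parse_starttime(const char *stat, unsigned long long *out)
{
    const char *p = strrchr(stat, ')');
    char *end;
    if (p == NULL) return -1;
    p++;
    for (int field = 3; field < 22; field++) {   /* skip fields 3..21 */
        while (*p == ' ') p++;
        while (*p != ' ' && *p != '\0') p++;
    }
    while (*p == ' ') p++;
    if (*p < '0' || *p > '9') return -1;         /* truncated or not a number */
    errno = 0;
    *out = strtoull(p, &end, 10);
    return (errno == 0 && (*end == ' ' || *end == '\n' || *end == '\0')) ? 0 : -1;
}

struct ts_record {                    /* hypothetical timestamp record */
    int sid;                          /* session leader PID at auth time */
    unsigned long long leader_start;  /* its start time at auth time */
    long long auth_time;              /* monotonic seconds at auth time */
};

/* Returns 1 only if the record matches the leader's PID AND start time and
 * is within the timeout; a recycled PID has a different start time. */
int ts_valid(const struct ts_record *r, int sid, const char *leader_stat,
             long long now, long long timeout)
{
    unsigned long long start;
    if (parse_starttime(leader_stat, &start) != 0) return 0;
    if (r->sid != sid || r->leader_start != start) return 0;
    return now >= r->auth_time && now - r->auth_time <= timeout;
}
/* Constructed sample input: same PID 4242, different start times. */
static const char STAT_ORIG[] = "4242 (sshd: a) b) S 1 4242 4242 0 -1 0 0 0 0 0 1 2 0 0 20 0 1 0 123456 0 0\n";
static const char STAT_REUSED[] = "4242 (poc) S 1 4242 4242 0 -1 0 0 0 0 0 1 2 0 0 20 0 1 0 987654 0 0\n";
static const struct ts_record SAMPLE = { 4242, 123456ULL, 1000 };

int main(void)
{
    printf("original leader: %d\n", ts_valid(&SAMPLE, 4242, STAT_ORIG, 1100, 300));
    printf("recycled PID:    %d\n", ts_valid(&SAMPLE, 4242, STAT_REUSED, 1100, 300));
    return 0;
}
```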
I implemented this in OpenDoas and suggested that the sudo(8) maintainers implement the same mechanism to avoid this kind of “attack”. Within a few hours it landed in
every operating system sudo(8) supports has the capability to receive the start time of a process, so this new feature is not limited to Linux. This new feature was added and released in sudo(8) 1.8.22 in 2017.