On one box where I test configuration edits and backups, I find myself using doas around once every 7-9 minutes, exceeding the 5 minute limit. Another box is basically a gateway, so I don't exceed 2 minutes between doas runs.

It would be nice to have the option of deviating from the default, and the "persist" feature seems incomplete without the ability to adjust the timeout from a fixed 5 minutes.

I didn't say anything until now, because I was under the impression there was something else planned for the "persist" feature, but I haven't seen anything about this in the mailing lists since this:

https://marc.info/?l=openbsd-tech&m=147314077009745

Since the first release with this feature will be 6.1, it seems logical to make any syntax changes now rather than later.

No kernel changes needed here, since the timeout can be set with TIOCSETVERAUTH, so I don't see any harm in giving admins the option of setting the timeout with doas.conf instead of it being hard-coded into doas itself.

On Sun, 12 Mar 2017 10:20:46 -0600 "Theo de Raadt" <dera...@openbsd.org> wrote:
> I'll ask the question: Why are you sure you need that?
>
> > Are there plans (or perhaps code already being worked on) to allow
> > doas(1) 'persist' to have a different time other than 5 minutes? I
> > am thinking of writing a patch for this, but I do not want to
> > duplicate effort if the devs have other/similar plans ahead.
> >
> > I would like to configure the timeout to be 1 minute on one of my
> > boxes, and 5-10 minutes on another box.
> >
> > For instance, something like:
> >
> > # 90-second persistence
> > permit persist=90 :wheel
> > permit nopass keepenv root
> >
> > # 5-minute persistence
> > permit persist :captain
> >
> > Or even:
> >
> > # 90-seconds; timeout must be specified.
> > permit persist 90 :wheel
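
An added sketch, not part of the thread and not doas source code: how a `persist=N` option token like the one proposed above could be validated before the value reaches TIOCSETVERAUTH. The function names, the 1 to 3600 second bounds and the pass-an-int-of-seconds calling convention are assumptions of this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>

/* Assumed policy bounds for this example, not values from the thread. */
#define PERSIST_MIN_SECS	1
#define PERSIST_MAX_SECS	3600
#define PERSIST_DEFAULT_SECS	(5 * 60)	/* the fixed 5 minutes discussed above */

/*
 * Parse one option token: plain "persist" or the proposed "persist=N".
 * Returns 0 and stores the timeout in *secs, -1 on malformed or
 * out-of-range input (hypothetical helper).
 */
int
parse_persist(const char *tok, int *secs)
{
	const char *val;
	char *end;
	long n;

	if (strcmp(tok, "persist") == 0) {
		*secs = PERSIST_DEFAULT_SECS;
		return 0;
	}
	if (strncmp(tok, "persist=", 8) != 0)
		return -1;
	val = tok + 8;
	/* Reject empty values, signs and whitespace that strtol would accept. */
	if (*val < '0' || *val > '9')
		return -1;
	errno = 0;
	n = strtol(val, &end, 10);
	if (errno != 0 || *end != '\0' ||
	    n < PERSIST_MIN_SECS || n > PERSIST_MAX_SECS)
		return -1;
	*secs = (int)n;
	return 0;
}

/* Arm the tty's auth timer; only works where TIOCSETVERAUTH is defined. */
int
set_persist(int ttyfd, int secs)
{
#ifdef TIOCSETVERAUTH
	return ioctl(ttyfd, TIOCSETVERAUTH, &secs);
#else
	(void)ttyfd; (void)secs;
	errno = ENOTSUP;
	return -1;
#endif
}
```

Rejecting a bad value at parse time means a typo in the configuration fails closed instead of silently falling back to some other timeout.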