Commands.page Logo

What Does the Sudo -k Flag Do in Ubuntu Linux

This article explains the function of the -k flag when used with the sudo command in Ubuntu. You will learn how this option invalidates your current security timestamp, requiring you to re-enter your password for the next privileged command. It is a useful tool for enhancing security when stepping away from your terminal.

How Sudo Timestamps Work

To understand the -k flag, you must first understand how sudo handles authentication. When you successfully enter your password for a sudo command, Ubuntu creates a timestamp file. This file records the time of your last authentication. By default, this timestamp remains valid for 15 minutes. During this window, you can run additional sudo commands without typing your password again.

The Function of the -k Flag

The -k flag stands for “kill.” When you execute sudo -k, it invalidates the current user’s timestamp file immediately. It does not remove the file from the system, but it sets the recorded timestamp to the past. Consequently, the next time you attempt to run a command with sudo, the system will ignore the cached credentials and prompt you to enter your password again.

How to Use the Command

Using the flag is straightforward. Open your terminal and type the following command:

sudo -k

You will not see any output upon success. To verify it worked, try running a privileged command immediately after, such as updating package lists:

sudo apt update

Instead of executing immediately, the terminal will request your user password.

Security Benefits

The primary purpose of sudo -k is security. If you need to step away from your computer but want to leave your terminal open, running this command ensures that no one else can execute administrative tasks using your existing privileges. It forces re-authentication, protecting your system from unauthorized changes during your absence.

Difference Between -k and -K

It is important not to confuse -k with -K. While -k invalidates the user’s timestamp, the -K flag removes the timestamp file entirely. Both achieve the goal of requiring a password for the next command, but -k is the standard option for simply locking your current sudo session.