You want sudo always to prompt for a password.
When controlled by superuser:
/etc/sudoers: Defaults timestamp_timeout = 0 systemwide Defaults:smith timestamp_timeout=0 per sudo user
When controlled by end-user, write a script that runs sudo -k after each sudo invocation. Call it "sudo" and put it in your search path ahead of /usr/bin/sudo:
~/bin/sudo: #!/bin/sh /usr/bin/sudo $@ /usr/bin/sudo -k
After invoking sudo, your authorization privileges last for some number of minutes, determined by the variable timestamp_timeout in /etc/sudoers. During this period, you will not be prompted for a password. If your timestamp_timeout is zero, sudo always prompts for a password.
This feature can be enabled only by the superuser, however. Ordinary users can achieve the same behavior with sudo -k, which forces sudo to prompt for a password on your next sudo command. Our recipe assumes that the directory ~/bin is in your search path ahead of /usr/bin.