2

When using sudo, su, or simply the login screen from Linux Mint Cinnamon or Debian with Cinnamon, they all hang for a second when you enter an incorrect password.

For me, the fact that it hangs tells me "it's incorrect" already, making me Ctrl+C a sudo command and then retry with uparrow -> Enter, or close a login dialog with Escape and start typing to try again. This works just fine.

It appears to be an attempt at rate limiting, but it does not work because an attacker can just setup parallel guesses. If it actually wanted to rate limit, it should limit how many queries can be inputted per time period, not how long it takes before the output is returned (and it's only delayed in the failure case, another dead giveaway).

What is the reasoning behind doing it this way?

Luc
  • 3,610
  • 1
    This (with ssh, which also shows this behaviour) is a great way to remotely identify a Linux system. BSDs do not do this. – Kusalananda Jul 30 '16 at 15:04
  • @Kusalananda I didn't know that, might come in handy with pen testing some day. Thanks! – Luc Jul 30 '16 at 15:20
  • 1
    @Kusalananda Nice find, I looked for "sleep", "hang" and "hangs" in combination with sudo but didn't find this one. None of the answers answer my question though because the focus of the question is different. It asks "why does it delay" rather than "how is this supposed to help". Still, it helps me search for more info since it mentions some keywords like FAIL_DELAY. Thanks! – Luc Jul 30 '16 at 15:44
  • "It appears to be an attempt at rate limiting, but it does not work because an attacker can just setup parallel guesses." - they'll run into a connection limit, though, and the delay limits how many guesses they can do on each connection (the delay may get longer with each attempt across all connections, too, I'm not sure). – Random832 Jul 30 '16 at 18:25

1 Answers1

5

Those programs talk to PAM - Pluggable Authentication Modules for Linux for login access and password authentication. The default policy of those pam modules on your distro makes the delay in seconds for failed logins.

If you need to know more: 

man pam

and take a look under: 

/etc/pam.d
ebal
  • 465
  • 2
  • 6