After entering an incorrect password at a login prompt, there s an approximately 3-second delay. How can I change that on a Linux system with PAM?
Asked
Active
Viewed 2.3k times
36
2 Answers
23
I assume you are using Linux and pam. The delay is probably caused by pam_faildelay.so. Check your pam configuration in /etc/pam.d using pam_faildelay, e.g:
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
To change the time adjust the delay parameter. If you want to get rid of the delay you can delete/comment the complete line.
Another source for the delay may be pam_unix.so. To disable the delay caused by pam_unix.so add the nodelay parameter, and optionally add a line calling pam_faildelay.so to add a (variable) delay instead, e.g.:
auth optional pam_faildelay.so delay=100000
Tim
- 183
Ulrich Dangel
- 25,369
-
3There is no mention of delay anywhere in
/etc/pam.d/*. The closest thing I see ispam_tally.sowhich allows locking after some number of attempts. But I do have n/etc/login.defs, which might be what I need. – Shawn J. Goff Jun 16 '12 at 16:53 -
@ShawnJ.Goff
pam_tally.sodoes not cause an delay as far as i know. Another source for the dealy may bepam_unix.so- you can disable it with thenodelayoption - see http://linux.die.net/man/8/pam_unix for more details – Ulrich Dangel Jun 16 '12 at 17:07 -
1Adding the
nodelayoption topam_unix.soand adding a new entry withpam_faildelay.so delay=$some_numberlets me set whatever I want. Thanks! – Shawn J. Goff Jun 16 '12 at 22:13 -
2Running fedora 23, I had to disable the
pam_unix.sodelay and start using thepam_faildelay.soone as @ShawnJ.Goff says. However, mostpam.dconfigs have "This file is auto-generated. User changes will be destroyed the next time authconfig is run." So where can I permanently configure the delay? – jozxyqk Jan 29 '16 at 07:34
13
You need to pass the nodelay parameter to the auth pam_unix.so.
Depending on how your'e authenticating, where you need to set the parameter varies. However most linux distrubtions have something like /etc/pam.d/system-auth which is included by all the different files.
So for example in /etc/pam.d/system-auth you might have a line that looks like this:
auth sufficient pam_unix.so try_first_pass nullok
This should be changed to:
auth sufficient pam_unix.so try_first_pass nullok nodelay
The pam_unix.so module is what performs authentication against /etc/passwd and /etc/shadow. If youre using LDAP or some other password backend, you likely should still be setting nodelay on the pam_unix.so as that is what controls the prompt (when pam_unix.so fails to auth, it usually just passes the password it obtained to the next module).
You can read more about pam_unix.so by doing man pam_unix
phemmer
- 71,831
pam_unixwith thenodelayoption andpam_tally2withdeny=5 unlock_time=15; this allows for 5 immediate retries, but denies access (even with a successful password) for 15 seconds. I still intend to try writing the described model, but now it's a back-burner project, because this would not be suitable if your primary access to the system is network-based since it makes a DOS attack trivial. – Shawn J. Goff Jun 20 '12 at 22:25