2

I have searched everywhere and what people say is that you have to give the nodelay argument to the pam_unix.so in /etc/pam.d/system-auth to remove delay. I tried doing that and it didn't work. I even added nodelay to every pam_unix.so in the /etc/pam.d/ folder and it didn't work either. When that didn't work I tried adding this line: auth optional pam_faildelay.so delay=0 in /etc/pam.d/system-auth and it didn't work either. On the other hand, if I set the delay to more than 3 seconds it adds the delay but below 3 seconds it does not work. I am really confused and would appreciate if someone could answer me.

I also tried changing the FAIIL_DELAY to 0 in my /etc/login.defs and that also didn't work. Lastly, I looked for the auth required pam_unix.so try_first_pass nullok line in my /etc/pam.d/system-auth file but couldn't even find that line. The closest line that resembled that was this line: auth [success=2 default=ignore] pam_unix.so try_first_pass nullok. I then added the nodelay argument to that but it didn't work too.

Kareem Medhat
  • 23
  • This answer suggests that PAM will enforce a minimum delay of 2 seconds, but this one gives a slightly different /etc/pam.d/system-auth delay that could work. Can you try that and tell us how it goes? If it works, we can mark this as a duplicate. – terdon Jul 17 '21 at 17:16
  • I followed this answer's steps first by changing the FAIL_DELAY to 0 in my /etc/login.defs but that didn't change anything. I then looked for the auth required pam_unix.so try_first_pass nullok line in my /etc/pam.d/system-auth but I didn't find that exact line. However I found another similar line that read auth [success=2 default=ignore] pam_unix.so try_first_pass nullok. I then added the nodelay argument at the end of the line but that didn't work either. – Kareem Medhat Aug 12 '21 at 16:43
  • Please [edit] your question and include all this in case someone else can help more. – terdon Aug 12 '21 at 18:29

2 Answers2

1

Through some experimentation I discovered how to remove the incorrect password delay on arch.

In /etc/pam.d/system-auth, add nodelay to auth lines that mention the pam_faillock.so or pam_unix.so PAM modules.

In other words:

auth       required                    pam_faillock.so      preauth nodelay                                                
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok nodelay                                  
-auth      [success=1 default=ignore]  pam_systemd_home.so                                                                 
auth       [default=die]               pam_faillock.so      authfail nodelay

...

Many answers suggest adding the nodelay option to pam_unix, but it looks like pam_faillock has recently acquired a nodelay option as well.

webninja
  • 28
0

After some additional experimentation it seems that faillock has a config file where you can put nodelay.

This works for me on Arch linux: adding nodelay to the line with pam_unix.so in /etc/pam.d/system-auth

auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok nodelay

and appending nodelay to /etc/security/faillock.conf, just adding nodelay at the end of the file works fine.

Here you can additionally set deny to a higher number.

Also check:

man pam_unix
man pam_faillock

For me it wasn't so much to remove the delay when cancelling sudo but moreso for logging in. This also removes the delay for authentication.

Reverie
  • 21
  • 3