36

After entering an incorrect password at a login prompt, there s an approximately 3-second delay. How can I change that on a Linux system with PAM?

countermode
  • 7,373
  • 5
  • 31
  • 58
Shawn J. Goff
  • 45,338
  • 25
  • 134
  • 145
  • 1
    I get the need for a delay from a security perspective, but the default delay *is* rather annoying – Mike Pennington Jun 16 '12 at 21:41
  • 3
    This has been interesting; maybe I'll write a module that allows N tries with no delay followed by any number of tries with a long delay. – Shawn J. Goff Jun 16 '12 at 23:27
  • 1
    Instead of a new module (suggested in my previous comment), I used `pam_unix` with the `nodelay` option and `pam_tally2` with `deny=5 unlock_time=15`; this allows for 5 immediate retries, but denies access (even with a successful password) for 15 seconds. I still intend to try writing the described model, but now it's a back-burner project, because this would not be suitable if your primary access to the system is network-based since it makes a DOS attack trivial. – Shawn J. Goff Jun 20 '12 at 22:25
  • 1
    if you are concerned about a network DoS from timeouts, use fail2ban... in fact use it even if you think you're safe :-). i use two day ban times – Mike Pennington Jun 20 '12 at 23:18

2 Answers2

23

I assume you are using Linux and pam. The delay is probably caused by pam_faildelay.so. Check your pam configuration in /etc/pam.d using pam_faildelay, e.g:

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

To change the time adjust the delay parameter. If you want to get rid of the delay you can delete/comment the complete line.

Another source for the delay may be pam_unix.so. To disable the delay caused by pam_unix.so add the nodelay parameter, and optionally add a line calling pam_faildelay.so to add a (variable) delay instead, e.g.:

auth       optional   pam_faildelay.so  delay=100000
Tim
  • 183
  • 5
Ulrich Dangel
  • 25,079
  • 3
  • 80
  • 80
  • 3
    There is no mention of delay anywhere in `/etc/pam.d/*`. The closest thing I see is `pam_tally.so` which allows locking after some number of attempts. But I do have n `/etc/login.defs`, which might be what I need. – Shawn J. Goff Jun 16 '12 at 16:53
  • @ShawnJ.Goff `pam_tally.so` does not cause an delay as far as i know. Another source for the dealy may be `pam_unix.so` - you can disable it with the `nodelay` option - see http://linux.die.net/man/8/pam_unix for more details – Ulrich Dangel Jun 16 '12 at 17:07
  • 1
    Adding the `nodelay` option to `pam_unix.so` and adding a new entry with `pam_faildelay.so delay=$some_number` lets me set whatever I want. Thanks! – Shawn J. Goff Jun 16 '12 at 22:13
  • 2
    Running fedora 23, I had to disable the `pam_unix.so` delay and start using the `pam_faildelay.so` one as @ShawnJ.Goff says. However, most `pam.d` configs have "*This file is auto-generated. User changes will be destroyed the next time authconfig is run.*" So where can I permanently configure the delay? – jozxyqk Jan 29 '16 at 07:34
13

You need to pass the nodelay parameter to the auth pam_unix.so.

Depending on how your'e authenticating, where you need to set the parameter varies. However most linux distrubtions have something like /etc/pam.d/system-auth which is included by all the different files.

So for example in /etc/pam.d/system-auth you might have a line that looks like this:

auth            sufficient      pam_unix.so try_first_pass nullok

This should be changed to:

auth            sufficient      pam_unix.so try_first_pass nullok nodelay

The pam_unix.so module is what performs authentication against /etc/passwd and /etc/shadow. If youre using LDAP or some other password backend, you likely should still be setting nodelay on the pam_unix.so as that is what controls the prompt (when pam_unix.so fails to auth, it usually just passes the password it obtained to the next module).

You can read more about pam_unix.so by doing man pam_unix

phemmer
  • 70,657
  • 19
  • 188
  • 223