Turning off delays on failed password authentications
Today I got around to something on my office and home workstations that I should have done years ago: I turned off all delays after you mistype a password, both for ssh logins and for local things like su.
I've been an advocate against network authentication delays for quite some time. Over time I've come to realize that the same logic more or less applied to local authentication delays too. In theory they're there to slow down mass password guessing attacks, but in practice all they were doing was irritating me.
(They generally didn't slow me down because I was well trained that if su wasn't instantly successful, I'd mistyped the password and I should open up another 'su to root' window and do it again.)
As you'd expect (and hope), on Linux this is controlled through PAM.
On Fedora 17, it's sufficient to change the 'auth' usage of the pam_unix.so module to have the 'nodelay' parameter; this tells it to not ask the whole PAM system for a standard delay if authentication fails. I had to change both /etc/pam.d/passwd-auth (apparently used by sshd) and /etc/pam.d/system-auth (used by su). A typical line is now:
auth sufficient pam_unix.so nullok try_first_pass nodelay
(On my Fedora 17 machines both files have big warnings about their contents being autogenerated and they'll get overwritten by authconfig. Since I can't remember the last time that I ran authconfig, I didn't let this worry me.)
This gives you no delay at all. If you'd still like a little bit of delay you need to add a mention of the pam_faildelay.so module. I believe that it goes before pam_unix.so and it should look something like:
auth optional pam_faildelay.so delay=250000
(This delay is a quarter of a second, since the value is in microseconds. See the manpage.)
I haven't tested an Ubuntu system, but inspection shows that it does things a little bit differently. Based on looking at files, it appears that you want to modify /etc/pam.d/common-auth and then either remove the mention of pam_faildelay.so from /etc/pam.d/login or modify the delay time.
Having no delay on local password authentication is a potential security exposure to local users; it allows a local user to automate guessing attacks as fast as a program can run su, passwd, or the like. If this concerns you, use pam_faildelay.so to add a small delay; even a tenth of a second of delay will drastically slow down an attacker.
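Because the effective setting for a service like su or sshd depends on what its PAM file includes (system-auth on Fedora, common-auth via @include on Ubuntu), it is easy to lose track of which services actually ended up with no delay. The following audit script is an added example, not code from the original post: it walks a pam.d-style directory, follows 'include', 'substack' and '@include' lines for the 'auth' type, and reports per service whether pam_unix.so carries 'nodelay' and whether pam_faildelay.so supplies an explicit delay. The sample pam.d directory it builds is constructed for the demo and only loosely modelled on the Fedora and Ubuntu layouts the post describes; the service names and lines in it are not copied from any real system.

```python
"""Audit PAM 'auth' stacks for failed-password delay settings (added example)."""
import os
import re
import tempfile

# Constructed sample pam.d directory (not a real system's files).
SAMPLE_PAMD = {
    "system-auth": (
        "# autogenerated-style header (constructed sample)\n"
        "auth required pam_env.so\n"
        "auth sufficient pam_unix.so nullok try_first_pass nodelay\n"
        "auth required pam_deny.so\n"
    ),
    "password-auth": (
        "auth optional pam_faildelay.so delay=250000\n"
        "auth sufficient pam_unix.so nullok try_first_pass nodelay\n"
        "auth required pam_deny.so\n"
    ),
    "su": "auth include system-auth\n",
    "sshd": "auth substack password-auth\n",
    # Ubuntu-style: login keeps its own pam_faildelay, then pulls in common-auth
    "login": "auth optional pam_faildelay.so delay=3000000\n@include common-auth\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n",
}

# Matches "type control module args", where control may be a bracketed
# expression such as [success=1 default=ignore] that contains spaces.
LINE_RE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def write_sample_pamd():
    """Write the constructed sample files to a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="pamd-")
    for name, body in SAMPLE_PAMD.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    return d


def split_pam_line(line):
    """Return (type, control, module, args) for one config line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if line.startswith("@include"):  # Debian/Ubuntu whole-file include
        return ("@include", None, line.split()[1], [])
    m = LINE_RE.match(line)
    if not m:
        return None
    mtype, control, module, rest = m.groups()
    # A leading '-' marks a module whose absence PAM tolerates; same type.
    return (mtype.lstrip("-"), control, module, rest.split())


def auth_stack(pamd_dir, service, depth=0):
    """Flatten the 'auth' stack of a service into a list of (module, args)."""
    if depth > 8:
        raise RecursionError("PAM include loop involving " + service)
    stack = []
    path = os.path.join(pamd_dir, service)
    if not os.path.exists(path):
        return stack  # missing file; real PAM would fall back to 'other'
    with open(path) as f:
        for raw in f:
            parsed = split_pam_line(raw)
            if parsed is None:
                continue
            mtype, control, module, args = parsed
            if mtype == "@include" or (mtype == "auth" and control in ("include", "substack")):
                stack.extend(auth_stack(pamd_dir, module, depth + 1))
            elif mtype == "auth":
                stack.append((module, args))
    return stack


def audit_auth_delay(pamd_dir, service):
    """Report nodelay / pam_faildelay status for one service's auth stack."""
    stack = auth_stack(pamd_dir, service)
    unix_args = [a for mod, a in stack if os.path.basename(mod) == "pam_unix.so"]
    nodelay = all("nodelay" in a for a in unix_args) if unix_args else None
    has_faildelay, faildelay_us = False, None
    for mod, args in stack:
        if os.path.basename(mod) == "pam_faildelay.so":
            has_faildelay = True
            for a in args:
                if a.startswith("delay="):
                    faildelay_us = int(a[len("delay="):])
    if unix_args and not nodelay:
        verdict = "default delay: pam_unix.so requests PAM's standard delay"
    elif has_faildelay and faildelay_us is not None:
        verdict = "explicit delay via pam_faildelay.so (%d us)" % faildelay_us
    elif has_faildelay:
        verdict = "pam_faildelay.so present; delay taken from login.defs FAIL_DELAY"
    elif unix_args:
        verdict = "no delay on failed passwords"
    else:
        verdict = "no pam_unix.so in auth stack"
    return {"pam_unix_nodelay": nodelay, "faildelay_us": faildelay_us, "verdict": verdict}


if __name__ == "__main__":
    d = write_sample_pamd()
    for svc in ("su", "sshd", "login"):
        print("%-6s %s" % (svc, audit_auth_delay(d, svc)["verdict"]))
```

Point it at /etc/pam.d instead of the sample directory to audit a real machine; a service whose verdict reads "no delay on failed passwords" is one where the exposure described above applies, and the fix is the pam_faildelay.so line shown earlier.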
PS: my excuse for not doing anything about network authentication delays on my own systems for so long is that I just use SSH keys, so sshd almost never asks me for a password in the first place.