Turning off delays on failed password authentications

March 6, 2013

Today I got around to something on my office and home workstations that I should have done years ago: I turned off all delays after you mistype a password, both for ssh logins and for local things like su.

I've argued against network authentication delays for quite some time, and over time I've come to realize that the same logic more or less applies to local authentication delays too. In theory they're there to slow down mass password guessing attacks, but in practice all they were doing was irritating me.

(They generally didn't slow me down because I was well trained that if su wasn't instantly successful, I'd mistyped the password and I should open up another 'su to root' window and do it again.)

As you'd expect (and hope), on Linux this is controlled through PAM. On Fedora 17 it's sufficient to give the 'auth' use of the pam_unix.so module the 'nodelay' parameter. Without it, pam_unix.so asks the PAM library (through pam_fail_delay(3)) for its standard two second delay whenever authentication fails; 'nodelay' suppresses that request. I had to change both /etc/pam.d/password-auth (pulled in by /etc/pam.d/sshd) and /etc/pam.d/system-auth (used by su). A typical line is now:

auth   sufficient    pam_unix.so  nullok try_first_pass nodelay

(On my Fedora 17 machines both files carry big warnings that their contents are autogenerated and will be overwritten by authconfig. Since I can't remember the last time that I ran authconfig, I didn't let this worry me.)

This gives you no delay at all. If you'd still like a little bit of delay, add the pam_faildelay.so module to the same 'auth' stack while keeping 'nodelay' on pam_unix.so: the PAM library applies the longest delay that any module requested, so without 'nodelay' the two second request from pam_unix.so would still win. I believe that it goes before pam_unix.so and it should look something like:

auth   optional     pam_faildelay.so delay=250000

(The delay is given in microseconds, so this is a quarter of a second. See the pam_faildelay(8) manpage.)
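Because the library picks the longest requested delay, it is easy to add a pam_faildelay.so line and wonder why the two second pause is still there. The following script, an added example and not something from the original post, reads a PAM service file and reports the longest delay its 'auth' stack will request, using the two rules above (pam_unix.so without 'nodelay' asks for two seconds; pam_faildelay.so asks for its delay= value). It assumes you only care about the 'auth' stack of the one file you name, does not follow 'include' or 'substack' lines into other files, and only warns about a pam_faildelay.so line with no delay= argument (that form takes FAIL_DELAY from /etc/login.defs). The sample files at the bottom are constructed stand-ins for /etc/pam.d/system-auth before and after the change.

```shell
#!/bin/sh
# Report the failed-authentication delay a PAM service file asks for.
#
# Every module that wants a delay calls pam_fail_delay(3); libpam keeps the
# longest request and, when pam_authenticate() fails, sleeps roughly that
# long. pam_unix.so requests 2 seconds unless given 'nodelay';
# pam_faildelay.so requests its 'delay=' argument (microseconds).
#
# Added example, not from the original post. Assumptions: only the 'auth'
# stack of the named file is examined and 'include'/'substack' lines are
# not followed.

pam_delay_request() {   # usage: pam_delay_request /etc/pam.d/<service>  -> microseconds
    awk '
        { sub(/#.*/, "") }                      # drop comments
        { sub(/\[[^]]*\]/, "[ctrl]") }          # "[success=1 default=ignore]" -> one field
        NF < 3 { next }
        $1 != "auth" && $1 != "-auth" { next }  # "-auth": silently skip a missing module
        $3 ~ /pam_unix\.so$/ {
            nodelay = 0
            for (i = 4; i <= NF; i++) if ($i == "nodelay") nodelay = 1
            if (!nodelay && max < 2000000) max = 2000000   # pam_unix default FAIL_DELAY
        }
        $3 ~ /pam_faildelay\.so$/ {
            d = -1
            for (i = 4; i <= NF; i++)
                if ($i ~ /^delay=[0-9]+$/) { sub(/^delay=/, "", $i); d = $i + 0 }
            if (d < 0) {
                print FILENAME ": pam_faildelay.so without delay=, would use FAIL_DELAY from /etc/login.defs" | "cat 1>&2"
                next
            }
            if (d > max) max = d
        }
        END { print max + 0 }
    ' "$1"
}

# Constructed sample files standing in for /etc/pam.d/system-auth (not real
# system files); "forgot-nodelay" shows pam_faildelay losing to pam_unix.
demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT
cat > "$demo/before" <<'EOF'
auth   sufficient    pam_unix.so  nullok try_first_pass
EOF
cat > "$demo/after" <<'EOF'
auth   sufficient    pam_unix.so  nullok try_first_pass nodelay
EOF
cat > "$demo/quarter-second" <<'EOF'
auth   optional     pam_faildelay.so delay=250000
auth   sufficient    pam_unix.so  nullok try_first_pass nodelay
EOF
cat > "$demo/forgot-nodelay" <<'EOF'
auth   optional     pam_faildelay.so delay=250000
auth   sufficient    pam_unix.so  nullok try_first_pass
EOF
for f in before after quarter-second forgot-nodelay; do
    printf '%-16s requests %s us\n' "$f" "$(pam_delay_request "$demo/$f")"
done
```

Run it as `sh pam_delay.sh` for the demo, or call `pam_delay_request /etc/pam.d/system-auth` against the real file; a result of 0 means the stack requests no delay at all, 2000000 means the pam_unix.so default is still in effect. It reports the requested value only; the actual pause is randomised around it by libpam.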

I haven't tested an Ubuntu system, but inspection shows that it does things a little bit differently. Based on looking at files, it appears that you want to add 'nodelay' to the pam_unix.so line in /etc/pam.d/common-auth (which both sshd and su pull in) and then either remove the pam_faildelay.so line from /etc/pam.d/login, which only affects console logins, or modify its delay time.

Having no delay on local password authentication is a potential security exposure to local users: it lets a local user automate guessing attacks as fast as a program can run su, passwd, or the like, limited only by how quickly the system can check a password hash. If this concerns you, use pam_faildelay.so to add a small delay; even a tenth of a second caps a single process at ten guesses a second, which drastically slows an attacker. (The delay is per attempt, so someone willing to run many guessing processes in parallel is slowed proportionally less; a lockout module such as pam_faillock.so is the stronger control if you want one.)

PS: my excuse for not doing anything about network authentication delays on my own systems for so long is that I just use SSH keys, so sshd almost never asks me for a password in the first place.

Last modified: Wed Mar 6 00:26:14 2013