== Turning off delays on failed password authentications

Today I got around to something on my office and home workstations that I should have done years ago: I turned off all delays after you mistype a password, both for ssh logins and for local things like _su_. I've been an advocate against network authentication delays [[for quite some time ../sysadmin/NetworkAuthDelays]]. Over time I've come to realize that the same logic more or less applied to local authentication delays too. In theory they're there to slow down mass password guessing attacks, but in practice all they were doing was irritating me. (They generally didn't slow me down because I was well trained that if _su_ wasn't instantly successful, I'd mistyped the password and I should open up another 'su to root' window and do it again.)

As you'd expect (and hope), on Linux this is controlled through PAM. On Fedora 17, it's sufficient to change the 'auth' usage of the ((pam_unix.so)) module to have the '_nodelay_' parameter; this tells it to not ask the whole PAM system for a standard delay if authentication fails. I had to change both _/etc/pam.d/password-auth_ (apparently used by sshd) and _/etc/pam.d/system-auth_ (used by su). A typical line is now:

> auth sufficient pam_unix.so nullok try_first_pass nodelay

(On my Fedora 17 machines both files have big warnings about their contents being autogenerated and that they'll get overwritten by authconfig. Since I can't remember the last time that I ran authconfig, I didn't let this worry me.)

This gives you no delay at all. If you'd still like a little bit of delay you need to add a mention of the ((pam_faildelay.so)) module. I believe that it goes before ((pam_unix.so)) and it should look something like:

> auth optional pam_faildelay.so delay=250000

(This delay is a quarter of a second. See the manpage.)

I haven't tested an Ubuntu system, but inspection shows that it does things a little bit differently. Based on looking at files, it appears that you want to modify _/etc/pam.d/common-auth_ and then either remove the mention of ((pam_faildelay.so)) from _/etc/pam.d/login_ or modify the delay time.

Having no delay on local password authentication is a potential security exposure to local users; it allows a local user to automate guessing attacks as fast as a program can run _su_, _passwd_, or the like. If this concerns you, use ((pam_faildelay.so)) to add a small delay; even a tenth of a second of delay will drastically slow down an attacker.

PS: my excuse for not doing anything about network authentication delays on my own systems for so long is that I just use SSH keys, so sshd almost never asks me for a password in the first place.
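As an added example (not code from the original post), here is a small shell audit that reads a PAM config file and says which failed-auth delay will actually apply: it copes with Ubuntu's bracketed control fields, and its verdict reflects that Linux-PAM honours the longest delay any module requests, so a pam_faildelay.so line only shortens things when pam_unix.so also carries nodelay. The function name and the three sample config files are mine and constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: report how a PAM config
# handles the delay after a failed 'auth' attempt. Verdicts:
#   none              pam_unix.so has 'nodelay' and no pam_faildelay.so line
#   faildelay=<usec>  pam_faildelay.so sets the delay and pam_unix.so will not
#                     request its own longer one
#   unix-default      pam_unix.so's built-in delay applies; a pam_faildelay.so
#                     line does not shorten it, since Linux-PAM uses the
#                     longest delay any module requests
audit_pam_delay() {
    # Drop comments; replace bracketed control fields such as
    # "[success=1 default=ignore]" (Ubuntu's common-auth style) with one
    # token so the module name is always field 3.
    auth=$(sed -e 's/#.*//' -e 's/\[[^]]*\]/control/' "$1" | awk '$1 == "auth"')
    delay=$(printf '%s\n' "$auth" | awk '$3 == "pam_faildelay.so" {
        for (i = 4; i <= NF; i++)
            if (sub(/^delay=/, "", $i)) { print $i; exit } }')
    if printf '%s\n' "$auth" | awk '$3 == "pam_unix.so"' | grep -qw nodelay; then
        if [ -n "$delay" ]; then echo "faildelay=$delay"; else echo none; fi
    else
        echo unix-default
    fi
}

# Constructed sample configs for the demonstration; not copied from a real host.
demo=$(mktemp -d)
cat > "$demo/fedora-nodelay" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass nodelay
auth        required      pam_deny.so
EOF
cat > "$demo/fedora-faildelay" <<'EOF'
auth        optional      pam_faildelay.so delay=250000
auth        sufficient    pam_unix.so nullok try_first_pass nodelay
EOF
cat > "$demo/ubuntu-stock" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
EOF
for f in "$demo"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(audit_pam_delay "$f")"
done
rm -rf "$demo"
```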