Dear folks,
instead of necrobumping this thread I decided to open a new one.
I found that, as a result of an issue on GitHub, a nodelay option for pam_faillock.so was introduced. Hence I changed my /etc/pam.d/system-auth:
#%PAM-1.0
auth required pam_faillock.so preauth nodelay
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth optional pam_faildelay.so delay=0
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok nodelay
-auth [success=1 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail nodelay
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc nodelay
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow sha512
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
Apparently this works for disabling the delay both on login as well as on sudo.
Maybe this post may serve as reference for others trying to get rid of the delay.
Of course I'm open to any discussion regarding the security implications of doing this. Actually my knowledge of PAM is minimal. The SSH port is closed on my machine anyway, so I figured remote access shouldn't be an issue for me...
Best regards.
As of PAM 1.5.1 (2020) this can be simplified (depending on your point of view) by adding `nodelay` to `/etc/security/faillock.conf`.
Then only one extra `nodelay` is needed in system-auth for the pam_unix.so module.
This makes for an easy Ansible regexp for the latter.
- name: Disable 2-second delay on wrong password 2/2
  ansible.builtin.lineinfile:
    path: /etc/pam.d/system-auth
    # Prefix match, so the task is idempotent once nodelay is already present.
    regexp: '^auth \[success=1 default=bad\] pam_unix.so try_first_pass nullok'
    line: 'auth [success=1 default=bad] pam_unix.so try_first_pass nullok nodelay'
Last edited by C0rn3j (2021-12-26 14:57:52)
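The two posts above show two ways of removing the failure delay: `nodelay` on every pam_unix.so/pam_faillock.so line, or `nodelay` once in faillock.conf plus once on pam_unix.so. The script below is an added example (my own code, not from either poster, Arch, or the Linux-PAM project) that parses a system-auth-style stack and a faillock.conf, reports which auth rules can still impose the delay, and shows the lockout thresholds that remain as the brute-force control once the delay is gone. The sample file contents are constructed inline; the defaults for `deny`, `fail_interval` and `unlock_time` are taken from faillock.conf(5).

```python
"""Audit a PAM auth stack and faillock.conf for the wrong-password delay.

Added example, not code from the forum thread. Only pam_unix.so and
pam_faillock.so are treated as delay sources, because those are the two
modules whose `nodelay` option the thread is about.
"""
import re
from dataclasses import dataclass

# A PAM rule: optional leading '-', type, control (keyword or [bracketed]),
# module, then free-form module arguments.
_RULE_RE = re.compile(
    r'^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$'
)

DELAYING_MODULES = {'pam_unix.so', 'pam_faillock.so'}


@dataclass
class PamRule:
    skip_if_missing: bool   # leading '-' as used for pam_systemd_home.so
    type: str               # auth / account / password / session
    control: str            # required, optional, [success=1 default=bad], ...
    module: str             # e.g. pam_faillock.so
    args: list              # e.g. ['preauth', 'nodelay']


def parse_pam_stack(text):
    """Parse the text of a /etc/pam.d/* file into PamRule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable PAM line: {raw!r}')
        dash, typ, control, module, rest = m.groups()
        rules.append(PamRule(dash == '-', typ, control, module, rest.split()))
    return rules


def parse_faillock_conf(text):
    """Parse faillock.conf: 'key = value' lines plus bare flags like nodelay."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if '=' in line:
            key, value = line.split('=', 1)
            conf[key.strip()] = value.strip()
        else:
            conf[line] = True
    return conf


def delaying_auth_rules_without_nodelay(rules, faillock_conf):
    """Return the auth rules that can still add the failure delay."""
    still_delaying = []
    for rule in rules:
        if rule.type != 'auth' or rule.module not in DELAYING_MODULES:
            continue
        if 'nodelay' in rule.args:
            continue
        # pam_faillock reads faillock.conf (PAM >= 1.5.1), so a nodelay there
        # covers every pam_faillock.so line; pam_unix.so needs it inline.
        if rule.module == 'pam_faillock.so' and faillock_conf.get('nodelay'):
            continue
        still_delaying.append(rule)
    return still_delaying


def lockout_policy(faillock_conf):
    """Effective faillock thresholds, using the faillock.conf(5) defaults."""
    return {
        'deny': int(faillock_conf.get('deny', 3)),
        'fail_interval': int(faillock_conf.get('fail_interval', 900)),
        'unlock_time': int(faillock_conf.get('unlock_time', 600)),
    }


# Constructed sample: the faillock.conf approach from the second post.
SYSTEM_AUTH_SAMPLE = """
auth required pam_faillock.so preauth
auth [success=1 default=bad] pam_unix.so try_first_pass nullok nodelay
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
account required pam_unix.so
"""

FAILLOCK_CONF_SAMPLE = """
# constructed sample of /etc/security/faillock.conf
deny = 3
unlock_time = 600
nodelay
"""

if __name__ == '__main__':
    rules = parse_pam_stack(SYSTEM_AUTH_SAMPLE)
    conf = parse_faillock_conf(FAILLOCK_CONF_SAMPLE)
    for rule in delaying_auth_rules_without_nodelay(rules, conf):
        print('still delays:', rule.module, rule.args)
    print('lockout policy left in place:', lockout_policy(conf))
```

Run it against your real files by reading `/etc/pam.d/system-auth` and `/etc/security/faillock.conf` instead of the constructed samples. The useful part of the output is the second line: with `nodelay` set, the per-attempt delay no longer slows an attacker down, so `deny` and `unlock_time` are what bounds password guessing on local logins and sudo.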
Adding the nodelay is a step forward, but it seems the ultimate embodiment would be to only nodelay on the first password attempt.
This way one wrong fat-finger doesn't invoke the delay, but multiple incorrect passwords do.
This was the behaviour long ago, does anyone know how to configure this behaviour now?
Didn't have luck trying to search for this. This thread seemed the most recent and on topic.
Hope someone can shine some light...
Thanks!
You could go for nodelay and rely on https://man.archlinux.org/man/faillock.conf.5.en