Password fail delay is too long

Password fail delay is too long - Linux Mint 17

The delay after a failed password is very long.

In /etc/pam.d/login, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000 however, actual delay is about 12s.

This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.

Even canceling a su/sudo password prompt in terminal with ^C or ^D takes a long time.

How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?

EDIT:

grep '^auth' /etc/pam.d/*





/etc/pam.d/chfn:auth        sufficient  pam_rootok.so

/etc/pam.d/chsh:auth       required   pam_shells.so

/etc/pam.d/chsh:auth        sufficient  pam_rootok.so

/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so

/etc/pam.d/common-auth:auth [success=2 default=ignore]  pam_unix.so nullok_secure

/etc/pam.d/common-auth:auth [success=1 default=ignore]  pam_ldap.so use_first_pass

/etc/pam.d/common-auth:auth requisite           pam_deny.so

/etc/pam.d/common-auth:auth required            pam_permit.so

/etc/pam.d/common-auth:auth optional    pam_ecryptfs.so unwrap

/etc/pam.d/common-auth:auth optional            pam_cap.so 

/etc/pam.d/login:auth       optional   pam_faildelay.so  delay=3000000

/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

/etc/pam.d/login:auth       requisite  pam_nologin.so

/etc/pam.d/login:auth       optional   pam_group.so

/etc/pam.d/mdm:auth    requisite       pam_nologin.so

/etc/pam.d/mdm:auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin

/etc/pam.d/mdm:auth    optional        pam_gnome_keyring.so

/etc/pam.d/mdm-autologin:auth    requisite       pam_nologin.so

/etc/pam.d/mdm-autologin:auth    required        pam_permit.so

/etc/pam.d/ppp:auth required    pam_nologin.so

/etc/pam.d/proftpd:auth       required  pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

/etc/pam.d/su:auth       sufficient pam_rootok.so

/etc/pam.d/sudo:auth       required   pam_env.so readenv=1 user_readenv=0

/etc/pam.d/sudo:auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

EDIT:
Commenting out pam_faildelay.so has no effect.

EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.

edited 18 mins ago

Rui F Ribeiro

40.1k1479135

asked Dec 29 '14 at 6:48

user80551

5442718

1

What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

– Gilles
Dec 30 '14 at 10:02

@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

– user80551
Dec 30 '14 at 12:17

add a comment |

The delay after a failed password is very long.

In /etc/pam.d/login, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000 however, actual delay is about 12s.

This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.

Even canceling a su/sudo password prompt in terminal with ^C or ^D takes a long time.

How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?

EDIT:

grep '^auth' /etc/pam.d/*





/etc/pam.d/chfn:auth        sufficient  pam_rootok.so

/etc/pam.d/chsh:auth       required   pam_shells.so

/etc/pam.d/chsh:auth        sufficient  pam_rootok.so

/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so

/etc/pam.d/common-auth:auth [success=2 default=ignore]  pam_unix.so nullok_secure

/etc/pam.d/common-auth:auth [success=1 default=ignore]  pam_ldap.so use_first_pass

/etc/pam.d/common-auth:auth requisite           pam_deny.so

/etc/pam.d/common-auth:auth required            pam_permit.so

/etc/pam.d/common-auth:auth optional    pam_ecryptfs.so unwrap

/etc/pam.d/common-auth:auth optional            pam_cap.so 

/etc/pam.d/login:auth       optional   pam_faildelay.so  delay=3000000

/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

/etc/pam.d/login:auth       requisite  pam_nologin.so

/etc/pam.d/login:auth       optional   pam_group.so

/etc/pam.d/mdm:auth    requisite       pam_nologin.so

/etc/pam.d/mdm:auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin

/etc/pam.d/mdm:auth    optional        pam_gnome_keyring.so

/etc/pam.d/mdm-autologin:auth    requisite       pam_nologin.so

/etc/pam.d/mdm-autologin:auth    required        pam_permit.so

/etc/pam.d/ppp:auth required    pam_nologin.so

/etc/pam.d/proftpd:auth       required  pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

/etc/pam.d/su:auth       sufficient pam_rootok.so

/etc/pam.d/sudo:auth       required   pam_env.so readenv=1 user_readenv=0

/etc/pam.d/sudo:auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

EDIT:
Commenting out pam_faildelay.so has no effect.

EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.

edited 18 mins ago

Rui F Ribeiro

40.1k1479135

asked Dec 29 '14 at 6:48

user80551

5442718

1

What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

– Gilles
Dec 30 '14 at 10:02

@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

– user80551
Dec 30 '14 at 12:17

add a comment |

The delay after a failed password is very long.

In /etc/pam.d/login, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000 however, actual delay is about 12s.

This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.

Even canceling a su/sudo password prompt in terminal with ^C or ^D takes a long time.

How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?

EDIT:

grep '^auth' /etc/pam.d/*





/etc/pam.d/chfn:auth        sufficient  pam_rootok.so

/etc/pam.d/chsh:auth       required   pam_shells.so

/etc/pam.d/chsh:auth        sufficient  pam_rootok.so

/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so

/etc/pam.d/common-auth:auth [success=2 default=ignore]  pam_unix.so nullok_secure

/etc/pam.d/common-auth:auth [success=1 default=ignore]  pam_ldap.so use_first_pass

/etc/pam.d/common-auth:auth requisite           pam_deny.so

/etc/pam.d/common-auth:auth required            pam_permit.so

/etc/pam.d/common-auth:auth optional    pam_ecryptfs.so unwrap

/etc/pam.d/common-auth:auth optional            pam_cap.so 

/etc/pam.d/login:auth       optional   pam_faildelay.so  delay=3000000

/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

/etc/pam.d/login:auth       requisite  pam_nologin.so

/etc/pam.d/login:auth       optional   pam_group.so

/etc/pam.d/mdm:auth    requisite       pam_nologin.so

/etc/pam.d/mdm:auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin

/etc/pam.d/mdm:auth    optional        pam_gnome_keyring.so

/etc/pam.d/mdm-autologin:auth    requisite       pam_nologin.so

/etc/pam.d/mdm-autologin:auth    required        pam_permit.so

/etc/pam.d/ppp:auth required    pam_nologin.so

/etc/pam.d/proftpd:auth       required  pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

/etc/pam.d/su:auth       sufficient pam_rootok.so

/etc/pam.d/sudo:auth       required   pam_env.so readenv=1 user_readenv=0

/etc/pam.d/sudo:auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

EDIT:
Commenting out pam_faildelay.so has no effect.

EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.

edited 18 mins ago

Rui F Ribeiro

40.1k1479135

asked Dec 29 '14 at 6:48

user80551

5442718

The delay after a failed password is very long.

In /etc/pam.d/login, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000 however, actual delay is about 12s.

This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.

Even canceling a su/sudo password prompt in terminal with ^C or ^D takes a long time.

How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?

EDIT:

grep '^auth' /etc/pam.d/*





/etc/pam.d/chfn:auth        sufficient  pam_rootok.so

/etc/pam.d/chsh:auth       required   pam_shells.so

/etc/pam.d/chsh:auth        sufficient  pam_rootok.so

/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so

/etc/pam.d/common-auth:auth [success=2 default=ignore]  pam_unix.so nullok_secure

/etc/pam.d/common-auth:auth [success=1 default=ignore]  pam_ldap.so use_first_pass

/etc/pam.d/common-auth:auth requisite           pam_deny.so

/etc/pam.d/common-auth:auth required            pam_permit.so

/etc/pam.d/common-auth:auth optional    pam_ecryptfs.so unwrap

/etc/pam.d/common-auth:auth optional            pam_cap.so 

/etc/pam.d/login:auth       optional   pam_faildelay.so  delay=3000000

/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

/etc/pam.d/login:auth       requisite  pam_nologin.so

/etc/pam.d/login:auth       optional   pam_group.so

/etc/pam.d/mdm:auth    requisite       pam_nologin.so

/etc/pam.d/mdm:auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin

/etc/pam.d/mdm:auth    optional        pam_gnome_keyring.so

/etc/pam.d/mdm-autologin:auth    requisite       pam_nologin.so

/etc/pam.d/mdm-autologin:auth    required        pam_permit.so

/etc/pam.d/ppp:auth required    pam_nologin.so

/etc/pam.d/proftpd:auth       required  pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

/etc/pam.d/su:auth       sufficient pam_rootok.so

/etc/pam.d/sudo:auth       required   pam_env.so readenv=1 user_readenv=0

/etc/pam.d/sudo:auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

EDIT:
Commenting out pam_faildelay.so has no effect.

EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.

linux-mint login password pam delay

edited 18 mins ago

Rui F Ribeiro

40.1k1479135

asked Dec 29 '14 at 6:48

user80551

5442718

edited 18 mins ago

Rui F Ribeiro

40.1k1479135

asked Dec 29 '14 at 6:48

user80551

5442718

edited 18 mins ago

Rui F Ribeiro

40.1k1479135

edited 18 mins ago

Rui F Ribeiro

40.1k1479135

edited 18 mins ago

Rui F Ribeiro

40.1k1479135

asked Dec 29 '14 at 6:48

user80551

5442718

asked Dec 29 '14 at 6:48

user80551

5442718

asked Dec 29 '14 at 6:48

user80551

5442718

1

What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

– Gilles
Dec 30 '14 at 10:02

@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

– user80551
Dec 30 '14 at 12:17

add a comment |

1

What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

– Gilles
Dec 30 '14 at 10:02

@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

– user80551
Dec 30 '14 at 12:17

What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

– Gilles
Dec 30 '14 at 10:02

@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

– user80551
Dec 30 '14 at 12:17

add a comment |

1 Answer
1

active

oldest

votes

@Giles

The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.

Yep, commenting it out solved the problem.

answered Dec 30 '14 at 12:16

user80551

5442718

add a comment |

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f176375%2fpassword-fail-delay-is-too-long-linux-mint-17%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

@Giles

The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.

Yep, commenting it out solved the problem.

answered Dec 30 '14 at 12:16

user80551

5442718

add a comment |

@Giles

The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.

Yep, commenting it out solved the problem.

answered Dec 30 '14 at 12:16

user80551

5442718

add a comment |

@Giles

The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.

Yep, commenting it out solved the problem.

answered Dec 30 '14 at 12:16

user80551

5442718

@Giles

The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.

Yep, commenting it out solved the problem.

answered Dec 30 '14 at 12:16

user80551

5442718

answered Dec 30 '14 at 12:16

user80551

5442718

answered Dec 30 '14 at 12:16

user80551

5442718

answered Dec 30 '14 at 12:16

user80551

5442718

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Unix & Linux Stack Exchange!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Yrurtj