After entering an incorrect password at a login prompt, there's an approximately 3-second delay. How can I change that on a Linux system with PAM?
Answers:
Method 1
I assume you are using Linux and PAM. The delay is probably caused by pam_faildelay.so. Check your PAM configuration in /etc/pam.d using pam_faildelay, e.g.:
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
To change the time adjust the delay parameter. If you want to get rid of the delay you can delete/comment the complete line.
Another source for the delay may be pam_unix.so. To disable the delay caused by pam_unix.so add the nodelay parameter, and optionally add a line calling pam_faildelay.so to add a (variable) delay instead, e.g.:
auth optional pam_faildelay.so delay=100000
Method 2
You need to pass the nodelay parameter to the auth pam_unix.so.
Depending on how you're authenticating, where you need to set the parameter varies. However, most Linux distributions have something like /etc/pam.d/system-auth which is included by all the different files.
So for example in /etc/pam.d/system-auth you might have a line that looks like this:
auth sufficient pam_unix.so try_first_pass nullok
This should be changed to:
auth sufficient pam_unix.so try_first_pass nullok nodelay
The pam_unix.so module is what performs authentication against /etc/passwd and /etc/shadow. If you're using LDAP or some other password backend, you likely should still be setting nodelay on the pam_unix.so as that is what controls the prompt (when pam_unix.so fails to auth, it usually just passes the password it obtained to the next module).
You can read more about pam_unix.so by doing man pam_unix
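To check what a given PAM file ends up requesting after edits like the ones in both methods, the following added example (not part of either answer) parses auth lines and reports the delay asked for by pam_unix.so and pam_faildelay.so. The function name, the sample configuration, the 2-second nominal value for pam_unix and the review threshold are assumptions made for the example.

```python
import re
import sys

# Assumption: without nodelay, pam_unix requests a failure delay "of the order
# of two seconds" (pam_unix(8)); 2_000_000 us is used here as the nominal value.
PAM_UNIX_DEFAULT_US = 2_000_000
# type, control (plain word or [bracketed list]), module path, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample in /etc/pam.d syntax, not taken from a real system.
SAMPLE = """\
# constructed sample
auth  optional  pam_faildelay.so delay=100000
auth  [success=1 default=ignore]  pam_unix.so try_first_pass nullok nodelay
auth  requisite  pam_deny.so
account  required  pam_unix.so
"""

def audit_fail_delay(text):
    """Return ([(lineno, module, requested_us or None)], nominal_us)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth":
            continue  # the options discussed here apply to auth lines
        module = m.group(3).rsplit("/", 1)[-1]
        args = m.group(4).split()
        if module == "pam_unix.so":
            us = 0 if "nodelay" in args else PAM_UNIX_DEFAULT_US
        elif module == "pam_faildelay.so":
            # No delay= means FAIL_DELAY from login.defs, unknown here (None).
            us = next((int(a[6:]) for a in args
                       if a.startswith("delay=") and a[6:].isdigit()), None)
        else:
            continue
        findings.append((lineno, module, us))
    # PAM applies the longest delay any module requested (pam_fail_delay(3)).
    nominal = max((us for _, _, us in findings if us is not None), default=0)
    return findings, nominal

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    findings, nominal = audit_fail_delay(text)
    for lineno, module, us in findings:
        print(f"line {lineno}: {module} requests {us} us")
    print(f"nominal failure delay: {nominal} us")
    if nominal < 1_000_000:  # hypothetical review threshold, tune to policy
        print("note: short delay; confirm lockout or rate limiting exists")
```

Run it with a path such as /etc/pam.d/system-auth as the first argument; files pulled in through include lines are not followed and need to be checked separately.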
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.