Password fail delay is too long - Linux Mint 17












0















The delay after a failed password is very long.



In /etc/pam.d/login, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000 however, actual delay is about 12s.



This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.



Even canceling a su/sudo password prompt in terminal with ^C or ^D takes a long time.



How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?



EDIT:



grep '^auth' /etc/pam.d/*


/etc/pam.d/chfn:auth sufficient pam_rootok.so
/etc/pam.d/chsh:auth required pam_shells.so
/etc/pam.d/chsh:auth sufficient pam_rootok.so
/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth requisite pam_deny.so
/etc/pam.d/common-auth:auth required pam_permit.so
/etc/pam.d/common-auth:auth optional pam_ecryptfs.so unwrap
/etc/pam.d/common-auth:auth optional pam_cap.so
/etc/pam.d/login:auth optional pam_faildelay.so delay=3000000
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
/etc/pam.d/login:auth requisite pam_nologin.so
/etc/pam.d/login:auth optional pam_group.so
/etc/pam.d/mdm:auth requisite pam_nologin.so
/etc/pam.d/mdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/mdm:auth optional pam_gnome_keyring.so
/etc/pam.d/mdm-autologin:auth requisite pam_nologin.so
/etc/pam.d/mdm-autologin:auth required pam_permit.so
/etc/pam.d/ppp:auth required pam_nologin.so
/etc/pam.d/proftpd:auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
/etc/pam.d/su:auth sufficient pam_rootok.so
/etc/pam.d/sudo:auth required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/sudo:auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0


EDIT:
Commenting out pam_faildelay.so has no effect.



EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.










share|improve this question




















  • 1





    What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

    – Gilles
    Dec 30 '14 at 10:02













  • @Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

    – user80551
    Dec 30 '14 at 12:17
















0















The delay after a failed password is very long.



In /etc/pam.d/login, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000 however, actual delay is about 12s.



This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.



Even canceling a su/sudo password prompt in terminal with ^C or ^D takes a long time.



How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?



EDIT:



grep '^auth' /etc/pam.d/*


/etc/pam.d/chfn:auth sufficient pam_rootok.so
/etc/pam.d/chsh:auth required pam_shells.so
/etc/pam.d/chsh:auth sufficient pam_rootok.so
/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth requisite pam_deny.so
/etc/pam.d/common-auth:auth required pam_permit.so
/etc/pam.d/common-auth:auth optional pam_ecryptfs.so unwrap
/etc/pam.d/common-auth:auth optional pam_cap.so
/etc/pam.d/login:auth optional pam_faildelay.so delay=3000000
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
/etc/pam.d/login:auth requisite pam_nologin.so
/etc/pam.d/login:auth optional pam_group.so
/etc/pam.d/mdm:auth requisite pam_nologin.so
/etc/pam.d/mdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/mdm:auth optional pam_gnome_keyring.so
/etc/pam.d/mdm-autologin:auth requisite pam_nologin.so
/etc/pam.d/mdm-autologin:auth required pam_permit.so
/etc/pam.d/ppp:auth required pam_nologin.so
/etc/pam.d/proftpd:auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
/etc/pam.d/su:auth sufficient pam_rootok.so
/etc/pam.d/sudo:auth required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/sudo:auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0


EDIT:
Commenting out pam_faildelay.so has no effect.



EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.










share|improve this question




















  • 1





    What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

    – Gilles
    Dec 30 '14 at 10:02













  • @Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

    – user80551
    Dec 30 '14 at 12:17














0












0








0








The delay after a failed password is very long.



In /etc/pam.d/login, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000 however, actual delay is about 12s.



This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.



Even canceling a su/sudo password prompt in terminal with ^C or ^D takes a long time.



How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?



EDIT:



grep '^auth' /etc/pam.d/*


/etc/pam.d/chfn:auth sufficient pam_rootok.so
/etc/pam.d/chsh:auth required pam_shells.so
/etc/pam.d/chsh:auth sufficient pam_rootok.so
/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth requisite pam_deny.so
/etc/pam.d/common-auth:auth required pam_permit.so
/etc/pam.d/common-auth:auth optional pam_ecryptfs.so unwrap
/etc/pam.d/common-auth:auth optional pam_cap.so
/etc/pam.d/login:auth optional pam_faildelay.so delay=3000000
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
/etc/pam.d/login:auth requisite pam_nologin.so
/etc/pam.d/login:auth optional pam_group.so
/etc/pam.d/mdm:auth requisite pam_nologin.so
/etc/pam.d/mdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/mdm:auth optional pam_gnome_keyring.so
/etc/pam.d/mdm-autologin:auth requisite pam_nologin.so
/etc/pam.d/mdm-autologin:auth required pam_permit.so
/etc/pam.d/ppp:auth required pam_nologin.so
/etc/pam.d/proftpd:auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
/etc/pam.d/su:auth sufficient pam_rootok.so
/etc/pam.d/sudo:auth required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/sudo:auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0


EDIT:
Commenting out pam_faildelay.so has no effect.



EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.










share|improve this question
















The delay after a failed password is very long.



In /etc/pam.d/login, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000 however, actual delay is about 12s.



This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.



Even canceling a su/sudo password prompt in terminal with ^C or ^D takes a long time.



How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?



EDIT:



grep '^auth' /etc/pam.d/*


/etc/pam.d/chfn:auth sufficient pam_rootok.so
/etc/pam.d/chsh:auth required pam_shells.so
/etc/pam.d/chsh:auth sufficient pam_rootok.so
/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth requisite pam_deny.so
/etc/pam.d/common-auth:auth required pam_permit.so
/etc/pam.d/common-auth:auth optional pam_ecryptfs.so unwrap
/etc/pam.d/common-auth:auth optional pam_cap.so
/etc/pam.d/login:auth optional pam_faildelay.so delay=3000000
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
/etc/pam.d/login:auth requisite pam_nologin.so
/etc/pam.d/login:auth optional pam_group.so
/etc/pam.d/mdm:auth requisite pam_nologin.so
/etc/pam.d/mdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/mdm:auth optional pam_gnome_keyring.so
/etc/pam.d/mdm-autologin:auth requisite pam_nologin.so
/etc/pam.d/mdm-autologin:auth required pam_permit.so
/etc/pam.d/ppp:auth required pam_nologin.so
/etc/pam.d/proftpd:auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
/etc/pam.d/su:auth sufficient pam_rootok.so
/etc/pam.d/sudo:auth required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/sudo:auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0


EDIT:
Commenting out pam_faildelay.so has no effect.



EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.







linux-mint login password pam delay






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 15 at 5:20









Rui F Ribeiro

40.7k1479137




40.7k1479137










asked Dec 29 '14 at 6:48









user80551user80551

5592818




5592818








  • 1





    What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

    – Gilles
    Dec 30 '14 at 10:02













  • @Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

    – user80551
    Dec 30 '14 at 12:17














  • 1





    What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

    – Gilles
    Dec 30 '14 at 10:02













  • @Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

    – user80551
    Dec 30 '14 at 12:17








1




1





What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

– Gilles
Dec 30 '14 at 10:02







What log messages are generated on a failed login? The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace where 1234 is the PID of su, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).

– Gilles
Dec 30 '14 at 10:02















@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

– user80551
Dec 30 '14 at 12:17





@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks

– user80551
Dec 30 '14 at 12:17










1 Answer
1






active

oldest

votes


















0














@Giles




The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.




Yep, commenting it out solved the problem.






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f176375%2fpassword-fail-delay-is-too-long-linux-mint-17%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    @Giles




    The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.




    Yep, commenting it out solved the problem.






    share|improve this answer




























      0














      @Giles




      The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.




      Yep, commenting it out solved the problem.






      share|improve this answer


























        0












        0








        0







        @Giles




        The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.




        Yep, commenting it out solved the problem.






        share|improve this answer













        @Giles




        The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.




        Yep, commenting it out solved the problem.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 30 '14 at 12:16









        user80551user80551

        5592818




        5592818






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f176375%2fpassword-fail-delay-is-too-long-linux-mint-17%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀