Password fail delay is too long - Linux Mint 17
The delay after a failed password is very long.
In /etc/pam.d/login
, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000
however, actual delay is about 12s.
This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.
Even canceling a su/sudo password prompt in terminal with ^C
or ^D
takes a long time.
How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?
EDIT:
grep '^auth' /etc/pam.d/*
/etc/pam.d/chfn:auth sufficient pam_rootok.so
/etc/pam.d/chsh:auth required pam_shells.so
/etc/pam.d/chsh:auth sufficient pam_rootok.so
/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth requisite pam_deny.so
/etc/pam.d/common-auth:auth required pam_permit.so
/etc/pam.d/common-auth:auth optional pam_ecryptfs.so unwrap
/etc/pam.d/common-auth:auth optional pam_cap.so
/etc/pam.d/login:auth optional pam_faildelay.so delay=3000000
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
/etc/pam.d/login:auth requisite pam_nologin.so
/etc/pam.d/login:auth optional pam_group.so
/etc/pam.d/mdm:auth requisite pam_nologin.so
/etc/pam.d/mdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/mdm:auth optional pam_gnome_keyring.so
/etc/pam.d/mdm-autologin:auth requisite pam_nologin.so
/etc/pam.d/mdm-autologin:auth required pam_permit.so
/etc/pam.d/ppp:auth required pam_nologin.so
/etc/pam.d/proftpd:auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
/etc/pam.d/su:auth sufficient pam_rootok.so
/etc/pam.d/sudo:auth required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/sudo:auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
EDIT:
Commenting out pam_faildelay.so has no effect.
EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.
linux-mint login password pam delay
add a comment |
The delay after a failed password is very long.
In /etc/pam.d/login
, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000
however, actual delay is about 12s.
This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.
Even canceling a su/sudo password prompt in terminal with ^C
or ^D
takes a long time.
How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?
EDIT:
grep '^auth' /etc/pam.d/*
/etc/pam.d/chfn:auth sufficient pam_rootok.so
/etc/pam.d/chsh:auth required pam_shells.so
/etc/pam.d/chsh:auth sufficient pam_rootok.so
/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth requisite pam_deny.so
/etc/pam.d/common-auth:auth required pam_permit.so
/etc/pam.d/common-auth:auth optional pam_ecryptfs.so unwrap
/etc/pam.d/common-auth:auth optional pam_cap.so
/etc/pam.d/login:auth optional pam_faildelay.so delay=3000000
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
/etc/pam.d/login:auth requisite pam_nologin.so
/etc/pam.d/login:auth optional pam_group.so
/etc/pam.d/mdm:auth requisite pam_nologin.so
/etc/pam.d/mdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/mdm:auth optional pam_gnome_keyring.so
/etc/pam.d/mdm-autologin:auth requisite pam_nologin.so
/etc/pam.d/mdm-autologin:auth required pam_permit.so
/etc/pam.d/ppp:auth required pam_nologin.so
/etc/pam.d/proftpd:auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
/etc/pam.d/su:auth sufficient pam_rootok.so
/etc/pam.d/sudo:auth required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/sudo:auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
EDIT:
Commenting out pam_faildelay.so has no effect.
EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.
linux-mint login password pam delay
1
What log messages are generated on a failed login? The only potential culprit I see in your configuration ispam_ldap
, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Runsu
as a non-root user, then switch to a root terminal and runltrace -T -p 1234 -o su.ltrace
where 1234 is the PID ofsu
, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).
– Gilles
Dec 30 '14 at 10:02
@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks
– user80551
Dec 30 '14 at 12:17
add a comment |
The delay after a failed password is very long.
In /etc/pam.d/login
, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000
however, actual delay is about 12s.
This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.
Even canceling a su/sudo password prompt in terminal with ^C
or ^D
takes a long time.
How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?
EDIT:
grep '^auth' /etc/pam.d/*
/etc/pam.d/chfn:auth sufficient pam_rootok.so
/etc/pam.d/chsh:auth required pam_shells.so
/etc/pam.d/chsh:auth sufficient pam_rootok.so
/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth requisite pam_deny.so
/etc/pam.d/common-auth:auth required pam_permit.so
/etc/pam.d/common-auth:auth optional pam_ecryptfs.so unwrap
/etc/pam.d/common-auth:auth optional pam_cap.so
/etc/pam.d/login:auth optional pam_faildelay.so delay=3000000
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
/etc/pam.d/login:auth requisite pam_nologin.so
/etc/pam.d/login:auth optional pam_group.so
/etc/pam.d/mdm:auth requisite pam_nologin.so
/etc/pam.d/mdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/mdm:auth optional pam_gnome_keyring.so
/etc/pam.d/mdm-autologin:auth requisite pam_nologin.so
/etc/pam.d/mdm-autologin:auth required pam_permit.so
/etc/pam.d/ppp:auth required pam_nologin.so
/etc/pam.d/proftpd:auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
/etc/pam.d/su:auth sufficient pam_rootok.so
/etc/pam.d/sudo:auth required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/sudo:auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
EDIT:
Commenting out pam_faildelay.so has no effect.
EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.
linux-mint login password pam delay
The delay after a failed password is very long.
In /etc/pam.d/login
, FAIL_DELAY is configured as auth optional pam_faildelay.so delay=3000000
however, actual delay is about 12s.
This affects all places where a password is required - terminal/mdm login, su/sudo in terminal, cinnamon-screensaver (lockscreen), pkexec - everywhere.
Even canceling a su/sudo password prompt in terminal with ^C
or ^D
takes a long time.
How can I reduce this failed-password delay time to the actual 3s configured in /etc/pam.d/login ?
EDIT:
grep '^auth' /etc/pam.d/*
/etc/pam.d/chfn:auth sufficient pam_rootok.so
/etc/pam.d/chsh:auth required pam_shells.so
/etc/pam.d/chsh:auth sufficient pam_rootok.so
/etc/pam.d/cinnamon-screensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth requisite pam_deny.so
/etc/pam.d/common-auth:auth required pam_permit.so
/etc/pam.d/common-auth:auth optional pam_ecryptfs.so unwrap
/etc/pam.d/common-auth:auth optional pam_cap.so
/etc/pam.d/login:auth optional pam_faildelay.so delay=3000000
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
/etc/pam.d/login:auth requisite pam_nologin.so
/etc/pam.d/login:auth optional pam_group.so
/etc/pam.d/mdm:auth requisite pam_nologin.so
/etc/pam.d/mdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/mdm:auth optional pam_gnome_keyring.so
/etc/pam.d/mdm-autologin:auth requisite pam_nologin.so
/etc/pam.d/mdm-autologin:auth required pam_permit.so
/etc/pam.d/ppp:auth required pam_nologin.so
/etc/pam.d/proftpd:auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
/etc/pam.d/su:auth sufficient pam_rootok.so
/etc/pam.d/sudo:auth required pam_env.so readenv=1 user_readenv=0
/etc/pam.d/sudo:auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
EDIT:
Commenting out pam_faildelay.so has no effect.
EDIT:
Changing it to 0 has no effect.
Changing it to 10000000 has no effect.
linux-mint login password pam delay
linux-mint login password pam delay
edited Feb 15 at 5:20
Rui F Ribeiro
40.7k1479137
40.7k1479137
asked Dec 29 '14 at 6:48
user80551user80551
5592818
5592818
1
What log messages are generated on a failed login? The only potential culprit I see in your configuration ispam_ldap
, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Runsu
as a non-root user, then switch to a root terminal and runltrace -T -p 1234 -o su.ltrace
where 1234 is the PID ofsu
, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).
– Gilles
Dec 30 '14 at 10:02
@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks
– user80551
Dec 30 '14 at 12:17
add a comment |
1
What log messages are generated on a failed login? The only potential culprit I see in your configuration ispam_ldap
, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Runsu
as a non-root user, then switch to a root terminal and runltrace -T -p 1234 -o su.ltrace
where 1234 is the PID ofsu
, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).
– Gilles
Dec 30 '14 at 10:02
@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks
– user80551
Dec 30 '14 at 12:17
1
1
What log messages are generated on a failed login? The only potential culprit I see in your configuration is
pam_ldap
, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su
as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace
where 1234 is the PID of su
, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).– Gilles
Dec 30 '14 at 10:02
What log messages are generated on a failed login? The only potential culprit I see in your configuration is
pam_ldap
, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Run su
as a non-root user, then switch to a root terminal and run ltrace -T -p 1234 -o su.ltrace
where 1234 is the PID of su
, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).– Gilles
Dec 30 '14 at 10:02
@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks
– user80551
Dec 30 '14 at 12:17
@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks
– user80551
Dec 30 '14 at 12:17
add a comment |
1 Answer
1
active
oldest
votes
@Giles
The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.
Yep, commenting it out solved the problem.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f176375%2fpassword-fail-delay-is-too-long-linux-mint-17%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
@Giles
The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.
Yep, commenting it out solved the problem.
add a comment |
@Giles
The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.
Yep, commenting it out solved the problem.
add a comment |
@Giles
The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.
Yep, commenting it out solved the problem.
@Giles
The only potential culprit I see in your configuration is pam_ldap, if LDAP is misconfigured somehow.
Yep, commenting it out solved the problem.
answered Dec 30 '14 at 12:16
user80551user80551
5592818
5592818
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f176375%2fpassword-fail-delay-is-too-long-linux-mint-17%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
What log messages are generated on a failed login? The only potential culprit I see in your configuration is
pam_ldap
, if LDAP is misconfigured somehow. Try commenting it out. If that's not it, we need to investigate deeper. Runsu
as a non-root user, then switch to a root terminal and runltrace -T -p 1234 -o su.ltrace
where 1234 is the PID ofsu
, then type a wrong password and press Enter. Post the resulting trace (it might contain your host name and your root password hash, you can replace those by placeholders).– Gilles
Dec 30 '14 at 10:02
@Gilles Yep, the problem was ldap. commenting it out solved the problem. Thanks
– user80551
Dec 30 '14 at 12:17