Q: password attempt delay between openssh login attempts ( Answered 5 out of 5 stars,   2 Comments )
Question  
Subject: password attempt delay between openssh login attempts
Category: Computers > Security
Asked by: tedder-ga
List Price: $6.00
Posted: 18 Aug 2005 11:53 PDT
Expires: 17 Sep 2005 11:53 PDT
Question ID: 557342
I'm using openssh and I'd like to have a delay between attempts if an
invalid password is opened. In other words, maybe 3 seconds between
each password attempt. I can't find if there is an easy way to do
this.

Request for Question Clarification by denco-ga on 18 Aug 2005 12:34 PDT
Howdy tedder-ga,

Could you please try the following and see if it works for you?


In auth-pam.c: sshpam_thread insert

    pam_fail_delay(sshpam_handle, 3000000 /* micro-seconds */ );

before

    sshpam_err = pam_authenticate(sshpam_handle, flags);


Please report back here how this works out for you, and if it works
for you, I can then post it as an answer to your question.  Thanks!

Looking Forward, denco-ga - Google Answers Researcher

Request for Question Clarification by denco-ga on 18 Aug 2005 13:04 PDT
Also, are you familiar with the "PAM_FAIL_DELAY" function?

The public interface to Linux-PAM
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html

Test harness for Pluggable Authentication Modules (PAM)
http://www.zipworld.com.au/~dtucker/patches/

Looking Forward, denco-ga - Google Answers Researcher

Clarification of Question by tedder-ga on 18 Aug 2005 13:46 PDT
(clarifying for denco-ga)

So you are saying I should place the pam_fail_delay here:

        buffer_init(&buffer);
        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
            (const void *)&sshpam_conv);
        if (sshpam_err != PAM_SUCCESS)
                goto auth_fail;
        pam_fail_delay(sshpam_handle, 3000000 /* micro-seconds */ );
        sshpam_err = pam_authenticate(sshpam_handle, flags);
        if (sshpam_err != PAM_SUCCESS)
                goto auth_fail;


Looking that up helped me find the answer, and the compiled default is
3 seconds. Go figure.

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3514511

This seems to be enabled. The issue now is being able to set the
delay. It seems like it should be possible without patching and
compiling openssh, i.e., just configuring it in PAM.

For instance, can it be done with pam_tally?
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.24

Request for Question Clarification by denco-ga on 18 Aug 2005 15:43 PDT
Howdy tedder-ga,

It doesn't appear that pam_tally will do what you need.  Rather, it handles
the "three strikes you are out" of the failed logon process, and how much
time must pass before a logon attempt can be made after logon is disallowed.

Good find on the Enterprise Networking Planet article.

The second link that I gave you appears to have the most promise.

Test harness for Pluggable Authentication Modules (PAM)
http://www.zipworld.com.au/~dtucker/patches/

"pam-test-harness.c: a heavily-instrumented PAM test application, intended
to help debug PAM/sshd problems and study the behaviour of PAM on various
platforms. It also seems to be useful for testing and debugging while
developing PAM modules.

You can control most aspects of the authentication, including not setting
the various options (the PAM service name, PAM_TTY, PAM_RHOST, PAM_USER) and
skipping the pam_authenticate call (this is common in sshd for non-password
authentications, but can confuse some modules).

...

pam_faildelay module for LinuxPAM

pam_faildelay.c: Allow an admin to change the setting of LinuxPAM's
pam_fail_delay from the PAM configuration file, possibly on a per-application
basis."

But, if the article you found is accurate, I don't know if the "Test Harness"
approach, or for that matter, anything short of a patch/compile, is going to
do what you seek.
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3514511

"Ignore the FAIL_DELAY directive in /etc/login.defs because it has no effect.
pam_unix.so is hard-coded to a 3-second delay."

From my reading, there are others that are either stymied or frustrated with
what appears to be the lack of either a properly implemented or a platform
wide implementation of pam_fail_delay.

You placed pam_fail_delay in the correct place.  You might try increasing
the delay to 10000000 and see what that does, but I don't think it will make
a difference.

Looking Forward, denco-ga - Google Answers Researcher

Clarification of Question by tedder-ga on 22 Aug 2005 14:19 PDT
denco, your solution seems to be the most optimal. Thanks for your
assistance on this.

Request for Question Clarification by denco-ga on 22 Aug 2005 14:48 PDT
Howdy tedder-ga,

Did you want me to post my comments as an answer?  Thanks!

Looking Forward, denco-ga - Google Answers Researcher

Clarification of Question by tedder-ga on 22 Aug 2005 15:46 PDT
yep, post as an answer.

Thanks.
Answer  
Subject: Re: password attempt delay between openssh login attempts
Answered By: denco-ga on 22 Aug 2005 16:23 PDT
Rated: 5 out of 5 stars
 
Thanks for accepting the following as an answer to your
question, tedder-ga.

There are a few things that can be tried to increase the
delay between logons if an invalid password is used.  The
following involve the "pam_fail_delay" directive.

More on pam_fail_delay can be found on the Linux Kernel
Archives.
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html

A posting by Björn Voigt from a mailing list archive suggests
the following fix.
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=110728735306428&w=2

"I played a bit with OpenSSH's source code to enable a FAIL_DELAY:

In auth-pam.c: sshpam_thread I inserted

    pam_fail_delay(sshpam_handle, 10000000 /* micro-seconds */ );

before

    sshpam_err = pam_authenticate(sshpam_handle, flags);

This results in a 10 seconds delay after a login attempt with
an existing user, but a wrong password."

Darren Tucker's "Miscellaneous Patches" web page has the "Test
harness for Pluggable Authentication Modules (PAM)" approach to
the problem.
http://www.zipworld.com.au/~dtucker/patches/

"pam-test-harness.c: a heavily-instrumented PAM test application,
intended to help debug PAM/sshd problems and study the behaviour
of PAM on various platforms. It also seems to be useful for testing
and debugging while developing PAM modules.

You can control most aspects of the authentication, including not
setting the various options (the PAM service name, PAM_TTY, PAM_RHOST,
PAM_USER) and skipping the pam_authenticate call (this is common in
sshd for non-password authentications, but can confuse some modules).

...

pam_faildelay module for LinuxPAM

pam_faildelay.c: Allow an admin to change the setting of LinuxPAM's
pam_fail_delay from the PAM configuration file, possibly on a
per-application basis."

If you need any clarification, please feel free to ask.


Search strategy:

Google search on: openssh password delay OR pause
http://www.google.com/search?q=openssh+password+delay+OR+pause

Google search on: openssh "pam_fail_delay"
http://www.google.com/search?q=openssh+%22pam_fail_delay%22

Looking Forward, denco-ga - Google Answers Researcher
tedder-ga rated this answer: 5 out of 5 stars
great followthrough on the question. Great job finding clarification
and being patient.
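The answer's second option, setting the delay from the PAM configuration file with the pam_faildelay module rather than patching sshd, is shown below as an added example that is not part of the thread. It embeds a constructed `/etc/pam.d/sshd` fragment and a small check that reports the delay the sshd auth stack requests; it assumes Linux-PAM's `pam_faildelay.so`, whose `delay=N` option is given in microseconds, and simple (non-bracketed) control tokens.

```shell
#!/bin/sh
# Added example, not code from the Google Answers thread.
# Reports the failure delay that pam_faildelay.so will request through
# pam_fail_delay() for a PAM service file. Assumes Linux-PAM's
# pam_faildelay module: "delay=N" is in microseconds, and the module
# must appear in the "auth" stack of the service (here: sshd).

# Constructed sample of /etc/pam.d/sshd with the module added;
# 3000000 microseconds = the 3 seconds asked for in the question.
SAMPLE_PAM_SSHD=$(cat <<'EOF'
# constructed sample, not a real host's configuration
auth       optional     pam_faildelay.so delay=3000000
auth       required     pam_unix.so
account    required     pam_unix.so
EOF
)

# Constructed sample without the module (delay left to pam_unix's default).
SAMPLE_PAM_SSHD_NO_DELAY=$(cat <<'EOF'
auth       required     pam_unix.so
# auth     optional     pam_faildelay.so delay=3000000   (commented out)
account    required     pam_unix.so
EOF
)

# faildelay_seconds CONFIG_TEXT
# Prints the requested delay in whole seconds, or "none" when no active
# "auth" line loads pam_faildelay.so. Comment lines are ignored.
faildelay_seconds() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $0 ~ /pam_faildelay\.so/ {
            us = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^delay=[0-9]+$/) us = substr($i, 7)
            printf "%d\n", us / 1000000
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}
```

Run `faildelay_seconds "$(cat /etc/pam.d/sshd)"` on a host to see what its sshd stack actually requests; `UsePAM yes` must be set in sshd_config for the stack to be consulted at all.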

Comments  
Subject: Re: password attempt delay between openssh login attempts
From: bozo99-ga on 18 Aug 2005 16:35 PDT
 
I don't see that this sort of thing helps if an attacker can run
multiple threads against you in parallel.
Subject: Re: password attempt delay between openssh login attempts
From: denco-ga on 22 Aug 2005 17:45 PDT
 
Greatly appreciate the kind words and 5 star rating, tedder-ga.

My pleasure!

Looking Forward, denco-ga - Google Answers Researcher
