pam_unix: Fix delay UX

[Timmmm]

PAM's pam_unix has a default fixed delay of approximately 2 seconds. As far as I can tell most software and distros stick with this and use it for everything - ssh, sudo, login, etc.

From a usability point of view that sucks. It's a significant amount of time to wait when you make a typo and it add dubious security benefits. There are no security benefits at all for sudo (you can just use unix_chkpwd), and I'm dubious about sshd - I expect you can get around it just by creating a load of parallel connections (though I haven't tried it).

I would like to fix this annoying paper cut. I can think of the following solutions and wanted your feedback on what you would accept:

1. Just change the default delay to 0.5s. This is short enough to be not annoying to users making typos but isn't really going to change any security properties (nobody is going to care about waiting 4x longer to brute force a login). This also has the advantage of being really really easy to do.
2. Add a parameter to faildelay to have increasing delays, and store the current delay count as part of the session (if that is possible; I couldn't quite figure it out and it seems like a bad idea to use global variables). This isn't much work either.
3. Add a parameter to faildelay to have increasing delays, and persist the fail information to disk in the same way that faillock does. This is a ton of work. I'll probably give up if this is the only acceptable solution.
4. Add a parameter to faillock to have increasing delays.
5. Add a way to decrease the delay. The issue with API at the moment is that modules in the PAM stack can only increase the delay. The way Debian has the configs set up, there's a default config with the 2s delay, which means you can't e.g. force it back to 0 for sudo. It's not ideal to have the default delay as 0 because that isn't fail-safe. Every config except sudo then has to remember to set the delay.

My preference is 1. What do you think?

[Teerath-Agarwal]

I was annoyed by the delay and was thinking opening a PR today itself, when I came across this issue. I support your idea more or less, but I think, we can keep a count of number of times the password has been incorrectly entered consecutively. If its less than three, then a 0.1 second delay is enough. Otherwise, (0.5*count) second delay. Doesn't that sound better?

[Timmmm]

Yes, that is clearly the best way to do it, and it's how most password systems work. I think Windows has done it since at least XP.

However because PAM has a weird architecture (it's a library in the client rather than a single persistent system component) it's quite difficult to store persistent information. The faillock plugin does it by writing fail counts (but not times) to disk, but it's quite complex.

So you would either need to make a new plugin with a similar complexity to faillock, or patch faillock, which doesn't seem ideal because that's not what it's meant for.

Doable but quite a lot of work, whereas changing the default is a one line change. It also wouldn't require distros to change their configs so we might actually get a (suboptimal) fix before I die!

Glad someone else agrees anyway! I'm going to make a PR. If you want to make a PR for a new exponential delay plugin go ahead. I did start writing one but I hate C so...

[meribold]

I agree that lowering the default delay would be a considerable UX improvement. While something more elaborate may be even better, I feel that having the simple fix now would be great regardless (it doesn't preclude further improvements in the future). IIRC, I used to lower the delay with a line like auth optional pam_faildelay.so delay=100000 in /etc/pam.d/system-auth, but that doesn't seem to work anymore. Currently the only option seems to be to remove the delay completely.