timhh 7 hours ago

> Yes, for local password authentication.

It's really really not. By default PAM has a difficult-to-disable 2ish second minimum delay for all authentication methods. However this is completely pointless for local password authentication because PAM checks passwords using unix_chkpwd, which has no delay. The comment I linked to is explaining that unix_chkpwd has a silly security theatre delay if you try to run it in a tty, but that's trivial to avoid.

If you want to brute force local password authentication you can just run unix_chkpwd as fast as you like. You don't need to involve PAM at all, so its 2 second delay achieves nothing.

It maybe does more for remote connections but I'm not sure about that either - if you want to check 10k ssh passwords per second what stops you making 10k separate connections every second? I don't think the 2 second delay helps there at all.

> Change both the config files and you can remove the delay if you want.

This is extremely complicated. See the comments in the issue for details.

onraglanroad 3 hours ago

No, it's very simple. Do what I said in my comment. Add nodelay to the options for pam_unix.so and set pam_faildelay.so delay=0. That's it.

You didn't link to any issue and the weird mistakes and justifications you're making feel like arguing with an LLM.

You obviously can't run unix_chkpwd against a local account without root.
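
To see what a given PAM stack currently sets for the two options named in this thread, the sketch below parses `/etc/pam.d`-style rules and reports them. It is an added example, not part of either comment; the sample stack, `parse_pam` and `delay_settings` are constructed for illustration, and it only reports the options without judging whether they are sufficient.

```python
import re

# Constructed sample of an /etc/pam.d auth stack (not taken from the thread).
SAMPLE = """\
# constructed example
auth    optional    pam_faildelay.so delay=0
auth    [success=1 default=ignore]    pam_unix.so nullok nodelay
auth    requisite   pam_deny.so
-auth   optional    pam_unix.so try_first_pass
password required   pam_unix.so sha512
"""

# type, control (simple keyword or [bracketed] form), module path, arguments
LINE_RE = re.compile(
    r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

def parse_pam(text):
    """Yield (type, control, module, args) for each rule line."""
    text = text.replace("\\\n", " ")            # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line or line.startswith("@"):    # skip blanks and @include
            continue
        m = LINE_RE.match(line)
        if m:
            yield (m["type"].lower(), m["control"],
                   m["module"].rsplit("/", 1)[-1], m["args"].split())

def delay_settings(text):
    """Report the failure-delay options found on auth rules."""
    report = {"pam_unix_nodelay": [], "faildelay_usec": []}
    for typ, _control, module, args in parse_pam(text):
        if typ != "auth":
            continue
        if module == "pam_unix.so":
            # without nodelay, pam_unix requests a delay on failure
            report["pam_unix_nodelay"].append("nodelay" in args)
        elif module == "pam_faildelay.so":
            # delay= is in microseconds; None means no delay= argument,
            # so FAIL_DELAY from /etc/login.defs applies
            value = next((a.split("=", 1)[1] for a in args
                          if a.startswith("delay=")), None)
            report["faildelay_usec"].append(
                int(value) if value is not None else None)
    return report

if __name__ == "__main__":
    print(delay_settings(SAMPLE))
```
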