Bug#463113: marked as done (login: delay when password was typed incorrectly is security measure of the past)

Tue, 29 Jan 2008 15:36:17 -0800 

Your message dated Wed, 30 Jan 2008 00:29:18 +0100
with message-id <[EMAIL PROTECTED]>
and subject line [Pkg-shadow-devel] Bug#463113: login: delay when password was 
typed incorrectly is security measure of the past
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: login
Version: 1:4.0.18.1-11
Severity: wishlist


login: delay when password was typed incorrectly is security measure of the past
please make this delay configurable


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23pps-nodeb.pps-nodeb (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages login depends on:
ii  libc6                         2.7-5      GNU C Library: Shared libraries
ii  libpam-modules                0.99.7.1-5 Pluggable Authentication Modules f
ii  libpam-runtime                0.99.7.1-5 Runtime support for the PAM librar
ii  libpam0g                      0.99.7.1-5 Pluggable Authentication Modules l

login recommends no packages.

-- no debconf information

--- End Message ---
--- Begin Message --- 
Hello,

On Tue, Jan 29, 2008 at 05:19:15PM +0100, [EMAIL PROTECTED] wrote:
> 
> login: delay when password was typed incorrectly is security measure of the 
> past
> please make this delay configurable

The delay is not set by login, but by PAM.

It can be disabled by adding the nodelay option to the pam_unix auth module.

However, I do not recommend to use this.
A delay when a password is incorrect is a very efficient security
measure against password brute force.
I was very efficient, and with the time (and CPU resources or bandwidth
being more and more cheap for the attacker and for an attacked server) it
is more and more efficient.

Kind Regards,
-- 
Nekral

--- End Message ---

Reply via email to