RHEL-28839

Remove delay on incorrect password for sudo

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Affects Version: rhel-9.2.0
    • Component: pam
    • Severity: Moderate
    • sst_idm_sssd
    • ssg_idm
    • Product: Red Hat Enterprise Linux
    • All

      When you use `sudo` but get your password wrong there is an approximately 2 second delay (it's actually randomised a bit).

      This serves no security purpose. In theory it would prevent dictionary attacks against your own password if an attacker has access to your account. However, that's nonsense for two reasons:

      1. If an attacker has access to your account it's completely trivial to get your password - just alias `sudo` to `mitm_sudo` and wait.
      2. You can check the current user's password using `unix_chkpwd` (which is how PAM does it). That program has no delay at all.

      Therefore all the delay does is give a very annoying illusion of security.

      Please can you disable the delay? I believe this can be done by removing this line in `/etc/pam.d/system-auth`:

          auth        required                                     pam_faildelay.so delay=2000000

      It may make sense to keep the delay for local logins but not sudo. I'm not entirely sure how the `pam.d` configs work, but there is a `sudo` file in there (and also `sudo-i`?) so maybe that is possible.
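Whether `sudo` gets the delay depends on what `/etc/pam.d/sudo` pulls in through `include`/`substack`, so here is an added example (not code from the report or from Linux-PAM) that resolves a service's effective auth stack and reports any `pam_faildelay.so` delay it inherits; the pam.d contents are constructed, with the `system-auth` line quoted above, and only pam_faildelay is inspected, not delays other modules may add on their own.

```python
"""Resolve a PAM service's effective auth stack and report pam_faildelay (added example for RHEL-28839; not code from the report or Linux-PAM)."""
import re

# Constructed sample pam.d contents (not copied from a RHEL system). The
# system-auth pam_faildelay line is the one quoted in the report.
SAMPLE_PAMD = {
    "system-auth": """\
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        required                                     pam_deny.so
account     required                                     pam_unix.so
""",
    "sudo": "#%PAM-1.0\nauth       include      system-auth\naccount    include      system-auth\n",
    "login": "auth       substack     system-auth\nauth       include      postlogin\n",
}

# type, control (possibly bracketed, e.g. [success=1 default=ignore]), module, args
LINE_RE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(pamd, service, depth=0):
    """Return (control, module, args) tuples making up the auth stack of
    `service`, expanding include/substack directives recursively."""
    if depth > 8:
        raise ValueError(f"include nesting too deep at {service}")
    out = []
    for raw in pamd.get(service, "").splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0])   # drop comments, then tokenize
        if not m:
            continue
        type_, control, module, args = m.groups()
        if type_.lstrip("-") != "auth":             # "-auth" marks an optional module
            continue
        if control in ("include", "substack"):
            out.extend(auth_stack(pamd, module, depth + 1))
        else:
            out.append((control, module, args))
    return out

def faildelay_usec(pamd, service):
    """Microseconds pam_faildelay adds to `service`; 0 if the module is present
    without delay= (it then reads FAIL_DELAY from /etc/login.defs); None if absent."""
    for _, module, args in auth_stack(pamd, service):
        if module == "pam_faildelay.so":
            m = re.search(r"\bdelay=(\d+)", args)
            return int(m.group(1)) if m else 0
    return None
```

To check a real host, build the dict from the files in `/etc/pam.d` and call `faildelay_usec` for `sudo`, `sudo-i` and `login`.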

            Assignee: Iker Pedrosa (ipedrosa@redhat.com)
            Reporter: Tim Hutt (tdhutt@gmail.com) (Inactive)
            Anuj Borah
            Votes: 0
            Watchers: 5