Get rid of wrong password delay in Linux

The delay after typing a wrong password (su, sudo, ...) seems to be hard-coded to 2 seconds; see pam_unix(8). Its purpose is to slow down repeated guessing at a login prompt, but if on your system it is just an annoyance, you can easily disable it.

Disable delay in Ubuntu and Debian

Edit /etc/pam.d/common-auth and add nodelay to the line with auth ... pam_unix.so. E.g.:

auth    [success=2 default=ignore]      pam_unix.so nullok_secure

change to

auth    [success=2 default=ignore]      pam_unix.so nullok_secure nodelay

Disable delay in CentOS, RHEL and Fedora

Edit /etc/pam.d/system-auth and add nodelay to the line with auth ... pam_unix.so, e.g.:

auth        sufficient    pam_unix.so nullok try_first_pass

change to

auth        sufficient    pam_unix.so nullok try_first_pass nodelay
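The edit is the same on both distribution families: find the auth line that loads pam_unix.so and append nodelay to it. The following shell script is an added example, not code from the original post; its function names (has_nodelay, add_nodelay) are the example's own. It backs up the file, refuses a file that has no such line, and is a no-op when nodelay is already present, so it can be run repeatedly. The common-auth file it edits at the bottom is a constructed sample in a temporary directory; on a real system you would pass /etc/pam.d/common-auth or /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example (not from the original post): append "nodelay" to the
# auth line(s) that load pam_unix.so in a PAM configuration file.
# Assumes the layout shown above: "auth <control> pam_unix.so [options]".

# has_nodelay FILE: succeed if an auth line loading pam_unix.so already has nodelay
has_nodelay() {
    grep -Eq '^auth[[:space:]].*pam_unix\.so.*[[:space:]]nodelay([[:space:]]|$)' "$1"
}

# add_nodelay FILE: append " nodelay" to every auth line that loads pam_unix.so
add_nodelay() {
    file=$1
    if ! grep -Eq '^auth[[:space:]].*pam_unix\.so' "$file"; then
        echo "no 'auth ... pam_unix.so' line in $file" >&2
        return 1
    fi
    # Already done: leave the file untouched so repeated runs stay idempotent
    has_nodelay "$file" && return 0
    cp -p "$file" "$file.bak" || return 1
    # Replace any trailing whitespace on matching lines with " nodelay";
    # writing to a temporary file keeps this portable (no reliance on sed -i)
    sed -E '/^auth[[:space:]].*pam_unix\.so/ s/[[:space:]]*$/ nodelay/' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Demonstration on a constructed copy of the Debian common-auth lines shown above
demo_dir=$(mktemp -d)
demo="$demo_dir/common-auth"
printf '%s\n' \
    'auth    [success=2 default=ignore]      pam_unix.so nullok_secure' \
    'auth    requisite                       pam_deny.so' \
    'auth    required                        pam_permit.so' > "$demo"
add_nodelay "$demo"
cat "$demo"    # the pam_unix.so line now ends in "nullok_secure nodelay"; the others are untouched
rm -rf "$demo_dir"
```

Running add_nodelay a second time changes nothing, and a file with no auth line for pam_unix.so (for example one that only has an account line) is rejected with a message on stderr rather than silently left alone.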

If brute-forcing scares you

You can have users locked out for a specified amount of time (or until you manually let them in again) if they type the wrong password a specified number of times. Look up pam_tally(8), but beware: many configuration examples that you find scattered on message boards just won't work, not least because the order of the PAM directives is important. (Trust me, I spent too much time googling this.)

In Ubuntu and Debian, the following will lock out users from SSH (but not from local logins) for 120 seconds after typing the wrong password 3 times:

  1. Open /etc/pam.d/sshd in a text editor.
  2. Right before @include common-auth, add the following on its own line:

     auth required pam_tally.so onerr=fail deny=3 unlock_time=120

  3. Right before @include common-account, add the following on its own line:

     account required pam_tally.so reset
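The three steps above as an added shell example, not the post's own code: insert_before puts a directive immediately before its @include line (and does nothing if the directive is already there), enable_ssh_lockout applies the post's two directives with its values (deny=3, unlock_time=120), and lockout_order_ok checks that the pam_tally auth line really precedes @include common-auth, which is the ordering point the post warns about: with Debian's common-auth, a wrong password is rejected by the requisite pam_deny line before anything later in the stack runs, so a pam_tally line placed after the include never counts the failure. The function names are the example's own; it assumes a Debian-style /etc/pam.d/sshd containing the exact lines @include common-auth and @include common-account, and the sshd file it edits here is a constructed sample in a temporary directory. pam_tally has since been replaced by pam_tally2 and, on current distributions, by pam_faillock; the example keeps the post's pam_tally directives.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two /etc/pam.d/sshd
# edits described above while keeping the directive order the post insists on.
# Assumes a Debian-style sshd file with the exact lines "@include common-auth"
# and "@include common-account".

# insert_before FILE ANCHOR LINE: put LINE immediately before the line that
# exactly equals ANCHOR; do nothing if LINE is already present
insert_before() {
    file=$1 anchor=$2 line=$3
    grep -Fxq "$line" "$file" && return 0
    if ! grep -Fxq "$anchor" "$file"; then
        echo "anchor '$anchor' not found in $file" >&2
        return 1
    fi
    awk -v anchor="$anchor" -v line="$line" \
        '$0 == anchor { print line } { print }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# enable_ssh_lockout FILE: 3 wrong passwords -> 120 s lockout (values from the post)
enable_ssh_lockout() {
    file=$1
    cp -p "$file" "$file.bak" || return 1
    insert_before "$file" '@include common-auth' \
        'auth required pam_tally.so onerr=fail deny=3 unlock_time=120' || return 1
    insert_before "$file" '@include common-account' \
        'account required pam_tally.so reset'
}

# lockout_order_ok FILE: succeed only if the first pam_tally auth line comes
# before "@include common-auth" (otherwise pam_deny in common-auth ends the
# stack on a wrong password and the failure is never counted)
lockout_order_ok() {
    awk '
        /^auth[[:space:]].*pam_tally\.so/ && !t { t = NR }
        /^@include common-auth$/         && !i { i = NR }
        END { exit !(t && i && t < i) }
    ' "$1"
}

# Demonstration on a constructed sshd file (not a copy of any real system's file)
demo_dir=$(mktemp -d)
demo="$demo_dir/sshd"
printf '%s\n' \
    '# PAM configuration for the Secure Shell service (constructed sample)' \
    '@include common-auth' \
    'account    required     pam_nologin.so' \
    '@include common-account' \
    '@include common-session' > "$demo"
enable_ssh_lockout "$demo"
lockout_order_ok "$demo" && echo "pam_tally auth line precedes common-auth"
cat "$demo"
rm -rf "$demo_dir"
```

Running enable_ssh_lockout again leaves the file unchanged, and lockout_order_ok fails on a file where the pam_tally line was added after the include, which is the mistake the post describes.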

Use pam_tally to check a user:

# pam_tally --user foobar
User foobar (1000)  has 4

You can also reset the counter manually:

# pam_tally --user foobar --reset

See also /var/log/auth.log.
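To see what is actually hitting the lockout, the quickest check in auth.log is a count of pam_unix authentication failures per user and remote host. The following shell function is an added example, not code from the original post; the name failed_auth_summary is the example's own. It assumes the standard pam_unix message format ("pam_unix(service:auth): authentication failure; ... rhost=... user=..."), and the log lines it runs on are constructed for the demonstration (made-up host name, PIDs and timestamps, and the documentation address 192.0.2.10).

```shell
#!/bin/sh
# Added example (not from the original post): summarise pam_unix
# authentication failures per user and remote host from an auth.log.
# Assumes the standard pam_unix failure message, e.g.
#   pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=foobar

# failed_auth_summary FILE: print "COUNT USER RHOST", most frequent first;
# local failures (empty rhost, e.g. from su) are shown with "-" as the host
failed_auth_summary() {
    awk '
        /pam_unix\([^)]*:auth\): authentication failure/ {
            user = "?"; host = "-"
            for (i = 1; i <= NF; i++) {
                # "ruser=" does not match /^user=/, so the target account is picked up correctly
                if ($i ~ /^user=/) user = substr($i, 6)
                if ($i ~ /^rhost=/ && length($i) > 6) host = substr($i, 7)
            }
            n[user " " host]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Demonstration on constructed log lines (host, PIDs, timestamps and address are made up)
log=$(mktemp)
cat > "$log" <<'EOF'
Oct  7 21:14:01 box sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=foobar
Oct  7 21:14:04 box sshd[2101]: Failed password for foobar from 192.0.2.10 port 50112 ssh2
Oct  7 21:14:09 box sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=foobar
Oct  7 21:14:15 box sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=foobar
Oct  7 21:15:02 box su[2150]: pam_unix(su:auth): authentication failure; logname=alice uid=1001 euid=0 tty=pts/0 ruser=alice rhost=  user=root
EOF
failed_auth_summary "$log"    # 3 foobar 192.0.2.10 / 1 root -
rm -f "$log"
```

Only the pam_unix failure lines are counted; sshd's own "Failed password" line for the same attempt is ignored so that one wrong password is not counted twice.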

2010-10-07
