LinuxQuestions.org
Old 06-23-2011, 09:39 AM   #1
ranban282
LQ Newbie
 
Registered: Jul 2006
Location: Hyderabad
Distribution: Fedora 8
Posts: 28

Rep: Reputation: 1
Why does it take ages to re-enter the password in Linux login screens?


When I try to log in to virtually any Linux system through the GUI, and I enter the correct password, the desktop initialization starts immediately. But when the password entered is incorrect, it takes a couple of seconds to say that the password is incorrect, and another second or so before I can enter my password again. I have seen this in Ubuntu 10.04 and various versions of Fedora. Any clues?
 
Old 06-23-2011, 09:49 AM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,570

Security feature to stymie brute-force logins
Old 06-23-2011, 11:28 AM   #3
MTK358
LQ 5k Club
 
Registered: Sep 2009
Posts: 6,443
Blog Entries: 3

Quote:
Originally Posted by ranban282
Any clues?
It's actually a security feature to slow down password crackers that try to enter different passwords until one happens to match.
Old 07-03-2011, 01:17 PM   #4
ranban282
LQ Newbie
 
Registered: Jul 2006
Location: Hyderabad
Distribution: Fedora 8
Posts: 28

Original Poster
Rep: Reputation: 1
From a security point of view, how would it be if 3 successive attempts had no delay and exponential delays thereafter?

Second question - Since we are talking about a login screen, we are talking about manual brute-force attempts, right? Or is there some automated way to brute-force?
 
Old 07-03-2011, 01:30 PM   #5
markush
Senior Member
 
Registered: Apr 2007
Location: Germany
Distribution: Slackware
Posts: 3,970

Quote:
Originally Posted by ranban282
...
Second question - Since we are talking about a login screen, we are talking about manual brute-force attempts, right? Or is there some automated way to brute-force?
Yes there are such ways.

Markus
Old 07-03-2011, 11:14 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by ranban282
From a security point of view, how would it be if 3 successive attempts had no delay and exponential delays thereafter?
Well, you'd have to do the math to know for sure, but in all honesty it sounds to me like it could be a reasonable approach for some people. I mean, as long as the exponential delay doesn't reach the point where this can be used to DoS someone, of course.

Quote:
Second question - Since we are talking about a login screen, we are talking about manual brute-force attempts, right? Or is there some automated way to brute-force?
Yeah, it wouldn't take a rocket scientist to use a computer (be it hand-held, PC, smartphone, whatever) to hook up via USB and spoof a keyboard (which will use automation to brute-force).
 
Old 07-04-2011, 04:20 AM   #7
Nominal Animal
Senior Member
 
Registered: Dec 2010
Location: Finland
Distribution: Xubuntu, CentOS, LFS
Posts: 1,723
Blog Entries: 3

Quote:
Originally Posted by ranban282
From a security point of view, how would it be if 3 successive attempts had no delay and exponential delays thereafter?
There are two sources for the delay in current Linux distributions: Pluggable Authentication Module pam_faildelay (usually configured in /etc/pam.d/login, but may vary between distributions), and the failure delay requested by PAM applications themselves via the pam_fail_delay() function. (Of course login programs can do additional delays, but e.g. gdm-2.30.6 does not. The only delay it has is an exponential backoff when it cannot connect to the X server, but that has nothing to do with login failures.)

The reason pam_faildelay implements a fixed delay is that there really is no state shared between different login attempts. That means there is no notion of "succession", or of when or if another attempt succeeded or failed. Each attempt is a separate event, independent of all others. The PAM architecture is such that sharing state between authentication attempts is not easy. To implement different delay levels, some kind of shared state is needed.

I believe it would not be worth the effort.

Perhaps you could just tune down the delay a bit in your /etc/pam.d/login file? The delay= option contains the failure delay in microseconds, 1000000 µs = 1 s.

Quote:
Originally Posted by ranban282
Second question - Since we are talking about a login screen, we are talking about manual brute-force attempts, right? Or is there some automated way to brute-force?
Yes, there is, and it costs maybe 20 USD, and works with any USB HID (Human Interface Device), as long as you can write for example a compact C program that generates the HID event data.

Fortunately, even a one second delay per failed attempt -- whether password or some other method like fingerprinting -- does make any such device pretty much impotent. You cannot really say they won't work, because they might, if there are few enough candidates. A three-day weekend has a quarter of a million seconds, so having a strong password is still important.
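
An added example, not part of the original thread or of PAM: a constructed Python model of the two policies discussed above (a fixed pam_faildelay-style delay versus three free attempts followed by exponential delays, optionally capped), counting how many failed guesses fit in the three-day weekend. The per-account failure counter, all function and class names, and the 60-second cap are assumptions made for illustration.

```python
# Added example (constructed model, not PAM code). Delays are in microseconds,
# the unit of pam_faildelay's delay= option.
US = 1_000_000
WEEKEND = 3 * 24 * 3600 * US  # the post's three-day weekend: 259200 s


def fixed(delay_us):
    """Same delay after every failure, like pam_faildelay."""
    return lambda failures: delay_us


def free_then_exponential(free=3, base_us=US, cap_us=None):
    """No delay for the first `free` failures, then base, 2*base, 4*base, ..."""
    def delay(failures):
        if failures <= free:
            return 0
        # Exact integer doubling; exponent clamped so the value stays bounded.
        d = base_us << min(failures - free - 1, 62)
        return d if cap_us is None else min(d, cap_us)
    return delay


class FailureTracker:
    """Per-account failure count: the shared state a stateless module lacks."""

    def __init__(self, policy):
        self.policy, self.failures = policy, {}

    def on_failure(self, user):
        """Record a failed attempt and return the delay to impose (in us)."""
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.policy(self.failures[user])

    def on_success(self, user):
        self.failures.pop(user, None)  # a good login resets the streak


def guesses_within(budget_us, policy, max_guesses=10**7):
    """Failed guesses against one account whose delays fit in budget_us."""
    tracker, elapsed = FailureTracker(policy), 0
    for n in range(max_guesses):  # bound keeps a zero-delay policy finite
        elapsed += tracker.on_failure("target")  # "target" is a placeholder
        if elapsed > budget_us:
            return n
    return max_guesses
```

Under this model a fixed 1 s delay allows 259,200 guesses over the weekend, the uncapped exponential schedule allows 20 (its 20th delay alone is about 18 hours, which is the lock-out concern raised in post #6), and a 60 s cap allows 4,327.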
 