Why is pam_faildelay.so not taking effect if user clicks cancel button?

yyilmaz · 11-03-2021, 05:10 AM

Hi all, there is a problem to validate PAM faildelay rule on CentOS 7 Server with GUI installation. I have added one minute delay between failed login attempts. The first two lines in system-auth-ac and password-auth-ac files are as below:

Code:

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=60000000

I have performed a test scenario as below:
- User enters wrong password
Now, signin button and password input field are inactive and login animation will be continuing during one minute ( I saw that login animation has ended after one minute if I have been waiting)
- User clicks the cancel button for example after ten seconds
Now, user selection screen is shown again (gnome login screen)
- User is selected again and enters wrong password

pam_faildelay.so is not taking effect if user clicks cancel button. What is the problem ? Are there any other pam files to edit in order to apply faildelay rule succesfully?

Thanks in advance

rigor · 11-18-2021, 03:41 PM

If I understood correctly, what you described, it sounded to me as though you thought the faildelay should be activated when the User presses the Cancel button. Naturally I could be wrong, but my understanding is that "fail" is considered to be an incorrect password; that pressing the Cancel button is not classified as a "fail".

yyilmaz · 11-19-2021, 12:52 AM

I have thought the same before I have decided to ask this question. pam_faildelay process should start as soon as wrong password is entered, shouldn't it ? If this attempt's owner is an attacker ? Can we say that attackers can enter wrong password then immediately can cancel how much they want?

For example, let's think that pam_faildelay time is set 60 seconds; attackers attempt to login, can understand the password is not correct because they are waiting unexpected time; then immediately can cancel. They can do this how much they want, can't ?

Thanks for your opinions.

rigor · 11-20-2021, 09:11 PM

Quote:

Originally Posted by yyilmaz

I have thought the same before I have decided to ask this question. pam_faildelay process should start as soon as wrong password is entered, shouldn't it ? If this attempt's owner is an attacker ? Can we say that attackers can enter wrong password then immediately can cancel how much they want?

For example, let's think that pam_faildelay time is set 60 seconds; attackers attempt to login, can understand the password is not correct because they are waiting unexpected time; then immediately can cancel. They can do this how much they want, can't ?

Thanks for your opinions.

Sorry, in your original post, I wasn't sure if you were saying that pam_faildelay wasn't working the way it was intended to work, or not as it should work. Sadly the two can be different. I was saying I thought the way it seems to be working, is the way that I thought it was intended to work. Naturally, as you described, as much as possible, there should be something which prevents someone from trying an endless number of incorrect passwords.