1. Overview

In Linux, there’s a delay after we enter a wrong password at login before getting prompted for another attempt. This incorrect password delay can occur during console login, sudo command execution, and the graphical login screen.

In this tutorial, we’ll look at how to modify the wrong password delay timeout value for those three cases. All commands have been tested on Debian Buster and should work on most Linux distributions.

2. Introduction to the Problem

When we enter an incorrect password at login, there’s a delay before the system tells us so:

# login
pc01 login: baeldung
Password:

<delay for few seconds...>
Login incorrect
pc01 login:

The same thing happens when we try to run a command with sudo:

$ sudo apt update
[sudo] password for baeldung:

<delay for few seconds...>

Sorry, try again.
[sudo] password for baeldung:

The delay also occurs when we enter an incorrect password at the graphical login screen.

3. The Purpose of the Delay

The failed authentication delay is basically for security reasons, such as to prevent timing attacks on string comparison or brute-force attacks.

However, computers these days are so fast that timing attacks aren’t feasible. As for brute-force attacks, instead of waiting for the delay, the attacker could just spawn another login or sudo instance to make another attempt.

Having said that, security should be an aspect of all layers, and every approach has pros and cons with different weights that we need to consider.

4. Modifying the Delay

We can modify the length of the delay in the Pluggable Authentication Modules (PAM) configuration files:

$ ls /etc/pam.d
chfn                           cron                    login             samba
chpasswd                       cups                    mate-screensaver  sddm
chsh                           gdm-autologin           newusers          sddm-autologin
cinnamon-screensaver           gdm-fingerprint         other             sddm-greeter
common-account                 gdm-launch-environment  passwd            su
common-auth                    gdm-password            polkit-1          sudo
common-password                lightdm                 ppp               su-l
common-session                 lightdm-autologin       runuser           systemd-user
common-session-noninteractive  lightdm-greeter         runuser-l         xscreensaver

PAM config files define the connection between applications (services) and the PAMs that perform the actual authentication tasks.

Let’s modify the delay for the console login, sudo, and the graphical login screen.

4.1. Modifying the Delay for Console Login

The delay timeout configuration for console login is in the login config file:

$ cat /etc/pam.d/login
...
auth optional pam_faildelay.so delay=3000000
...
@include common-auth
...

As we can see, the delay is three million microseconds, or three seconds.

The minimum delay that we can set is two million microseconds, or two seconds. If we set it to less than two seconds, it uses the default value from the pam_unix.so module, which is two seconds.

The pam_unix.so module is configured in the common-auth file that the login file includes:

$ cat /etc/pam.d/common-auth
...
auth [success=1 default=ignore] pam_unix.so nullok_secure
...

If we want less than two-second delay, we can set the delay value in the login file, and update common-auth by adding nodelay at the end of this line:

$ sudo vi /etc/pam.d/common-auth
...
auth [success=1 default=ignore] pam_unix.so nullok_secure nodelay
...

We should note that, after this change, all config files that inherit common-auth without adding their own delay will have no delay.

4.2. Modifying the Delay for sudo

The delay timeout configuration for sudo is in the sudo config file:

$ cat /etc/pam.d/sudo
#%PAM-1.0

@include common-auth
@include common-account
@include common-session-noninteractive

As we can see, it doesn’t have its own failed authentication delay. It includes common-auth which will call the pam_unix.so module. The module has a default two-second delay timeout .

However, we can add a shorter or longer delay if we want. For example, here’s how we can make it longer (five seconds):

$ sudo vi /etc/pam.d/sudo
#%PAM-1.0

auth optional pam_faildelay.so delay=5000000

@include common-auth
@include common-account
@include common-session-noninteractive

Or if we want to remove the delay, we can copy the content of common-auth and paste it in sudo so it won’t affect other config files that inherit it, and then add nodelay:

$ sudo vi /etc/pam.d/sudo
#%PAM-1.0

# content of common-auth:
auth [success=1 default=ignore] pam_unix.so nullok_secure nodelay
auth requisite pam_deny.so
auth required pam_permit.so

@include common-account
@include common-session-noninteractive

Consequently, the changes above will cause no delay for failed authentication for sudo.

4.3. Modifying the Delay for Simple Desktop Display Manager (SDDM)

The delay timeout configuration for SDDM or the graphical login screen is in the sddm config file:

$ cat /etc/pam.d/sddm
...
@include common-auth
...

The sddm config file is similar to sudo – it doesn’t have its own delay for failed authentication. However, we can add a shorter or longer delay if we want, just as we did for sudo earlier.

5. Conclusion

In this article, we learned about modifying the delay timeout for failed authentication using PAM.

Comments are closed on this article!