Feature request: FAIL_DELAY-support for sshd

Darren Tucker dtucker at zip.com.au
Tue Feb 8 18:47:39 EST 2005

Bjoern Voigt wrote:
> Ok, but unfortunately there is probably not a configure option for this
> in Linux PAM. I did not found one.

It's trivial to write one, so:

It turns out I should have invoked Google *before* vi, because someone 
beat me to it by many years (timestamps are 1997):

> You already said, that it's possible
> to write such an PAM module. But does it help, if very few people use
> such an un-official PAM module?

Perhaps that's because few people want it?  There's been a module 
available since last century...

> Also lots of Unix systems have no
> PAM-system or no pam_fail_delay() function. 

OK, I've thought about this and here's my opinion:

a) sshd should not insert arbitrary delays.

b) sshd should not arbitrarily override pam_fail_delay() either.  If you 
want to configure PAM do it via a PAM config file.  That's what they're for.

c) maybe sshd could read AUTH_FAIL from login.defs[1] *IF* it's 
sufficiently standardized.  The facts that the Linux vendors can't agree 
on it and the API isn't public are not in its favour.

c) maybe sshd should have a generic option to insert a delay on failed 
password-based auths.  If so it should default to disabled.  If enabled it 
would be reasonable to supply it to pam_fail_delay() on platforms that 
have it.

[1] reading /etc/default/login on Solaris/Sinix is a precedent for this 
sort of thing.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list