Bug 119874

Summary: failed password in gnome-screensaver takes waaaaaay too long
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Pete Goodall <pete>
Component: GNOMEAssignee: Rodrigo Moya <rodrigo>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: jsuchome, security-team
Version: RC 4   
Target Milestone: ---   
Hardware: i686   
OS: All   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Pete Goodall 2005-10-03 15:22:59 UTC 
Why is it that gnome-screensaver takes so long to tell me that my password is
wrong, but takes less that a second to tell me I'm right?  Is the intention to
hold me in suspense?  Is it searching some unknown password database with deep
encryption that must be decrypted to compare passwords?  If there is no
technical reason for this to occur can we please make that wait much shorter?
Comment 1 Mark Gordon 2005-10-03 16:13:27 UTC 
I think it's to make a brute-force attempt to guess your password take longer
than it would otherwise.  It's very useful against net-based attacks; I'm not
sure it's necessary for local logins.
Comment 2 JP Rosevear 2005-10-04 14:53:40 UTC 
Yes, thats what's happening - it a general PAM setting.  There is a yast
setting, Security and Users -> Local Security, "Delay after Incorrect Login
Attempt".  Changing the default is a yast team and security team issue.  I
personally think 3 seconds is too high.
Comment 3 Klaus Kämpf 2005-10-04 14:58:37 UTC 
Well, YaST just displays whats in the sysconfig file.  I'm not aware that YaST 
actually defines this value.
Comment 4 Jiří Suchomel 2005-10-04 15:11:31 UTC 
It's FAIL_DELAY in /etc/login.defs -> Thorsten, what do you think about changing
the default value?
Comment 5 Michael Gross 2005-10-04 15:20:24 UTC 
Do I get this right? This is an enhancement according to the standard-value of
LOGIN_DELAY in /etc/login.defs?

Actually, the default-value was always 3 seconds as long as I can think... but
indeed one of the first things I ordinarily do after an installation is to
reduce this value. Because for normal purposes it _is_ to high.

Would nice to lower this value to, let's say, 1? Assigning this to the
yast2-security-maintainer.
Comment 6 Pete Goodall 2005-10-04 15:32:16 UTC 
I'm all for changing the value, but the wait in gnome-screensaver is definitely
longer than 3 seconds.  I just typed in the wrong password twice (purposely) and
counted the time it took.  With a slow count I got 11 and 15 seconds.  I can
time it more accurately if you like, but it seems there is something else
causing a further delay.
Comment 7 Jiří Suchomel 2005-10-04 15:33:44 UTC 
I'm not responsible for the default value (YaST doesn't set the default);
Thorsten is.
Comment 8 Thorsten Kukuk 2005-10-05 06:46:41 UTC 
If somebody does not like the default, he can change it. Since there always a
few people who don't like a default, I will not change it.
Comment 9 Pete Goodall 2005-10-05 16:35:07 UTC 
Ok... Thorsten, I don't think this has anything to do with the FAIL_DELAY value,
so don't worry about that.  I just changed the FAIL_DELAY value to 4, 1, 0 and
even 30(!), and there was absolutely no affect what so ever.  Afaict this has
nothing to do with FAIL_DELAY.

In addition, I timed the delay slightly more accurately by using a stop watch. 
Without fail it took about 11.14 seconds to return the message of "Password
check failed!".  That is timing from the time I press the [ Enter ] key on the
keyboard to the time I get that message.  There is something else going on here.
Comment 10 Thorsten Kukuk 2005-10-05 16:40:26 UTC 
So we should adjust the rest of the report.
Comment 11 JP Rosevear 2005-10-10 15:43:41 UTC 
gnome-screensaver (and xscreensaver) fail over to also trying the root password,
which would add additional time.
Comment 12 Pete Goodall 2005-10-10 16:06:33 UTC 
That doesn't really explain why it seems to ignore FAIL_DELAY, does it?
Comment 13 JP Rosevear 2005-10-10 20:29:57 UTC 
Each attempt would presumably have the failed delay - ie your user and the the
root user.
Comment 14 JP Rosevear 2005-10-18 13:04:16 UTC 
I misunderstood, you'd already reduced the delay.  Rodrigo, can you check this out?
Comment 15 Rodrigo Moya 2005-10-18 16:00:24 UTC 
gnome-screensaver just calls /sbin/unix2_chkpwd command. Maybe that is the one delaying?
Comment 16 JP Rosevear 2005-10-18 18:19:50 UTC 
Could be - the setup seems a little odd.  man unix2_chkpwd indicates it only works with the pam_unix module - shouldn't we just be using the regular pam stuff?

OTOH, we (suse distro) apparently wrote this support, so I'm not clear on the history here.
Comment 17 Ludwig Nussel 2005-10-19 09:37:21 UTC 
IIRC pam_unix2 is more versatile (NIS+ etc) and not as broken as pam_unix according to it's author. One major application visible difference between the two is that pam_unix2 does not fork authentication helpers by itself to read eg /etc/shadow. You always have to call pam_unix2 with sufficient permissions. Therefore the setgid shadow unix2_chkpwd helper is used. The helper is really only suitable for simple password based authentication though, it doesn't offer a full pam interface.
Comment 18 JP Rosevear 2005-10-20 13:03:53 UTC 
The fact that it doesn't offer a full pam interface leads me to believe we should no longer be using it because of upcoming active directory and edir support for logins (among other things).
Comment 19 Rodrigo Moya 2006-02-21 13:43:06 UTC 
*** Bug 152357 has been marked as a duplicate of this bug. ***
Comment 20 Rodrigo Moya 2006-02-22 16:10:06 UTC 
This is fixed in upstream g-s which is now submitted to autobuild