Disable or drastically shorten pause on incorrect password

I'm using plasma 5 right now ^{(on Fedora 22, if that matters)} and whenever I enter my password incorrectly at the lock screen I have to wait around five seconds before it will let me try to enter text into the password input again.

I feel this is too long and was wondering if anyone knew whether this timeout was defined in a config file somewhere _{(hopefully only affecting the lock/login screens and not other software where the timeout is a good bot-bruteforce deterrent)}

Hashbrown

Posted 2015-09-23T03:40:57.930

Reputation: 1 720

not sure if this is the right place to discuss it, but plasma5 is new, so it's probably that I'm just first one to come across and want to use it. Just like kde-4 before it, I don't doubt that this tag will be used a lot as the new KDE starts getting used by more people. That was the thinking when I made it, it's now in the communities hands whether it's used or dies – Hashbrown – 2015-09-23T05:37:43.587

Answers

The delay is added by the pam_unix authentication module.

Open /etc/pam.d/system-auth, find the "auth … pam_unix.so" module in there, then add the nodelay option to the line. (See "man pam_unix" for information about all options, and examples of how to specify them.)

user1686

Posted 2015-09-23T03:40:57.930

Reputation: 283 655

That didn't appear to work, the screen still said Unlocking failed and disabled interaction with the textbox for several seconds (is there something I have to do to get the system to realise I edited the config?). Had it worked, this file seems like it'd affect more than only the lock screen, is it safe to disable delay here? – Hashbrown – 2015-09-23T05:46:03.090

Try doing the same replacement in other similar files? (system-auth isn't used directly, it is usually imported from a service-specific config like /etc/pam.d/kde or such.) – user1686 – 2015-09-23T05:49:34.020

Other than system-auth, only password-auth had auth..pam_unix in them (I tried it to no avail). The files kscreensaver and kde only included or 'substack'd other files like system-auth. – Hashbrown – 2015-09-23T06:10:52.467

The files all say they are auto-generated by authconfig. I ran authconfig --test and it gave me a password dialog; typing in the wrong password had it instantly re-ask. I changed the config files back to remove nodelay and authconfig started pausing between wrong passwords. So the setting is working, but not on the lock screen at all – Hashbrown – 2015-09-23T06:12:38.277

The reason updating the pam_unix.so entry does not work (see grawity's answer) does not work is to be found within the source code of kscreenlocker:

Before forwarding a received password to the authentication program (that is, kcheckpass) the KScreenLocker greeter application will start a three-second “grace lock timer” and will refuse any further unlock attempts until that counter has expired. That three-second number being hard-coded of course. So when you attempt to remove the PAM-level time, as suggested in the other answer, all you'll actually do is wait proportionally longer on this timer instead.

The only solution here is to recompile KScreenLocker with the given timer patched to some low value (setting it to 0 might me racy; I haven't checked).
Or try proposing a different value to upstream. From I know they aren't very open on making stuff on the screen locker configurable, so you may be out of luck there.

ntninja

Posted 2015-09-23T03:40:57.930

Reputation: 220