Home / server / Questions / 559543
Accepted
mbrownnyc
Asked: 2013-12-06 11:29:08 +0800 CST

What is the `sshd_config` parameter to set the time between password prompts?

  • 772

If I attempt a logon with bad credentials to an sshd server, I am greeted with Access denied after about a 2 second pause.

Is there a way to increase the time it takes to return the password entry prompt?

Note that I already have LoginGraceTime set to a value of 20s.

linux

1 Answers

  1. Best Answer

    This can be controlled with the pam_faildelay.so PAM module (man).

    Under RHEL 6, the following file applies to sshd:

    /etc/pam.d/sshd:

    #%PAM-1.0
auth       required     pam_sepermit.so
auth       optional     pam_faildelay.so delay=[N time in microseconds]
auth       include      password-auth


account    required     pam_nologin.so
account    include      password-auth

password   include      password-auth

# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

    If you don't want to set the delay within the pam module config you can set it in:

    /etc/login.defs:

     FAIL_DELAY    [N time in seconds]

    Note that, oddly, FAIL_DELAY accepts the time in seconds.

    To apply this to console logins, modify /etc/pam.d/password-auth and/or /etc/pam.d/system-auth. Also note, you must include the pam_faildelay.so line BEFORE any other auth lines (particularly pam_unix.so).

    • 7