How to reduce the delay after mistype my password when running sudo?

Ask Fedora
1

When I run sudo and I am asked for my password. sometimes I make a typo. That leads to a several seconds long delay before I can try again. I read this: How to use Authselect to configure PAM in Fedora Linux - Fedora Magazine and came up with these commands to achieve this change:

sudo authselect create-profile lowdelay --base-on=local
sudo sed -i -E 's/delay=.000000/delay=100000/g' /etc/authselect/custom/lowdelay/system-auth /etc/authselect/custom/lowdelay/password-auth
sudo authselect select custom/lowdelay
sudo authselect apply-changes

Yet it does not seem to work even though the changes were applied:

grep "delay" /etc/pam.d/*
/etc/pam.d/password-auth:auth        required                                     pam_faildelay.so delay=100000
/etc/pam.d/system-auth:auth        required                                     pam_faildelay.so delay=100000

Where am I making a mistake?

2

You probably need to set the nodelay option on pam_unix.

From man pam_unix:

       nodelay
           This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail. The
           default action is for the module to request a delay-on-failure of the order of two seconds.
3

Thank you for the suggestion, but this also does not work. In this line, I am actually lowering the default delay of 2s to 0.1s.

4

Setting both delay=100000 on pam_faildelay.so and nodelay on pam_unix.so in /etc/pam.d/system-auth worked for me (you should use authselect as you mentioned in your original post).

auth        required                                     pam_faildelay.so delay=100000
auth        sufficient                                   pam_unix.so nullok nodelay
1 Like
5

Aha, so the problem is with autoselect or me using it. The way it works is that authselect apply changes somehow magically produces the appropriate files from my files living in /etc/authoselect/custom/lowdelay and puts them into /etc/authselect/ and links to them from /etc/pam.d. I am not able to reproduce my error but I must have been calling apply changes wrongly or possibly I misedited the files (I was not sure which pam_unix.so to add delay so I did to all, I havea suspicion it might have failed silently ignoring nonsense). Anyway, I was doing something wrong. Now I can confirm running (after removing /etc/authselect/custom):

sudo authselect create-profile nodelay --base-on=local
#this line does not do anything :-(
sudo sed -i -E 's/delay=.000000/delay=100000/g' /etc/authselect/custom/nodelay/system-auth /etc/authselect/custom/nodelay/password-auth
sudo sed -i -E 's/auth(.*)pam_unix\.so/auth\1pam_unix.so nodelay/g' /etc/authselect/custom/nodelay/system-auth
sudo authselect select custom/nodelay
sudo authselect apply-changes

Works as intended.

Still, I think that it sounds like a bug that nodelay is needed and lowering the delay does not work on its own. I guess I will report that to Fedora?

1 Like
6

Is does seem like that configuration should be in one place or the other, not both. You could probably report that as a bug against the Authselect package and they should be able to address the problem in their default configurations.

7

Turns out this is an upstream bug and there is no way to decrease the delay without removing it altogether: pam_unix: Fix delay UX · Issue #778 · linux-pam/linux-pam · GitHub

Well, the maintainers seem to claim it is a feature, but their rationale is escaping me.

So not Fedora bug per se.

1 Like
8

Revisiting this for Fedora 43, the line

sudo sed -i -E 's/delay=.000000/delay=100000/g' /etc/authselect/custom/nodelay/system-auth /etc/authselect/custom/nodelay/password-auth

is actually crucial now, it seems. Without it, I was not able to get rid of the delay. Not sure what changed, in Fedora 42 the line had no effect.

Also, this rant in the above mentioned link report is illustrative: pam_unix: Fix delay UX · Issue #778 · linux-pam/linux-pam · GitHub