PAM_FAIL_DELAY - Online Linux Manual Page
Section : 3
Updated : 09/03/2021
Source : Linux-PAM Manual
Note : Linux-PAM Manual

NAME
pam_fail_delay - request a delay on failure

SYNOPSIS
    #include <security/pam_appl.h>

    int pam_fail_delay(pam_handle_t *pamh, unsigned int usec);

DESCRIPTION
The pam_fail_delay function provides a mechanism by which an application or module can suggest a minimum delay of usec micro-seconds. The function keeps a record of the longest time requested with this function. Should pam_authenticate(3) fail, the failing return to the application is delayed by an amount of time randomly distributed (by up to 50%) about this longest value.

Independent of success, the delay time is reset to its zero default value when the PAM service module returns control to the application. The delay occurs after all authentication modules have been called, but before control is returned to the service application.

When using this function the programmer should check if it is available with:

    #ifdef HAVE_PAM_FAIL_DELAY
        ....
    #endif /* HAVE_PAM_FAIL_DELAY */

For applications written with a single thread that are event driven in nature, generating this delay may be undesirable. Instead, the application may want to register the delay in some other way. For example, in a single threaded server that serves multiple authentication requests from a single event loop, the application might want to simply mark a given connection as blocked until an application timer expires. For this reason the delay function can be changed with the PAM_FAIL_DELAY item. It can be queried and set with pam_get_item(3) and pam_set_item(3) respectively. The value used to set it should be a function pointer of the following prototype:

    void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);

The arguments are the retval return code of the module stack, the usec_delay micro-second delay that libpam is requesting and the appdata_ptr that the application has associated with the current pamh. This last value was set by the application when it called pam_start(3) or explicitly with pam_set_item(3).

Note that the PAM_FAIL_DELAY item is set to NULL by default. This indicates that PAM should perform a random delay as described above when authentication fails and a delay has been suggested. If an application does not want the PAM library to perform any delay on authentication failure, then the application must define a custom delay function that executes no statements and set the PAM_FAIL_DELAY item to point to this function.

RATIONALE
It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user. In cases of short timeouts, it may prove possible to attempt a brute force dictionary attack -- with an automated process, the attacker tries all possible passwords to gain access to the system. In other cases, where individual failures can take measurable amounts of time (indicating the nature of the failure), an attacker can obtain useful information about the authentication process. These latter attacks make use of procedural delays that constitute a covert channel of useful information.

To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. Preferably this value should be set by the application or a special PAM module. Standard PAM modules should not modify the delay unconditionally.

EXAMPLE
For example, a login application may require a failure delay of roughly 3 seconds. It will contain the following code:

    pam_fail_delay (pamh, 3000000 /* micro-seconds */ );
    pam_authenticate (pamh, 0);

If the modules do not request a delay, the failure delay will be between 1.5 and 4.5 seconds.

However, the modules, invoked in the authentication process, may also request delays:

    module #1:    pam_fail_delay (pamh, 2000000);
    module #2:    pam_fail_delay (pamh, 4000000);

In this case, it is the largest requested value that is used to compute the actual failed delay: here between 2 and 6 seconds.
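The following is an added example, not part of the Linux-PAM manual: a custom delay function for the single-threaded, event-driven case in DESCRIPTION that records a deadline on the connection instead of sleeping. The names struct conn, now_us, defer_fail_delay, conn_is_blocked, install_fail_delay and the WITH_LIBPAM build macro are hypothetical, and the code assumes the application passed its connection pointer as appdata_ptr.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for clock_gettime() */
#endif
#include <stdint.h>
#include <time.h>
#ifdef WITH_LIBPAM                /* assumption: built with -DWITH_LIBPAM -lpam */
#include <security/pam_appl.h>
#endif
#ifndef PAM_SUCCESS
#define PAM_SUCCESS 0             /* stand-alone build without the PAM headers */
#endif

/* Hypothetical per-connection state, passed to PAM as appdata_ptr. */
struct conn {
    uint64_t blocked_until_us;    /* monotonic deadline; 0 means not blocked */
};

static uint64_t now_us(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000u + (uint64_t)ts.tv_nsec / 1000u;
}

/* Matches the delay_fn prototype; records a deadline instead of sleeping. */
static void defer_fail_delay(int retval, unsigned usec_delay, void *appdata_ptr)
{
    struct conn *c = appdata_ptr;
    if (c == NULL || retval == PAM_SUCCESS || usec_delay == 0)
        return;                              /* no failure, nothing to delay */
    uint64_t deadline = now_us() + usec_delay;
    if (deadline > c->blocked_until_us)      /* never shorten an existing block */
        c->blocked_until_us = deadline;
}

/* Event-loop check: hold the failure reply while this returns non-zero. */
static int conn_is_blocked(const struct conn *c, uint64_t now)
{
    return now < c->blocked_until_us;
}

#if defined(WITH_LIBPAM) && defined(HAVE_PAM_FAIL_DELAY)
/* Register the callback, then suggest the 3 second minimum from the EXAMPLE. */
static int install_fail_delay(pam_handle_t *pamh)
{
    int rc = pam_set_item(pamh, PAM_FAIL_DELAY, (void *)defer_fail_delay);
    return rc != PAM_SUCCESS ? rc : pam_fail_delay(pamh, 3000000);
}
#endif
```

The event loop must withhold the failure response, and any further authentication attempt on that connection, until conn_is_blocked returns 0; otherwise the delay is recorded but never enforced.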

RETURN VALUES
PAM_SUCCESS
    Delay was successfully adjusted.

PAM_SYSTEM_ERR
    A NULL pointer was submitted as PAM handle.

SEE ALSO
pam_start(3), pam_get_item(3), pam_strerror(3)

STANDARDS
The pam_fail_delay function is a Linux-PAM extension.