From: Shadow package maintainers
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Let pam_unix handle login failure delays
Fixes: #87648
Status wrt upstream: Forwarded but not applied yet
Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
Gbp-Topic: debian
---
 lib/getdef.c | 1 -
 src/login.c | 19 +++++--------------
 2 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/lib/getdef.c b/lib/getdef.c
index 30f54ba..21307bb 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -84,7 +84,6 @@ static struct itemdef def_table[] = {
 {"ENV_PATH", NULL},
 {"ENV_SUPATH", NULL},
 {"ERASECHAR", NULL},
- {"FAIL_DELAY", NULL},
 {"FAKE_SHELL", NULL},
 {"GID_MAX", NULL},
 {"GID_MIN", NULL},
diff --git a/src/login.c b/src/login.c
index 9fed7b3..a5512d1 100644
--- a/src/login.c
+++ b/src/login.c
@@ -490,7 +490,6 @@ int main (int argc, char **argv)
 const char *tmptty;
 const char *cp;
 const char *tmp;
- unsigned int delay;
 unsigned int retries;
 unsigned int timeout;
 struct passwd *pwd = NULL;
@@ -500,6 +499,7 @@ int main (int argc, char **argv)
 char *pam_user = NULL;
 pid_t child;
 #else
+ unsigned int delay;
 bool is_console;
 struct spwd *spwd = NULL;
 # if defined(ENABLE_LASTLOG)
@@ -669,7 +669,6 @@ int main (int argc, char **argv)
 }
 environ = newenvp; /* make new environment active */
- delay = getdef_unum ("FAIL_DELAY", 1);
 retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
 #ifdef USE_PAM
@@ -685,8 +684,7 @@ int main (int argc, char **argv)
 /*
 * hostname & tty are either set to NULL or their correct values,
- * depending on how much we know. We also set PAM's fail delay to
- * ours.
+ * depending on how much we know.
 *
 * PAM_RHOST and PAM_TTY are used for authentication, only use
 * information coming from login or from the caller (e.g. no utmp)
@@ -695,10 +693,6 @@ int main (int argc, char **argv)
 PAM_FAIL_CHECK;
 retcode = pam_set_item (pamh, PAM_TTY, tty);
 PAM_FAIL_CHECK;
-#ifdef HAS_PAM_FAIL_DELAY
- retcode = pam_fail_delay (pamh, 1000000 * delay);
- PAM_FAIL_CHECK;
-#endif
 /* if fflg, then the user has already been authenticated */
 if (!fflg) {
 char hostn[256];
@@ -736,12 +730,6 @@ int main (int argc, char **argv)
 bool failed = false;
 failcount++;
-#ifdef HAS_PAM_FAIL_DELAY
- if (delay > 0) {
- retcode = pam_fail_delay(pamh, 1000000*delay);
- PAM_FAIL_CHECK;
- }
-#endif
 retcode = pam_authenticate (pamh, 0);
@@ -1032,14 +1020,17 @@ int main (int argc, char **argv)
 free (username);
 username = NULL;
+#ifndef USE_PAM
 /*
 * Wait a while (a la SVR4 /usr/bin/login) before attempting
 * to login the user again. If the earlier alarm occurs
 * before the sleep() below completes, login will exit.
 */
+ delay = getdef_unum ("FAIL_DELAY", 1);
 if (delay > 0) {
 (void) sleep (delay);
 }
+#endif
 (void) puts (_("Login incorrect"));
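Review bot: The new `delay = getdef_unum ("FAIL_DELAY", 1);` inside the `#ifndef USE_PAM` branch of the last src/login.c hunk looks up a key that the lib/getdef.c hunk of this same patch deletes from `def_table` for every build, PAM or not. If the lookup helper treats names missing from the table as unknown items (its body is not shown here), a non-PAM build would always fall back to the default of 1 and could not honour a FAIL_DELAY set in login.defs; keeping `{"FAIL_DELAY", NULL},` in the table under a non-PAM guard would avoid that. For PAM builds the guard means login itself no longer enforces any pause between failed attempts, so a comment such as `/* With PAM the failure delay comes from the PAM stack (pam_unix unless nodelay is set, or pam_faildelay). */` above `#ifndef USE_PAM` would tell administrators where brute-force throttling now lives. main() starts and ends outside the hunk.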