debian/patches/463_login_delay_obeys_to_PAM


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97

Goal: Do not hardcode pam_fail_delay and let pam_unix do its
      job to set a delay...or not

Fixes: #87648

Status wrt upstream: Forwarded but not applied yet

Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs

--- a/src/login.c
+++ b/src/login.c
@@ -512,7 +512,6 @@
 #if !defined(USE_PAM)
 	char ptime[80];
 #endif
-	unsigned int delay;
 	unsigned int retries;
 	bool subroot = false;
 #ifndef USE_PAM
@@ -537,6 +536,7 @@
 	pid_t child;
 	char *pam_user = NULL;
 #else
+	unsigned int delay;
 	struct spwd *spwd = NULL;
 #endif
 	/*
@@ -701,7 +701,6 @@
 	}
 
 	environ = newenvp;	/* make new environment active */
-	delay   = getdef_unum ("FAIL_DELAY", 1);
 	retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
 
 #ifdef USE_PAM
@@ -717,8 +716,7 @@
 
 	/*
 	 * hostname & tty are either set to NULL or their correct values,
-	 * depending on how much we know. We also set PAM's fail delay to
-	 * ours.
+	 * depending on how much we know.
 	 *
 	 * PAM_RHOST and PAM_TTY are used for authentication, only use
 	 * information coming from login or from the caller (e.g. no utmp)
@@ -727,10 +725,6 @@
 	PAM_FAIL_CHECK;
 	retcode = pam_set_item (pamh, PAM_TTY, tty);
 	PAM_FAIL_CHECK;
-#ifdef HAS_PAM_FAIL_DELAY
-	retcode = pam_fail_delay (pamh, 1000000 * delay);
-	PAM_FAIL_CHECK;
-#endif
 	/* if fflg, then the user has already been authenticated */
 	if (!fflg) {
 		unsigned int failcount = 0;
@@ -771,12 +765,6 @@
 			bool failed = false;
 
 			failcount++;
-#ifdef HAS_PAM_FAIL_DELAY
-			if (delay > 0) {
-				retcode = pam_fail_delay(pamh, 1000000*delay);
-				PAM_FAIL_CHECK;
-			}
-#endif
 
 			retcode = pam_authenticate (pamh, 0);
 
@@ -1110,14 +1098,17 @@
 		free (username);
 		username = NULL;
 
+#ifndef USE_PAM
 		/*
 		 * Wait a while (a la SVR4 /usr/bin/login) before attempting
 		 * to login the user again. If the earlier alarm occurs
 		 * before the sleep() below completes, login will exit.
 		 */
+		delay = getdef_unum ("FAIL_DELAY", 1);
 		if (delay > 0) {
 			(void) sleep (delay);
 		}
+#endif
 
 		(void) puts (_("Login incorrect"));
 
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -77,7 +77,6 @@
 	{"ENV_PATH", NULL},
 	{"ENV_SUPATH", NULL},
 	{"ERASECHAR", NULL},
-	{"FAIL_DELAY", NULL},
 	{"FAILLOG_ENAB", NULL},
 	{"FAKE_SHELL", NULL},
 	{"FTMP_FILE", NULL},