From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ldv@altlinux.org>
Date: Mon, 25 Nov 2013 01:48:36 +0400
From: "Dmitry V. Levin" <ldv@altlinux.org>
To: kbd@lists.altlinux.org
Message-ID: <20131124214835.GC20405@altlinux.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: [kbd] [PATCH 3/3] vlock: introduce short delays after non-fatal PAM
	errors
X-BeenThere: kbd@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Linux console tools development discussion <kbd@lists.altlinux.org>
List-Id: Linux console tools development discussion <kbd.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/kbd>,
	<mailto:kbd-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/kbd>
List-Post: <mailto:kbd@lists.altlinux.org>
List-Help: <mailto:kbd-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/kbd>,
	<mailto:kbd-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Nov 2013 21:48:38 -0000
Archived-At: <http://lore.altlinux.org/kbd/20131124214835.GC20405@altlinux.org/>
List-Archive: <http://lore.altlinux.org/kbd/>

Add a short delay after PAM errors like PAM_AUTH_ERR that are likely
to be non-fatal, so that in case when they are fatal, there would be
a delay between continuous attempts that are doomed to fail.

For example, fatal PAM configuration errors like unreadable
/etc/pam.d/vlock file usually result to immediate PAM_AUTH_ERR,
the same error as returned by more likely authentication error
due to incorrect password.
---
 src/vlock/auth.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/vlock/auth.c b/src/vlock/auth.c
index 76945c0..da135ce 100644
--- a/src/vlock/auth.c
+++ b/src/vlock/auth.c
@@ -35,6 +35,8 @@
 
 /* Delay after fatal PAM errors, in seconds. */
 #define	LONG_DELAY	10
+/* Delay after other PAM errors, in seconds. */
+#define	SHORT_DELAY	1
 
 static int
 do_account_password_management (pam_handle_t *pamh)
@@ -117,6 +119,7 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty)
 					fflush (stdout);
 					pam_end (pamh, rc);
 					pamh = 0;
+					sleep (SHORT_DELAY);
 					break;
 				}
 
@@ -135,7 +138,7 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty)
 				if (is_vt || isatty (STDIN_FILENO))
 				{
 					/* Ignore error. */
-					sleep (1);
+					sleep (SHORT_DELAY);
 					break;
 				}
 
@@ -162,6 +165,7 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty)
 			default:
 				printf ("%s.\n\n\n", pam_strerror (pamh, rc));
 				fflush (stdout);
+				sleep (SHORT_DELAY);
 		}
 	}
 }


-- 
ldv