A year ago I tried to adjust the delay that I have to wait after entering a wrong password when running "sudo echo 1".

Usually you have to wait 2 seconds before you can enter the password again, and this is too much for me. You can configure PAM and set a parameter called NODELAY, which means exactly that: you won't have to wait at all if you make a typo while typing your password. The problem? If you log in through SSH this rule applies too, and it allows brute-force attacks or maybe a DoS through a huge number of SSH login attempts.

Finally I've found how to configure this option! You have to edit the file /etc/pam.d/common-auth, which looks like this (comments have been removed):

auth    [success=1 default=ignore]    pam_unix.so nullok_secure  
auth    requisite            pam_deny.so  
auth    required            pam_permit.so  
auth    optional            pam_cap.so

And it has to end up looking like this. The order of the lines is important! Notice that in the second line we have added a new parameter, nodelay.

auth       optional   pam_faildelay.so  delay=250000  
auth    [success=1 default=ignore]    pam_unix.so nullok_secure nodelay  
auth    requisite            pam_deny.so  
auth    required            pam_permit.so  
auth    optional            pam_cap.so

In the line "auth       optional   pam_faildelay.so  delay=250000" we define the time we will wait, in microseconds. So 250000 is 250 milliseconds, or 0.25 seconds.

And that's it!
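
As an added example (not part of the original post): a small Python check that parses a common-auth style stack and reports the failure delay it configures, warning when pam_unix.so carries nodelay with no pam_faildelay.so line before it. The function names and the sample text are assumptions made for the illustration; the ordering check follows the layout shown above.

```python
import re

# Constructed sample: the edited /etc/pam.d/common-auth shown in this post.
SAMPLE = """\
auth optional pam_faildelay.so delay=250000
auth [success=1 default=ignore] pam_unix.so nullok_secure nodelay
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# type, control (plain word or [bracketed list]), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return [(type, control, module, [args])] for every rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@"):      # skip blanks and @include
            continue
        m = LINE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def audit_auth_delay(text):
    """Return (configured delay in seconds or None, list of warnings)."""
    delay_us, warnings = None, []
    for rtype, _control, module, args in parse_stack(text):
        if rtype.lstrip("-") != "auth":
            continue
        name = module.rsplit("/", 1)[-1]
        if name == "pam_faildelay.so":
            for arg in args:
                if arg.startswith("delay=") and arg[6:].isdigit():
                    delay_us = int(arg[6:])       # value is in microseconds
        elif name == "pam_unix.so":
            if "nodelay" not in args:
                warnings.append("pam_unix.so without nodelay: its own failure delay still applies")
            elif delay_us is None:
                warnings.append("nodelay set with no pam_faildelay.so delay= before pam_unix.so: "
                                "nothing in this stack delays a failed attempt")
    seconds = delay_us / 1_000_000 if delay_us is not None else None
    return seconds, warnings
```

Calling audit_auth_delay(open("/etc/pam.d/common-auth").read()) runs the same check against the real file.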

Note: This post is the continuation of the posts "sudo su" sin espera ( nodelay ) and Clase de buceo of my old blog.