Reduce timeout after failed password in i3lock

mithrial · 20 August 2023 13:57

Hi!

I’m using i3 and i3lock-color from the AUR as the session locker (it is a fork of i3lock).

My problem is that there is a 30 second delay for the next try if I enter a wrong password. I know this is a security feature but for me 3 seconds would be enough.
I often type my password wrongly because I switch keyboards from the laptop without a numpad to an actual keyboard with a numpad. The laptop keyboard thinks it should then enable the numpad and remaps the keys => wrong password.

Waiting for 30 seconds for the next try is really stupid, especially with my ~~sausage fingers~~ complicated password that I sometimes mistype.

Which option can I set to remove this delay to the default (?) 3 seconds?

The file /etc/security/faillock does not contain a delay option, I’ve only changed the deny = 5 (from = 3 ) because it would lock me for 15 minutes after 3 attempts.

In the /etc/pam.d directory, there is nothing about delay and I’m very careful with changing these files.
Especially, there is nothing loading the pam_faildelay.

When logging in from a TTY, the fail delay is around 5 seconds that I counted it my head (it might be 3, I’m not sure).

I looked around and found this on unix.stackexchange about changing the file /etc/pam.d/system-auth:

auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok

to:

auth       [success=1 default=bad]     pam_unix.so          try_first_pass nodelay nullok

However, I don’t think this is the solution because the man pam_unix page tells me that the default delay is 2 seconds, not 30.

 nodelay
           This argument can be used to discourage the authentication component from requesting a delay should the authentication as a
           whole fail. The default action is for the module to request a delay-on-failure of the order of two second.

linux-aarhus · 20 August 2023 15:25

i3lock provides a login config in /etc/pam.d/login

github.com

i3/i3lock/blob/main/pam/i3lock#L1-L6


      
          #
          # PAM configuration file for the i3lock screen locker. By default, it includes
          # the 'login' configuration file (see /etc/pam.d/login)
          #
          
          auth include login

https://man.archlinux.org/man/i3lock.1.en

# The length of the interval during which the consecutive
# authentication failures must happen for the user account
# lock out is <replaceable>n</replaceable> seconds.
# The default is 900 (15 minutes).
# fail_interval = 900
#
# The access will be re-enabled after n seconds after the lock out.
# The value 0 has the same meaning as value `never` - the access
# will not be re-enabled without resetting the faillock
# entries by the `faillock` command.
# The default is 600 (10 minutes).
# unlock_time = 600

– faillock.conf(5) — Arch manual pages

mithrial · 20 August 2023 15:40

Thanks, the order of includes is:
login -> system-local-login -> system-login -> system-auth

(the last one is the one above)

The two settings you mention are not for my case:

fail_interval: total lock of the user if failed tries appear in a 15 minutes interval

unlock_time: unlocking after a total lock

I’m not locked out, the “login” for a wrong password takes 30 seconds.

linux-aarhus · 20 August 2023 15:44

I don’t remember i3lock work like that. I had the understanding that you got locked out - my apology.

As I remember you input the password and press enter. The fancy circle lights up on keypress - I really don’t remember there being a 30s disgrace on wrong passwd.

EDIT @mithrial
The man page for faillog.conf states that you can append a nodelay option to the config

nodelay
    Don't enforce a delay after authentication failures.

mithrial · 20 August 2023 18:00

I’ll try but the man page indicates that this delay is 2 seconds.

mithrial · 31 August 2023 13:36

I reinstalled on a new machine and the “fail” message appears now after the default 3 seconds delay.

I’m sorry, I don’t know the actual solution to this