login slow w/bad password

Post by Mike Batchel » Tue, 24 Sep 1996 04:00:00

>I do some junior sysadmining on an Ultra Sparc running Solaris 2.5.
>I've noticed that when I log in and mistype my password, there is a
>long delay before I'm given a new login: prompt (long as in 10 seconds
>or so).  This is much longer than any other Unix system I've used.
>This is not a function of load, as I'm often the only person using
>it...and I know the system doesn't have to look very far (only about a
>dozen people in /etc/passwd).  It can't take THAT long to run crypt(1)
>with a 143Mhz processor ;)
>Why so slow?  I notice that other Solaris machines do not have this
>problem.  This is almost certainly a function of my ignorance...any
>pointers on things to look at?

This is a feature, not a bug or a problem.  The delay is a defense
against password-guessing attacks.

login slow w/bad password

Post by Steve Col » Tue, 24 Sep 1996 04:00:00

> I've noticed that when I log in and mistype my password, there is a
> long delay before I'm given a new login: prompt (long as in 10 seconds
> or so).  This is much longer than any other Unix system I've used.

Thank your lucky stars.  This alone makes it 300% harder to break into
your system.  Less experienced/motivated hackers will become quickly
frustrated trying userid/password pairs compared to systems that
immediately pop up another login prompt.  Sun, rightly, put this function
in deliberately.

Cheers,
Steve      |President & Systems Administrator,  Kingston Online Services
           |(e pluribus unix)    Multiple-T1    URL: http://www.kos.net/
           |Business and Education partners in SouthEastern Ontario
           |
           |"Through the firewall, out the router, down the T1, across the
           | backbone, bounced from satellite, it's nothing but net."

login slow w/bad password

Post by Theron Smit » Tue, 24 Sep 1996 04:00:00

> > I've noticed that when I log in and mistype my password, there is a
> > long delay before I'm given a new login: prompt (long as in 10 seconds
> > or so).  This is much longer than any other Unix system I've used.

> Thank your lucky stars.  This alone makes it 300% harder to break into
> your system.  Less experienced/motivated hackers will become quickly
> frustrated trying userid/password pairs compared to systems that
> immediately pop up another login prompt.  Sun, rightly, put this function
> in deliberately.

> Cheers,
> Steve      |President & Systems Administrator,  Kingston Online Services
>            |(e pluribus unix)    Multiple-T1    URL: http://www.veryComputer.com/
>            |Business and Education partners in SouthEastern Ontario
>            |
>            |"Through the firewall, out the router, down the T1, across the
>            | backbone, bounced from satellite, it's nothing but net."

I think it's a pain in the *and i don't think we need it if we just
use good password sense.  maybe if you want it, you could set some
variable or something and it would pause...

as for me and my house...NOT WANTED!

login slow w/bad password

Post by James K. Lev » Tue, 24 Sep 1996 04:00:00

>I do some junior sysadmining on an Ultra Sparc running Solaris 2.5.
>I've noticed that when I log in and mistype my password, there is a
>long delay before I'm given a new login: prompt (long as in 10 seconds
>or so).  This is much longer than any other Unix system I've used.
>This is not a function of load, as I'm often the only person using
>it...and I know the system doesn't have to look very far (only about a
>dozen people in /etc/passwd).  It can't take THAT long to run crypt(1)
>with a 143Mhz processor ;)

>Why so slow?  I notice that other Solaris machines do not have this
>problem.  This is almost certainly a function of my ignorance...any
>pointers on things to look at?

I wondered the same thing and had the opportunity to ask one of the Sun
developers about it. He claimed that the delay is a design feature to
discourage password guessing attacks. If in fact that is true I would say
that it ought to work fairly well... It would take a really determined
attacker to persist long enough to guess any decent password.

login slow w/bad password

Post by Philip Polstr » Wed, 25 Sep 1996 04:00:00

> I do some junior sysadmining on an Ultra Sparc running Solaris 2.5.
> I've noticed that when I log in and mistype my password, there is a
> long delay before I'm given a new login: prompt (long as in 10 seconds
> or so).  This is much longer than any other Unix system I've used.
> This is not a function of load, as I'm often the only person using
> it...and I know the system doesn't have to look very far (only about a
> dozen people in /etc/passwd).  It can't take THAT long to run crypt(1)
> with a 143Mhz processor ;)

> Why so slow?  I notice that other Solaris machines do not have this
> problem.  This is almost certainly a function of my ignorance...any
> pointers on things to look at?

For one thing if you are attempting to log in as root your failed
attempt is logged so the "real" root can hunt you down.  It's a
security thing to slow down would-be hackers.

--
Philip Polstra

http://www.inetnow.net/~ppolstra      http://www.kcm-inc.com
My other car is an experimental aircraft:  Zenair 601HDS N721PT

login slow w/bad password

Post by w.. » Thu, 26 Sep 1996 04:00:00

>I think it's a pain in the *and i don't think we need it if we just
>use good password sense.  maybe if you want it, you could set some
>variable or something and it would pause...

>as for me and my house...NOT WANTED!

Well then if you don't want it, just turn it off.

Edit /etc/default/login and add this line to the end:

SLEEPTIME=0

At least under 2.5 this will set the delay to 0.  (If memory serves,
this was ineffective on some earlier releases of Solaris).

--
                                William LeFebvre
                                Group sys Consulting

                                +1 770 813 3224

login slow w/bad password

Post by Robert Wal » Thu, 26 Sep 1996 04:00:00

>> > I've noticed that when I log in and mistype my password, there is a
>> > long delay before I'm given a new login: prompt (long as in 10 seconds
>> > or so).  This is much longer than any other Unix system I've used.

>> Thank your lucky stars.  This alone makes it 300% harder to break into
>> your system.  Less experienced/motivated hackers will become quickly
>> frustrated trying userid/password pairs compared to systems that
>> immediately pop up another login prompt.  Sun, rightly, put this function
>> in deliberately.
>I think it's a pain in the *and i don't think we need it if we just
>use good password sense.  maybe if you want it, you could set some
>variable or something and it would pause...

Unless your machine is extremely heavily firewalled (e.g. not connected
to the net at all would be good) then "good password sense" is not
a solution because you can't know that _someone_ won't exhibit good
password sense.

Regards,
 Robert.
--

Sun Microelectronics                      Tel: +1-408-774-8116
2550 Garcia Avenue, MS USUN02-302         Fax: +1-408-774-8680
Mountain View, CA 94043, USA              (PGP Key on Request)

login slow w/bad password

Post by Steve McKinty - Sun Microsystems Grenob » Thu, 26 Sep 1996 04:00:00

>I do some junior sysadmining on an Ultra Sparc running Solaris 2.5.
>I've noticed that when I log in and mistype my password, there is a
>long delay before I'm given a new login: prompt (long as in 10 seconds
>or so).  This is much longer than any other Unix system I've used.

This is a deliberate feature of SVr4 (not unique to Solaris 2). It
is an anti-hacker function, to prevent people working their way through
a dictionary trying passwords. I think the delay increases with each
failure, although I'm not sure of the exact algorithm.

Steve

--
Steve McKinty                   |
Sun Microsystems ICNC           |
38240 Meylan, France            |

login slow w/bad password

Post by David W. Bar » Wed, 02 Oct 1996 04:00:00

As some have pointed out, this feature makes sense in the login
program.

However, Solaris (probably actually System V) also has it in the su(1)
program.  This is a real joke of a security measure, because it
actually _reduces_ security instead of increasing it.  Why, you ask?
Because the programmer who added the pause-on-bad-password feature to
su failed to engage his brain before coding and put the pause before
the call to syslog(3) that logs the bad su attempt.  So a bad guy who
has a non-root account can merrily guess passwords all day, hitting ^C
(or whatever the intr character is) if a # prompt doesn't appear in a
second or so, and none of the bad guesses will ever get logged.

Real swift, that.

--
David Barts N5JRN | UW Civil Engineering, Box 352700 | Seattle, WA 98195-2700

        2156 GMT T: 63 F wind: NW 5 gust 10 mph P: 1017 mbar
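The ordering defect David describes, shown as an added example (constructed for this page; not code from the thread and not Sun's su source): a pause placed before the syslog call is lost when the process is killed during the pause, whereas a record committed before the pause survives. The audit log, the user name and the two delay callbacks are constructed stand-ins; `delay_interrupted` models the process being torn down mid-wait.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for syslog(3): failed attempts are appended here so
 * the two orderings can be compared without a real logger. */
static char audit_log[8][64];
static int  audit_count = 0;

static void audit_bad_su(const char *user) {
    if (audit_count < 8)
        snprintf(audit_log[audit_count++], sizeof audit_log[0],
                 "BAD SU %s", user);
}

void audit_reset(void)   { audit_count = 0; }
int  audit_entries(void) { return audit_count; }

/* A delay routine returns 0 if it ran to completion and -1 if the process
 * was torn down before the wait finished (the ^C the post describes). */
typedef int (*delay_fn)(unsigned secs);
int delay_completed(unsigned secs)   { (void)secs; return 0; }
int delay_interrupted(unsigned secs) { (void)secs; return -1; }

/* Ordering the post criticises: pause first, then log.  If the pause is
 * cut short, control never reaches audit_bad_su() and the guess is lost. */
int su_fail_pause_then_log(const char *user, delay_fn delay) {
    if (delay(5) != 0)
        return -1;              /* killed here: nothing was logged */
    audit_bad_su(user);
    return 0;
}

/* Corrected ordering: commit the audit record before any wait, and keep
 * keyboard interrupts from cutting the wait short while it runs. */
int su_fail_log_then_pause(const char *user, delay_fn delay) {
    struct sigaction ign, old_int, old_quit;
    audit_bad_su(user);         /* on record before the delay starts */
    memset(&ign, 0, sizeof ign);
    ign.sa_handler = SIG_IGN;
    sigaction(SIGINT,  &ign, &old_int);
    sigaction(SIGQUIT, &ign, &old_quit);
    int rc = delay(5);
    sigaction(SIGINT,  &old_int,  NULL);
    sigaction(SIGQUIT, &old_quit, NULL);
    return rc;
}
```

The same check applies to any authentication path that rate-limits failures: the failure must be on record before the caller gets a chance to abandon the attempt.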

 
 
 

login slow w/bad password

Post by Craig S. Wrigh » Sat, 05 Oct 1996 04:00:00

The main use is where you have either a terminal server or modem
connection. Try doing this over 10^100000 passwd combinations from a
modem or from a terminal


> As some have pointed out, this feature makes sense in the login
> program.

> However, Solaris (probably actually System V) also has it in the su(1)
> program.  This is a real joke of a security measure, because it
> actually _reduces_ security instead of increasing it.  Why, you ask?
> Because the programmer who added the pause-on-bad-password feature to
> su failed to engage his brain before coding and put the pause before
> the call to syslog(3) that logs the bad su attempt.  So a bad guy who
> has a non-root account can merrily guess passwords all day, hitting ^C
> (or whatever the intr character is) if a # prompt doesn't appear in a
> second or so, and none of the bad guesses will ever get logged.

> Real swift, that.

> --
> David Barts N5JRN | UW Civil Engineering, Box 352700 | Seattle, WA 98195-2700

>         2156 GMT T: 63 F wind: NW 5 gust 10 mph P: 1017 mbar

--

        ,'~``.              \|/              ,'``~.

+--.oooO--(_)--Ooo-----oOO-(_)-OOo-------oooO--(_)--Oooo.------+
|                                                              |
|   Soon, we may all be staring at our computers, wondering    |
|               whether they're staring back.                  |
|                                                              |
| [Network Admin For WPA Business Products.  aka doshai >;-) ] |
|    .oooO        http://pip.com.au/~doshai/      Oooo.        |
|    (   )   Oooo.                        .oooO   (   )        |
+-----\ (----(   )-------oooO-Oooo--------(   )--- ) /---------+
       \_)    ) /                          \ (    (_/
             (_/                            \_)
Key fingerprint = 2D F4 54 BB B4 EA F1 E7  B6 DE 48 92 FC 8D FF 49
Send a message with the subject "send pgp-key" for a copy of my key.
(if I want to give it to you)