7

I'm using plasma 5 right now (on Fedora 22, if that matters) and whenever I enter my password incorrectly at the lock screen I have to wait around five seconds before it will let me try to enter text into the password input again.

I feel this is too long and was wondering if anyone knew whether this timeout was defined in a config file somewhere (hopefully only affecting the lock/login screens and not other software where the timeout is a good bot-bruteforce deterrent)

Hashbrown
  • 2,782
  • 4
  • 32
  • 47
  • not sure if this is the right place to discuss it, but plasma5 is new, so it's probably that I'm just first one to come across and want to use it. Just like `kde-4` before it, I don't doubt that this tag will be used a lot as the new KDE starts getting used by more people. That was the thinking when I made it, it's now in the communities hands whether it's used or dies – Hashbrown Sep 23 '15 at 05:37

2 Answers2

2

The reason updating the pam_unix.so entry does not work (see grawity's answer) does not work is to be found within the source code of kscreenlocker:

Before forwarding a received password to the authentication program (that is, kcheckpass) the KScreenLocker greeter application will start a three-second “grace lock timer” and will refuse any further unlock attempts until that counter has expired. That three-second number being hard-coded of course. So when you attempt to remove the PAM-level time, as suggested in the other answer, all you'll actually do is wait proportionally longer on this timer instead.

The only solution here is to recompile KScreenLocker with the given timer patched to some low value (setting it to 0 might me racy; I haven't checked).
Or try proposing a different value to upstream. From I know they aren't very open on making stuff on the screen locker configurable, so you may be out of luck there.

ntninja
  • 348
  • 3
  • 6
1

The delay is added by the pam_unix authentication module.

Open /etc/pam.d/system-auth, find the "auth … pam_unix.so" module in there, then add the nodelay option to the line. (See "man pam_unix" for information about all options, and examples of how to specify them.)

u1686_grawity
  • 426,297
  • 64
  • 894
  • 966
  • That didn't appear to work, the screen still said `Unlocking failed` and disabled interaction with the textbox for several seconds (is there something I have to do to get the system to realise I edited the config?). Had it worked, this file seems like it'd affect more than only the lock screen, is it safe to disable delay here? – Hashbrown Sep 23 '15 at 05:46
  • Try doing the same replacement in other similar files? (`system-auth` isn't used directly, it is usually imported from a service-specific config like `/etc/pam.d/kde` or such.) – u1686_grawity Sep 23 '15 at 05:49
  • Other than `system-auth`, only `password-auth` had `auth..pam_unix` in them (I tried it to no avail). The files `kscreensaver` and `kde` only included or 'substack'd other files like `system-auth`. – Hashbrown Sep 23 '15 at 06:10
  • The files all say they are auto-generated by `authconfig`. I ran `authconfig --test` and it gave me a password dialog; typing in the wrong password had it instantly re-ask. I changed the config files back to remove `nodelay` and `authconfig` started pausing between wrong passwords. So the setting is working, but not on the lock screen at all – Hashbrown Sep 23 '15 at 06:12