-
Notifications
You must be signed in to change notification settings - Fork 404
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow configuring of invalid password cooldown? #345
Comments
What you’re linking to is only the indicator, not an actual cooldown. AFAIR, the cooldown comes from PAM and needs to be configured there, not in i3lock. |
You're half right - I've configured PAM (https://unix.stackexchange.com/questions/40954/how-does-one-change-the-delay-that-occurs-after-entering-an-incorrect-password , I seemed to need both the nodelay and delay= parameters for it to work). Instant cool-down works in GDM, |
Yes, AFAIR, this behavior was introduced to prevent an easy denial of service attack: mashing the enter key to fill the password buffer with invalid attempts, that i3lock would then dutyfully process one after the other, making it impossible for the owner of the laptop to log in until the time passed. |
Any chance it could be configured to align with PAM cooldown or allow a duration be passed to it? If it's slower than PAM, on most hosts it would be possible to brute force via a TTY. Another use case may be a user who wants to increase time, which I assume is also not currently possible. If Denial of Service via the attack path is a concern, then allow a cache of n-attempts and throw away any further input - based on manual testing, I think that's what may be occurring now (the cooldown doesn't block input, but only one further attempt seems to be allowed). |
No, I don’t think it’s worth making this configurable (see also https://faq.i3wm.org/question/778/why-is-patch-not-merged-and-made-optional for some considerations regarding offering options). I recommend you change this value locally and build from source. |
I'm submitting a…
Current Behavior
Currently, there is a hardcoded cooldown for invalid credentials of 3000ms, applied by i3lock (https://github.com/i3/i3lock/blob/main/i3lock.c#L321). Time-limited physical access to my host is not a realistic threat I face - either a hacker has no physical access, or they have it for an extended duration, not much in between.
My password is long and complex, I regularly make typos. As there is no ability to configure cool-down periods of an incorrect password but I can imagine scenarios where a user may want extended cooldown prior to the ability to reenter their password.
Instead of waiting 3+ seconds each typo, I'm currently thinking about reducing my password complexity but would prefer an option to reduce cooldown as other system aspects may be impacted by reduced complexity (ssh when password auth is enabled, for example).
Expected Behavior
Ability to configure cooldown.
Reproduction Instructions
Environment
Output of
i3lock --version
:The text was updated successfully, but these errors were encountered: