[Pkg-shadow-devel] Bug#87648: Old proposed patches #2: 463_login_delay_obeys_to_PAM

[Christian Perrier]

The attached patch was written back in November for Debian bug #87648.

It allows for login to respect "nodelay" when the system uses PAM and
not unconditionnally follow FAIL_DELAY from login.defs.


So far, I haven't got feedback on it.

I intend to now apply it and close the relevant Debian bug (#87648),
no matter it's applied upstream or not. But, Tomasz, can you give us
an indication whether you think it's OK for you...

PS: I refreshed it against the current login sources

-------------- next part --------------
Goal: Do not hardcode pam_fail_delay and let pam_unix do its
      job to set a delay...or not

Fixes: #87648

Status wrt upstream: Forwarded but not applied yet

Index: shadow-4.0.14/src/login.c
===================================================================
--- shadow-4.0.14.orig/src/login.c	2006-01-10 18:33:22.538192396 +0100
+++ shadow-4.0.14/src/login.c	2006-01-10 18:36:25.989844860 +0100
@@ -591,10 +591,6 @@
 		PAM_FAIL_CHECK;
 		retcode = pam_set_item (pamh, PAM_TTY, tty);
 		PAM_FAIL_CHECK;
-#ifdef HAVE_PAM_FAIL_DELAY
-		retcode = pam_fail_delay (pamh, 1000000 * delay);
-		PAM_FAIL_CHECK;
-#endif
 		/* if fflg == 1, then the user has already been authenticated */
 		if (!fflg || (getuid () != 0)) {
 			int failcount = 0;
@@ -635,8 +631,6 @@
 			  failed = 0;
 
 			  failcount++;
-			  if (delay > 0)
-			    retcode = pam_fail_delay(pamh, 1000000*delay);
 
 			  retcode = pam_authenticate (pamh, 0);
 
@@ -936,8 +930,10 @@
 		 * to login the user again. If the earlier alarm occurs
 		 * before the sleep() below completes, login will exit.
 		 */
-		if (delay > 0)
-			sleep (delay);
+#ifndef USE_PAM
+ 		if (delay > 0)
+		   sleep (delay);
+#endif
 
 		puts (_("Login incorrect"));