Buchan Milne wrote:
The UNIX shell (well actually, the login binary on my UNIX clone OS, which uses PAM) doesn't introduce a delay for a bad password, but under any circumstance where the credentials supplied are incorrect.
Implementing it only for when the password is incorrect is typically discouraged by security researchers, as this is information disclosure (which could assist an attacker in gathering information for performing an attack). For example, a few years back, OpenSSH specifically added a patch to ensure that when OpenSSH authenticated via PAM, that the delay would be exactly the same whether the user existed or not.
Now, if you really want to introduce a long delay when any bind fails, I think you will experience problems.
I think maybe the UNIX shell example was a bad one. I'm an ISP admin, and what I'd like to do is make our LDAP server another ISP service. Today most, if not all, of our ISP services introduce a delay when incorrect *credentials* are supplied (point taken).
For example, all of these services introduce a delay when there's a bad username/password submitted:
POP3 (cyrus) IMAP (cyrus) SMTP (postfix) ftp (vsftp) ssh/scp/sftp
Even in the case where I'm authenticating via SASL (IMAP), I get a delay when I submit incorrect credentials:
neo:~# time echo "a01 logout" | imtest -m DIGEST-MD5 -a baduser -w badpass neo.olp.net <cut> Authentication failed. generic failure Security strength factor: 128 C: Q01 LOGOUT * BYE LOGOUT received a01 OK Completed Connection closed.
real 0m3.154s user 0m0.008s sys 0m0.004s
I do understand there's a difference between protocols, and what effect delays would have for different services, but I'm prepared to accept the performance penalties associated with adding a delay as long as its reasonable.
IMHO, you should rather ensure that entering the incorrect password more than a specified number of times results in the account being locked out. If your SASL mechanism can't do this, take that to their list.
I don't agree that this is a SASL (cyrus) specific issue, since some other services have implemented a delay. I still need to check out the retcode plugin.
Although It'd be interesting if cyrus sasl had some kind of plugin (like canonuser) that could be used to insert some logic during each and every login attempt. I have delays with my pop3/imap/smtp services for incorrect credentials, but I'd love to have a more configurable password policy.
- Dan