What is the `sshd_config` parameter to set the time between password prompts?

If I attempt a logon with bad credentials to an sshd server, I am greeted with Access denied after about a 2 second pause.

Is there a way to increase the time it takes to return the password entry prompt?

Note that I already have LoginGraceTime set to a value of 20s.

Solution 1:

This can be controlled with the pam_faildelay.so PAM module (man).

Under RHEL 6, the following file applies to sshd:

/etc/pam.d/sshd:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       optional     pam_faildelay.so delay=[N time in microseconds]
auth       include      password-auth


account    required     pam_nologin.so
account    include      password-auth

password   include      password-auth

# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

If you don't want to set the delay within the pam module config you can set it in:

/etc/login.defs:

 FAIL_DELAY    [N time in seconds]

Note that, oddly, FAIL_DELAY accepts the time in seconds.

To apply this to console logins, modify /etc/pam.d/password-auth and/or /etc/pam.d/system-auth. Also note, you must include the pam_faildelay.so line BEFORE any other auth lines (particularly pam_unix.so).