path: root/doc/man/pam_fail_delay.3
Diffstat (limited to 'doc/man/pam_fail_delay.3')
1 files changed, 26 insertions, 10 deletions
diff --git a/doc/man/pam_fail_delay.3 b/doc/man/pam_fail_delay.3
index 5df942b1..df93e1bf 100644
--- a/doc/man/pam_fail_delay.3
+++ b/doc/man/pam_fail_delay.3
@@ -1,8 +1,11 @@
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "PAM_FAIL_DELAY" "3" "05/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" Title: pam_fail_delay
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <>
+.\" Date: 06/02/2006
+.\" Manual: Linux\-PAM Manual
+.\" Source: Linux\-PAM Manual
+.TH "PAM_FAIL_DELAY" "3" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.\" disable justification (adjust text to left margin only)
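Review bot: The new header comment block drops the "do not edit this file directly" warning without an equivalent, and it ships empty fields: the `Author:` comment has no value and the Generator line ends in an empty `<>`. The file is still produced by the DocBook XSL Stylesheets, so keep a one-line notice that it is generated from the DocBook XML source, and either fill in or suppress the empty fields so later contributors do not hand-edit the output.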
@@ -10,10 +13,14 @@
pam_fail_delay \- request a delay on failure
-\fB#include <security/pam_appl.h>\fR
+.ft B
+#include <security/pam_appl.h>
.HP 19
-\fBint\ \fBpam_fail_delay\fR\fR\fB(\fR\fBpam_handle_t\ *\fR\fB\fIpamh\fR\fR\fB, \fR\fBunsigned\ int\ \fR\fB\fIusec\fR\fR\fB);\fR
+.BI "int pam_fail_delay(pam_handle_t\ *" "pamh" ", unsigned\ int\ " "usec" ");"
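Review bot: The added `.ft B` before the `#include` line has no matching `.ft` reset visible in this hunk, so bold could carry into the `.HP 19` synopsis and the text after it. Confirm that the regenerated page restores the previous font right after the include line. The single `.BI` request for the prototype is easier to read than the nested `\fB...\fR` escapes it replaces and needs no change.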
@@ -32,12 +39,14 @@ control is returned to the service application.
When using this function the application programmer should check if it is available with:
+.RS 3n
#endif /* PAM_FAIL_DELAY */
For applications written with a single thread that are event driven in nature, generating this delay may be undesirable. Instead, the application may want to register the delay in some other way. For example, in a single threaded server that serves multiple authentication requests from a single event loop, the application might want to simply mark a given connection as blocked until an application timer expires. For this reason the delay function can be changed with the
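Review bot: The `.RS 3n` added ahead of the availability check opens an indent with no `.RE` visible in this hunk. If the matching `.RE` is missing after `#endif /* PAM_FAIL_DELAY */`, the paragraph starting "For applications written with a single thread" will render indented along with the code. Render the page and check that body text returns to the left margin after each code sample, including the other samples that gain `.RS 3n` in this patch.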
@@ -47,10 +56,12 @@ and
\fBpam_set_item \fR(3)
respectively. The value used to set it should be a function pointer of the following prototype:
+.RS 3n
void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
The arguments being the
@@ -78,32 +89,37 @@ To minimize the effectiveness of such attacks, it is desirable to introduce a ra
For example, a login application may require a failure delay of roughly 3 seconds. It will contain the following code:
+.RS 3n
pam_fail_delay (pamh, 3000000 /* micro\-seconds */ );
pam_authenticate (pamh, 0);
if the modules do not request a delay, the failure delay will be between 2.25 and 3.75 seconds.
However, the modules, invoked in the authentication process, may also request delays:
+.RS 3n
module #1: pam_fail_delay (pamh, 2000000);
module #2: pam_fail_delay (pamh, 4000000);
in this case, it is the largest requested value that is used to compute the actual failed delay: here between 3 and 5 seconds.
+.TP 3n
Delay was successful adjusted.
+.TP 3n
A NULL pointer was submitted as PAM handle.
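Review bot: In the login example, `pam_fail_delay (pamh, 3000000 ...)` and `pam_authenticate (pamh, 0)` are shown with their return values discarded, although the return-value list at the end of this hunk documents a failure case for a NULL PAM handle. Consider having the sample check the result of pam_fail_delay, since applications tend to copy man page snippets verbatim and a delay that was silently never set removes the failure delay this page describes. Also, "Delay was successful adjusted." should read "successfully adjusted"; fix that in the DocBook XML source rather than in the generated file.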