[Dovecot] Issues with authentication failure delays

Kevin Goodsell kevingoodsell.lists at gmail.com
Sun May 8 20:30:33 EEST 2011


There are two rather clear issues with the state of authentication
failure delays. First, the delay length isn't what was (presumably)
intended. Second, there is a new way of doing failure delays in Dovecot
2 which was added *in addition to* the old method, rather than replacing
it. As a result, delays may not be the expected length and settings don't
have the expected effect.

First, the length of the failure delays. Based on auth/auth-penalty.c
and auth/auth-penalty.h, it seems rather clear that the delay time (for
the newer type of failure delay) was intended to start at 2 seconds and
double for each failure (see auth_penalty_to_secs), but be capped at 15
seconds. However, a simple test which tries to log in 5 times with a
random password and times each attempt shows something different:

  $ cat authtest.py
  import imaplib
  import time
  import random

  # Five login attempts with random (wrong) passwords against the local
  # IMAP server; each attempt is timed so the failure delay can be read off.
  conn = imaplib.IMAP4('localhost')
  for i in range(5):
      try:
          start = time.time()
          conn.login('testusers', str(random.random()))
      except Exception, e:
          # imaplib raises on a NO response: print the server's message and
          # how long the attempt took (Python 2 syntax, as originally run)
          print e
          print time.time() - start

  $ python authtest.py
  [AUTHENTICATIONFAILED] Authentication failed.
  0.502058982849
  [AUTHENTICATIONFAILED] Authentication failed.
  4.50464391708
  [AUTHENTICATIONFAILED] Authentication failed.
  8.50679802895
  [AUTHENTICATIONFAILED] Authentication failed.
  15.5040819645
  [AUTHENTICATIONFAILED] Authentication failed.
  15.5039038658

(Note that these results are with auth_failure_delay set to 0, more on
that in a bit.) Aside from the extra half second on each attempt (which
I have no clue about), there is no delay on the first attempt.
Subsequent delays seem to have the correct timing. I *think* this is
because auth_penalty_lookup is called from
auth_request_handler_auth_begin, that is, at the *beginning* of an
authentication attempt, therefore not affecting the first failed
attempt.

This may be too minor an issue to worry much about, but it certainly
looks to me like it's not doing quite what was intended.

Moving on to the second issue. Revision fbff8ca77d2e added a new style
of authentication failure delay, but left the existing failure delay
mechanism in place. The old failure delay uses the auth_failure_delay
setting, and could be disabled by using a value of 0 for that setting.
Its remnants are in auth/auth-request-handler.c in the function
auth_request_handler_flush_failures. It looks like much of the code in
that file could be removed or simplified by eliminating this older
failure delay system.

Better still, I would like to see the auth_failure_delay setting
retained and used in the new system. The value of the setting could be
used in place of AUTH_PENALTY_INIT_SECS, allowing similar
configurability to what the old system offered.

-Kevin
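The delay schedule described above (initial 2 seconds, doubling per failure, capped at 15), the begin-of-attempt lookup that leaves the first failure undelayed, and the proposal to feed auth_failure_delay in place of AUTH_PENALTY_INIT_SECS, as a small added model. This is example code written for this page, not Dovecot's own auth-penalty.c; the rule that a penalty counter of 0 produces no delay at all is an assumption inferred from the measured timings in the post, and the measured values are copied from the authtest.py run shown above.

```python
"""Model of the Dovecot 2 auth-penalty delay schedule described in the post.

Constants mirror the post: initial delay 2 s (AUTH_PENALTY_INIT_SECS),
doubling per recorded failure, capped at 15 s. The rule that a penalty of 0
yields no delay at all is an assumption inferred from the measured timings,
not something the post states explicitly.
"""

AUTH_PENALTY_INIT_SECS = 2   # initial delay named in the post
AUTH_PENALTY_MAX_SECS = 15   # cap named in the post


def penalty_to_secs(penalty, init_secs=AUTH_PENALTY_INIT_SECS,
                    max_secs=AUTH_PENALTY_MAX_SECS):
    """Delay for a failure count: init_secs doubled `penalty` times, capped.

    `init_secs` is a parameter so the post's proposal (use the
    auth_failure_delay setting in place of AUTH_PENALTY_INIT_SECS) can be
    tried without changing the schedule's shape.
    """
    secs = init_secs
    for _ in range(penalty):
        secs *= 2
    return min(secs, max_secs)


def simulate_failures(attempts, lookup_at_begin=True,
                      init_secs=AUTH_PENALTY_INIT_SECS):
    """Nominal delay (seconds) a client sees on each of `attempts`
    consecutive failed logins sharing one penalty counter.

    lookup_at_begin=True models what the post describes: the penalty is
    looked up when the attempt begins, so the first attempt sees a counter
    of 0 and (assumption) no delay. lookup_at_begin=False models applying
    the delay after the failure is recorded, which would give the 2 s first
    delay the post's author expected.
    """
    penalty = 0
    delays = []
    for _ in range(attempts):
        if lookup_at_begin:
            delay = penalty_to_secs(penalty, init_secs) if penalty > 0 else 0
            penalty += 1            # every attempt fails in this model
        else:
            penalty += 1
            delay = penalty_to_secs(penalty - 1, init_secs)
        delays.append(delay)
    return delays


# Attempt durations in seconds, copied from the authtest.py output in the post.
MEASURED_FROM_POST = [0.502058982849, 4.50464391708, 8.50679802895,
                      15.5040819645, 15.5039038658]


def overhead(measured, nominal):
    """Measured duration minus nominal delay, per attempt, to one decimal.

    A constant positive residual is the unexplained extra half second the
    post mentions; it is the same on every attempt, so it is not part of
    the doubling schedule.
    """
    return [round(m - n, 1) for m, n in zip(measured, nominal)]


if __name__ == "__main__":
    nominal = simulate_failures(5)
    print("nominal, lookup at begin:   ", nominal)
    print("nominal, delay after failure:", simulate_failures(5, lookup_at_begin=False))
    print("measured minus nominal:      ", overhead(MEASURED_FROM_POST, nominal))
    print("auth_failure_delay=1 as init:", simulate_failures(5, init_secs=1))
```

Running the block prints [0, 4, 8, 15, 15] for the begin-of-attempt lookup, which matches the post's measurements once the constant 0.5 s residual is subtracted, against [2, 4, 8, 15, 15] for an after-failure delay; the last line shows how the schedule shifts when a configured initial value replaces the constant.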
