PAM Module Patch and Feature

Frank Cusack fcusack at
Sat Mar 24 00:23:41 CET 2007

On March 23, 2007 4:37:42 PM -0600 David Mitchell <mitchell at> wrote:
> Frank Cusack wrote:
>> On March 22, 2007 4:27:44 PM -0600 David Mitchell <mitchell at>
>> wrote:
>>> I think I figured out the source for the 'odd' behavior I was seeing. In
>>> a nutshell, my timeout on the PAM module side was shorter than the delay
>>> imposed by the freeradius server for bad passwords. I need to play
>>> around more and find out what a 'safe' value is. Do you happen to know
>>> where in the freeradius/otpd/lsmd chain the bad password delay is being
>>> imposed? I can probably find it, but I'm guessing that you know.
>> The radiusd.conf 'reject_delay' option.  I always set this to 0.
> Here's the really weird part. If I set reject_delay to 0, it works just
> like I expect. But if I set it to some value like 1, which is the
> default, it delays for about 30 seconds.

That sounds suspicously like the cleanup delay kicking in.

> Unless I run radiusd with -X to
> see what's going on in which case it works as expected with a one second
> delay. I'll keep digging into the cause to see if it's something in my
> build or what.
> It seems like if this was a common bug it would be reported by now, but
> I did a quick search for reject_delay in the bug database and didn't
> find anything. I'll see if I can figure it out.

That would be awesome.

It's possible that the reject_delay only recently broke.


More information about the Freeradius-Devel mailing list