Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!mit-eddie!minya!jc
From: jc@minya.UUCP (John Chambers)
Newsgroups: comp.unix.wizards
Subject: Re: 60-second timeout in Unix login
Message-ID: <419@minya.UUCP>
Date: Sat, 28-Nov-87 16:40:44 EST
Article-I.D.: minya.419
Posted: Sat Nov 28 16:40:44 1987
Date-Received: Tue, 1-Dec-87 05:58:48 EST
References: <4139@venera.isi.edu> <2167@tut.cis.ohio-state.edu> <440@uni2.bcm.tmc.edu>
Organization: home
Lines: 19

In article <440@uni2.bcm.tmc.edu>, rick@svedberg.bcm.tmc.edu (Richard H. Miller) writes:
> Another approach to hacker frustration is to pause between prompts for 
> userid and as a user enters an unsuccessful userid/password, double the
> wait time. Thus as a person attempts to crack you system, it will take 
> longer and longer to have Unix prompt for the userid after a bad guess. 
> This is one of the methods that OS-1100 plans to implement for their B1
> security EXEC.

A couple years back, I worked on a system where the getty did this.  The
trouble was, the dial-in ports got quite a few random "characters" coming
in, which looked to getty like invalid attempts to log in, so it slowly
jacked up the delay.  When a real user connected, it took forever to get
any prompts.  I had to subvert this "feature" in order to alleviate the
users' frustration.  Eventually, I solved it better by installing my own
logger and doing away with getty, but that's another tale.  Without the
source, I probably would have been forced to replace getty right away.

-- 
John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)