Hi,

I would like to have the pause after a failed login configurable. There are a few "sleep(3)" in the codebase (2.2 - 2.4) which I would like to replace with a configurable timeout.

The reasoning for this is twofold.

1. Our password backend (eDirectory with pam_ldap) can be configured to pause and throttle login attempts itself, so there is no need for imapd to do it.
2. We want to use Cyrus imapd with CAS in a single sign-on environment. We are using Horde with an imap-proxy as a frontend to our IMAP server. We have a "bug" in the login process which makes about three failing login attempts against the IMAP server. Since the pause in imapd is not configurable, this leads to a nine-second delay, which is not really nice.

The attached patch (for imapd-2.2.12) makes the pause configurable while maintaining the three seconds delay as default. I only changed the "sleep(3)" calls in imapd.c and proxyd.c as we are not using pop3 and lmtp is not used directly through horde.

Should I create a bugzilla entry for this feature request?

Bye
 Felix
diff -ur cyrus-imapd-2.2.12-orig/imap/imapd.c cyrus-imapd-2.2.12/imap/imapd.c
--- cyrus-imapd-2.2.12-orig/imap/imapd.c        2011-01-05 12:28:15.000000000 +0100
+++ cyrus-imapd-2.2.12/imap/imapd.c     2011-01-06 09:44:58.000000000 +0100
@@ -1705,6 +1705,7 @@
     char *passwd;
     const char *reply = NULL;
     int plaintextloginpause;
+    int failedloginpause;
     int r;
     
     if (imapd_userid) {
@@ -1776,7 +1777,10 @@
        syslog(LOG_NOTICE, "badlogin: %s plaintext %s %s",
               imapd_clienthost, canon_user, sasl_errdetail(imapd_saslconn));
 
-       sleep(3);
+       failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+        if (failedloginpause != 0) {
+           sleep(failedloginpause);
+       }
 
        if ((reply = sasl_errstring(r, NULL, NULL)) != NULL) {
            prot_printf(imapd_out, "%s NO Login failed: %s\r\n", tag, reply);
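Review bot: A negative `failedloginpause` in the configuration passes the `!= 0` test here and, because `sleep()` takes an unsigned argument, is converted to a very large delay, so a typo in imapd.conf would leave the process hanging after every bad login instead of pausing briefly. The guard should be `if (failedloginpause > 0) {`, and the same applies to the other three places where the patch adds this check (the SASL failure path in imapd.c and both failure paths in proxyd.c). An upper clamp may also be worth considering, since each sleeping process keeps a connection slot occupied for the whole pause. The enclosing function starts and ends outside this hunk.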
@@ -1866,6 +1870,8 @@
 
     int r;
 
+    int failedloginpause;
+
     r = saslserver(imapd_saslconn, authtype, resp, "", "+ ", "",
                   imapd_in, imapd_out, &sasl_result, NULL);
 
@@ -1894,7 +1900,11 @@
            snmp_increment_args(AUTHENTICATION_NO, 1,
                                VARIABLE_AUTH, 0, /* hash_simple(authtype) */ 
                                VARIABLE_LISTEND);
-           sleep(3);
+
+           failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+            if (failedloginpause != 0) {
+               sleep(failedloginpause);
+           }
 
            if (errorstring) {
                prot_printf(imapd_out, "%s NO %s\r\n", tag, errorstring);
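Review bot: The lookup-then-sleep sequence added here is the fourth copy of the same lines in this patch, each with its own `failedloginpause` local. Putting it in one small static helper per file (or a shared one) would keep the validation of the configured value in a single place, so a later fix to the bounds cannot miss one of the authentication paths. It would also remove the added declarations and the mixed tab/space indentation on the `if` line. The enclosing function continues outside the hunk.

```c
/* Pause after a failed authentication; zero or a negative value disables it. */
static void failed_login_pause(void)
{
    int secs = config_getint(IMAPOPT_FAILEDLOGINPAUSE);

    if (secs > 0) sleep((unsigned int)secs);
}

/* … unchanged: snmp_increment_args(AUTHENTICATION_NO, …) … */
failed_login_pause();
```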
diff -ur cyrus-imapd-2.2.12-orig/imap/proxyd.c cyrus-imapd-2.2.12/imap/proxyd.c
--- cyrus-imapd-2.2.12-orig/imap/proxyd.c       2011-01-05 12:28:15.000000000 +0100
+++ cyrus-imapd-2.2.12/imap/proxyd.c    2011-01-06 09:45:13.000000000 +0100
@@ -2163,6 +2163,7 @@
     char *passwd;
     char *reply = 0;
     int plaintextloginpause;
+    int failedloginpause;
     int r;
 
     if (proxyd_userid) {
@@ -2242,8 +2243,12 @@
                   proxyd_clienthost, canon_user, reply);
        }
        /* Apply penalty only if not under layer */
-       if (proxyd_starttls_done == 0)
-           sleep(3);
+       if (proxyd_starttls_done == 0) {
+           failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+           if (failedloginpause != 0) {
+               sleep(failedloginpause);
+           }
+       }
        if (errorstring) {
            prot_printf(proxyd_out, "%s NO Login failed: %s\r\n", 
                        tag, errorstring);
@@ -2308,6 +2313,7 @@
     char *ssfmsg=NULL;
 
     int r;
+    int failedloginpause;
 
     r = saslserver(proxyd_saslconn, authtype, resp, "", "+ ", "",
                   proxyd_in, proxyd_out, &sasl_result, NULL);
@@ -2337,7 +2343,10 @@
            snmp_increment_args(AUTHENTICATION_NO, 1,
                                VARIABLE_AUTH, 0, /* hash_simple(authtype) */ 
                                VARIABLE_LISTEND);
-           sleep(3);
+           failedloginpause = config_getint(IMAPOPT_FAILEDLOGINPAUSE);
+           if (failedloginpause != 0) {
+               sleep(failedloginpause);
+           }
 
            if (errorstring) {
                prot_printf(proxyd_out, "%s NO %s\r\n", tag, errorstring);
diff -ur cyrus-imapd-2.2.12-orig/lib/imapoptions cyrus-imapd-2.2.12/lib/imapoptions
--- cyrus-imapd-2.2.12-orig/lib/imapoptions     2011-01-05 12:28:15.000000000 +0100
+++ cyrus-imapd-2.2.12/lib/imapoptions  2011-01-06 09:44:00.000000000 +0100
@@ -202,6 +202,9 @@
    as having already been delivered to the mailbox.  Records the mailbox
    and message-id/resent-message-id of all successful deliveries. */
 
+{ "failedloginpause", 3, INT }
+/* Number of seconds to pause after a failed login. */
+
 { "foolstupidclients", 0, SWITCH }
 /* If enabled, only list the personal namespace when a LIST "*" is performed.
    (it changes the request to a LIST "INBOX*" */
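Review bot: The option text does not say that 0 disables the pause, nor which daemons honour the setting. In this patch only imapd.c and proxyd.c read it (the description says the other `sleep(3)` calls are left alone), and proxyd's LOGIN path skips the pause entirely once STARTTLS is done. Since this delay is the server's own brake on password guessing, the comment should make the trade-off visible to whoever edits imapd.conf: `/* Number of seconds imapd and proxyd pause after a failed login; 0 disables the pause. Set 0 only if the authentication backend itself throttles or locks out repeated failures. */`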