With an expired user account, an attempt to log in remotely with the wrong
password results in a 3 second delay followed by:
Access denied.

If the correct password is entered, there is no delay before 
presenting the message:
Access denied.

An attacker could measure the time between rejections with an attack 
tool and determine the user's password.



Version-Release number of selected component (if applicable):
3.9p1 
8.RHEL4.15 

How reproducible:
Always

Steps to Reproduce:
1. From remote machine, attempt remote login to server with an expired account.
 Alternately, ssh localhost.
2. Enter bogus password - view error after 3 seconds.
3. Enter correct password - view error immediately with no delay.

    
Actual Results:  no delay presented when correct password is entered

Expected Results:  3 second delay before presenting "Access denied."


Additional info:
May be related to bug 141642 and 146882


Supporting log entries:
/var/log/messages
Aug 29 12:02:11 dbabb3 sshd(pam_unix)[3005]: account gtoft has expired (failed
to change password)

/var/log/secure
Aug 29 19:20:57 dbabb3 sshd[4677]: Failed password for gtoft from
::ffff:192.168.114.1 port 3440 ssh2
Aug 29 12:20:57 dbabb3 sshd[4597]: Failed password for gtoft from
::ffff:192.168.114.1 port 3440 ssh2
Aug 29 19:20:59 dbabb3 sshd[4677]: Failed password for gtoft from
::ffff:192.168.114.1 port 3440 ssh2
Aug 29 12:20:59 dbabb3 sshd[4597]: Failed password for gtoft from
::ffff:192.168.114.1 port 3440 ssh2
Note:
1.  Timing in above shows less than 3 seconds elapse between password entries
2.  There are 2 different times for the same event, 7 hours apart (system is in
GMT-7 America/Phoenix timezone)

User entry from /etc/shadow (password hash mangled):
gtoft:$1$jvmsof8HIN60h28HX$1/9YkyzdSxbe.:13615:7:90:28:7::