* Robert Haas (robertmhaas@gmail.com) wrote:
> On Fri, Jul 9, 2010 at 10:52 AM, Stephen Frost <sfrost@snowman.net> wrote:
> > Something else which has come up but is related is the ability to
> > support a "pam_tally"-like function in PG. Basically, the ability to
> > lock users out if they've had too many failed login attempts. I wonder
> > if we could add this hook (or maybe have more than one if necessary) in
> > a way to support a contrib module for that.
>
> Seems like the hard part would be figuring out where to store the
> bookkeeping information.
pam_tally does it in a flat file on-disk. It's not perfect, but it
works. It'd be good enough for me if there was a hook in the right
place that I could write the contrib module.
Of course, it'd be even nicer to have support for this in-core, since
it's a FISMA requirement and not everyone is going to like having to
install a contrib module to handle something like this. Of course, so
is stuff like remembering old passwords, password aging, etc... I do
really wish there was a way PAM could be used by applications
*independently* of the system auth (eg: /etc/passwd) to handle all of
this. If anyone's aware of a way, I'm all ears..
Thanks,
Stephen