Re: Credcheck- credcheck.max_auth_failure
| От | Adrian Klaver |
|---|---|
| Тема | Re: Credcheck- credcheck.max_auth_failure |
| Дата | |
| Msg-id | 680ca9f8-1382-4c61-9e8a-d2baf1793459@aklaver.com обсуждение исходный текст |
| Ответ на | Re: Credcheck- credcheck.max_auth_failure (Greg Sabino Mullane <htamfids@gmail.com>) |
| Список | pgsql-general |
On 12/11/24 09:57, Greg Sabino Mullane wrote: > On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <kenny020307@gmail.com > <mailto:kenny020307@gmail.com>> wrote: > > In the use of the Credcheck suite, the parameter > "credcheck.max_auth_failure = '3'" is set in the postgresql.conf > file to limit users from entering incorrect passwords more than > three times, after which their account will be locked. > > > Won't that allow absolutely anyone to lock out anyone else, including > admins/superusers? Sounds like a bad idea to me. From what I see here: https://github.com/hexacluster/credcheck This extension only applies to password authentication. To me that seems to allow for a backdoor using another authentication method. > > Due to certain requirements, I would like to ask if there is a way > or feature to set this parameter differently for a specific user or > role, so that it does not apply to them. > > > There is not, but there is always the credcheck.reset_superuser setting > as an emergency measure. I'd keep the password complexity settings and > not enable max_auth_failure at all, myself. Three strikes and you're out > feels pretty draconian. Is there a particular threat model that is > driving that? > > Cheers, > Greg > -- Adrian Klaver adrian.klaver@aklaver.com
В списке pgsql-general по дате отправления: