> Greetings,
>
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> Praneel Devisetty <devisettypraneel@gmail.com> writes:
>> > We have a requirement, where we require a user to get locked after three
>> > wrong login attempts.
>>
>> The usual recommendation is to configure Postgres to use PAM
>> authentication; then you can set up any weird requirements like
>> this one in the PAM configuration.
>
> Unfortunately, it's a pain to set up PAM and there's a lot of things in
> the PAM stack which can't be used because PostgreSQL doesn't run as
> root. We should really have a better solution to this pretty commonly
> asked for capability; I'm hoping to find time soon to hack on that.
>
> Thanks!
>
> Stephen
These days, I think the better solution is to have this functionality in a central system. Putting aside that it is an 'outdated' auditor requirement ...
To elaborate, you should explain to the auditor that this introduces a huge denial-of-service vulnerability into your system. Anyone can start hammering on everyone else's accounts, and with a fairly trivial script, lock the entire company out of all accounts. This is a terrible idea.