On Tuesday 19 April 2005 22:37, Bruno Wolff III sent smoke signals:
> On Tue, Apr 19, 2005 at 17:00:15 +0200,
> Wim Bertels <wim.bertels@xxxxxxxxxxx> wrote:
> > > Can't people use PAM to get this effect if they want it?
> >
> > what if u use pam with ldap, then u can use pg brute force cracking to
> > obtain the ldap password, which is probably a bigger problem
>
> You don't have to use it with LDAP. It does provide some password controls,
> that should slow things down a little. However, you are going to have a
> tough time preventing password guessing without making denial of service
> attacks easy.

anyway, it makes sense to use ldap if one has several services over different machines,..

> > > For most people password guessing isn't going to be a big problem as
> > > the database won't be accessible from totally untrusted places and
> > > watching the log files for guessing will probably be a good enough
> > > solution.
> >
> > what if u do want the database to be globally accessible..
>
> Then you have a much more difficult situation. One option is to bind
> user names to specific allowed IP addresses.

not an option, due to user requirements

not an easy problem: it always seems to end up in DoS vs Brute Force Cracking.

So the only good and simple solution i can think of: use the best possible password encryption (or sufficient, a statistically zero chance when trying as much connections -to brute force crack the password- as possible for a significant amount of time.)

--
Wim Bertels
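Added example, not from the thread: the "watch the log files" approach from the quoted reply, written so that failed PostgreSQL password logins are counted per source host rather than per user name, which lets a guesser be throttled without handing anyone an account-lockout denial of service. It assumes a server configured with log_line_prefix = '%t [%p] %h ' (an assumption, not stated in the thread) and uses constructed log lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumes log_line_prefix = '%t [%p] %h ' so each line carries time, pid and client host.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>\S+) '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'
)

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = """\
2005-04-19 22:40:01 CEST [1201] 10.0.0.7 FATAL:  password authentication failed for user "wim"
2005-04-19 22:40:02 CEST [1202] 10.0.0.7 FATAL:  password authentication failed for user "wim"
2005-04-19 22:40:02 CEST [1203] 10.0.0.7 FATAL:  password authentication failed for user "postgres"
2005-04-19 22:40:03 CEST [1204] 10.0.0.7 FATAL:  password authentication failed for user "admin"
2005-04-19 22:40:04 CEST [1205] 10.0.0.7 FATAL:  password authentication failed for user "wim"
2005-04-19 22:41:10 CEST [1210] 192.168.1.5 FATAL:  password authentication failed for user "wim"
2005-04-19 22:41:11 CEST [1211] 192.168.1.5 LOG:  connection authorized: user=wim database=test
2005-04-19 23:30:00 CEST [1300] 192.168.1.5 FATAL:  password authentication failed for user "wim"
"""

def parse_failures(text):
    """Yield (timestamp, host, user) for every failed password login in the log."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
            yield ts, m.group('host'), m.group('user')

def hosts_to_throttle(text, threshold=4, window=timedelta(minutes=5)):
    """Return {host: distinct user names tried} for hosts with >= threshold
    failures inside a sliding time window. Keying on the source host rather
    than the user name means a guesser only slows itself down: it cannot lock
    a legitimate user out by hammering that user's name, which is the DoS side
    of the trade-off discussed above. A user who mistypes once (192.168.1.5 in
    the sample) is never flagged."""
    recent = defaultdict(deque)   # host -> timestamps of failures still in the window
    users = defaultdict(set)      # host -> user names that host has tried
    flagged = {}
    for ts, host, user in parse_failures(text):
        q = recent[host]
        q.append(ts)
        users[host].add(user)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = len(users[host])
    return flagged
```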