Stephen Frost <sfrost@xxxxxxxxxxx> writes:
> Greetings,
>
> * Tom Lane (tgl@xxxxxxxxxxxxx) wrote:
>> Praneel Devisetty <devisettypraneel@xxxxxxxxx> writes:
>> > We have a requirement, where we require a user to get locked after three
>> > wrong login attempts.
>>
>> The usual recommendation is to configure Postgres to use PAM
>> authentication; then you can set up any weird requirements like
>> this one in the PAM configuration.
>
> Unfortunately, it's a pain to set up PAM and there's a lot of things in
> the PAM stack which can't be used because PostgreSQL doesn't run as
> root. We should really have a better solution to this pretty commonly
> asked for capability; I'm hoping to find time soon to hack on that.
>
> Thanks!
>
> Stephen

These days, I think the better solution is to have this functionality in a central system. Putting aside that it is an 'outdated' auditor requirement, what the auditor really wants to see is that access to ALL systems is locked after 3 failed authentication attempts (for a period, e.g. 5 minutes). Having a centralised system also has the benefit of 'same login', so your users have the same username and password across all services in the organisation and 1 central and consistent place for password management. I would suggest looking at what can be achieved with OpenLDAP and/or Active Directory/Kerberos.

Note that the tricky part with this approach in the era of multiple devices is getting the parameters tweaked correctly. It is not as easy as just saying 'after 3 failed logins, lock the account'. You need to consider what happens when someone changes their password and has multiple devices logged into different services (e.g. mail). As soon as the password has changed, some of these devices will begin to fail and this will happen before the user can open each device and change the password.

If the policy is too restrictive, by the time they do this, their account is locked and they cannot change the password - now they are caught in a vicious cycle. Most lockout mechanisms have parameters you can set to avoid this issue.

Tim

-- 
Tim Cross
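As an added illustration of the stale-device problem described in the message above (not code from the thread or from any directory product), the following model replays the scenario against two lockout policies. The tunable names follow the OpenLDAP ppolicy overlay attributes (pwdMaxFailure, pwdLockoutDuration, pwdFailureCountInterval); the timings and the `stale_device_scenario` helper are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LockoutPolicy:
    max_failure: int = 3              # pwdMaxFailure: failures before lockout
    lockout_duration: int = 300       # pwdLockoutDuration (s); 0 = locked until admin unlocks
    failure_count_interval: int = 0   # pwdFailureCountInterval (s); 0 = failures never expire

@dataclass
class Account:
    password: str
    failures: List[int] = field(default_factory=list)  # timestamps of counted failures
    locked_at: Optional[int] = None

def is_locked(acct: Account, policy: LockoutPolicy, now: int) -> bool:
    """Report lock state, clearing an expired lock when the policy allows it."""
    if acct.locked_at is None:
        return False
    if policy.lockout_duration and now - acct.locked_at >= policy.lockout_duration:
        acct.locked_at = None
        acct.failures.clear()
        return False
    return True

def bind(acct: Account, policy: LockoutPolicy, password: str, now: int) -> str:
    """Simulate one authentication attempt: 'ok', 'bad-password' or 'locked'."""
    if is_locked(acct, policy, now):
        return "locked"
    if password == acct.password:
        acct.failures.clear()
        return "ok"
    if policy.failure_count_interval:   # only count failures inside the window
        acct.failures = [t for t in acct.failures
                         if now - t < policy.failure_count_interval]
    acct.failures.append(now)
    if len(acct.failures) >= policy.max_failure:
        acct.locked_at = now
        return "locked"
    return "bad-password"

def stale_device_scenario(policy: LockoutPolicy):
    """Constructed timeline: password changed at t=0, three devices retry the
    old one at t=10/30/50, the user tries the new password at t=120 and t=400."""
    acct = Account(password="new-pw")
    for t in (10, 30, 50):
        bind(acct, policy, "old-pw", t)
    return bind(acct, policy, "new-pw", 120), bind(acct, policy, "new-pw", 400)
```

With `lockout_duration=0` the user stays locked out by their own devices; with the 5 minute duration the second attempt succeeds once the lock expires.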