On Wed, Sep 5, 2018 at 3:09 PM, Tim Cross <theophilusx@xxxxxxxxx> wrote:
> Stephen Frost <sfrost@xxxxxxxxxxx> writes:
> Greetings,
>
> * Tom Lane (tgl@xxxxxxxxxxxxx) wrote:
>> Praneel Devisetty <devisettypraneel@xxxxxxxxx> writes:
>> > We have a requirement , where we require a user to get locked after three
>> > wrong login attempts.
>>
>> The usual recommendation is to configure Postgres to use PAM
>> authentication; then you can set up any weird requirements like
>> this one in the PAM configuration.
>
> Unfortunately, it's a pain to set up PAM and there's a lot of things in
> the PAM stack which can't be used because PostgreSQL doesn't run as
> root. We should really have a better solution to this pretty commonly
> asked for capability; I'm hoping to find time soon to hack on that.
>
> Thanks!
>
> Stephen
> These days, I think the better solution is to have this functionality in
> a central system. Putting aside that it is an 'outdated' auditor
> requirement ...
To elaborate, you should explain to the auditor that this introduces a huge denial-of-service vulnerability into your system. Anyone can start hammering on everyone else's accounts, and with a fairly trivial script, lock the entire company out of all accounts. This is a terrible idea.
Craig
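To make the denial-of-service concern concrete, here is an added example (not code from the thread, and not PostgreSQL or PAM code) that models two policies as small state machines: the per-account lockout the auditor asked for, and a per-source throttle as one alternative. The event sequence, account name and addresses are constructed for the illustration (the addresses are RFC 5737 documentation ranges); `LockoutPolicy`, `SourceThrottlePolicy` and `run` are names chosen here, not any project's API.

```python
from collections import defaultdict

# Threshold taken from the thread's requirement: lock after three wrong attempts.
THRESHOLD = 3


class LockoutPolicy:
    """Per-account lockout: N consecutive failures lock the account for everyone,
    no matter where the failures came from (the policy discussed in the thread)."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked = set()

    def check(self, account, source, password_ok):
        if account in self.locked:
            return "locked"          # even the real owner is refused
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
        return "denied"


class SourceThrottlePolicy:
    """Per-source throttle (hypothetical alternative): N failures from one source
    address block that source, leaving the account usable from anywhere else."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)   # source -> failures

    def check(self, account, source, password_ok):
        if self.failures[source] >= self.threshold:
            return "throttled"       # only the noisy source is refused
        if password_ok:
            return "ok"
        self.failures[source] += 1
        return "denied"


# Constructed sequence of login events: three wrong guesses against alice's
# account from one address, then alice herself logging in correctly from her
# own address, then one more wrong guess from the first address.
EVENTS = [
    ("alice", "203.0.113.7", False),
    ("alice", "203.0.113.7", False),
    ("alice", "203.0.113.7", False),
    ("alice", "198.51.100.20", True),
    ("alice", "203.0.113.7", False),
]


def run(policy, events=EVENTS):
    """Feed the events through a policy and return the decision for each one."""
    return [policy.check(account, source, ok) for account, source, ok in events]


if __name__ == "__main__":
    print("lockout :", run(LockoutPolicy()))
    print("throttle:", run(SourceThrottlePolicy()))
```

Under the lockout policy the fourth event, alice's own correct login, is refused, which is the outage Craig describes; under the per-source throttle it succeeds and only the source producing the failures is refused. The throttle is itself a simplification (shared NAT, many sources), so it illustrates the trade-off rather than a complete design.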