On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <kenny020307@xxxxxxxxx> wrote:
In the use of the Credcheck suite, the parameter "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to limit users from entering incorrect passwords more than three times, after which their account will be locked.
Won't that allow absolutely anyone to lock out anyone else, including admins/superusers? Sounds like a bad idea to me.
Due to certain requirements, I would like to ask if there is a way or feature to set this parameter differently for a specific user or role, so that it does not apply to them.
There is not, but there is always the credcheck.reset_superuser setting as an emergency measure. I'd keep the password complexity settings and not enable max_auth_failure at all, myself. Three strikes and you're out feels pretty draconian. Is there a particular threat model that is driving that?
Cheers,
Greg