On 12/11/24 09:57, Greg Sabino Mullane wrote:
On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <kenny020307@xxxxxxxxx
<mailto:kenny020307@xxxxxxxxx>> wrote:
In the use of the Credcheck suite, the parameter
"credcheck.max_auth_failure = '3'" is set in the postgresql.conf
file to limit users from entering incorrect passwords more than
three times, after which their account will be locked.
Won't that allow absolutely anyone to lock out anyone else, including
admins/superusers? Sounds like a bad idea to me.
From what I see here:
https://github.com/hexacluster/credcheck
This extension only applies to password authentication.
To me that seems to allow for a backdoor using another authentication
method.
Due to certain requirements, I would like to ask if there is a way
or feature to set this parameter differently for a specific user or
role, so that it does not apply to them.
There is not, but there is always the credcheck.reset_superuser setting
as an emergency measure. I'd keep the password complexity settings and
not enable max_auth_failure at all, myself. Three strikes and you're out
feels pretty draconian. Is there a particular threat model that is
driving that?
Cheers,
Greg
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx