
Re: Credcheck- credcheck.max_auth_failure


On 12/11/24 09:57, Greg Sabino Mullane wrote:
On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <kenny020307@xxxxxxxxx> wrote:

    In the use of the Credcheck suite, the parameter
    "credcheck.max_auth_failure = '3'" is set in the postgresql.conf
    file to limit users from entering incorrect passwords more than
    three times, after which their account will be locked.


Won't that allow absolutely anyone to lock out anyone else, including admins/superusers? Sounds like a bad idea to me.

From what I see here:

https://github.com/hexacluster/credcheck

This extension only applies to password authentication.

To me that seems to allow for a backdoor using another authentication method.



    Due to certain requirements, I would like to ask if there is a way
    or feature to set this parameter differently for a specific user or
    role, so that it does not apply to them.


There is not, but there is always the credcheck.reset_superuser setting as an emergency measure. I'd keep the password complexity settings and not enable max_auth_failure at all, myself. Three strikes and you're out feels pretty draconian. Is there a particular threat model that is driving that?

Cheers,
Greg


--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
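Adrian's point above is that credcheck's failure counting only covers password authentication, so any pg_hba.conf rule that uses another method sits outside the lockout. The following Python script is an added example, not code from the thread or from the credcheck project: it parses a pg_hba.conf (a constructed sample is embedded) and reports every rule whose method is not password-based, so an administrator can see which connection paths max_auth_failure would never count. The set of methods treated as "password authentication" (password, md5, scram-sha-256) is an assumption made for this example, as are the sample rules.

```python
"""Audit pg_hba.conf for rules that password-failure lockouts cannot see.

Added example (not from the mailing-list thread or the credcheck project).
Rules using trust, peer, ident, cert, gss, ... never produce a password
failure, so a per-user failure counter such as credcheck.max_auth_failure
does not apply to them. This script lists those rules for review.
"""
import re

# Assumption for this example: the pg_hba methods that count as
# "password authentication" (the only kind credcheck applies to).
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}

# IPv4 dotted-quad, used to detect the "IP-ADDRESS IP-MASK" two-field form.
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample pg_hba.conf content (not a real deployment).
SAMPLE_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     scram-sha-256
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             10.0.0.0/8              trust
hostssl all             app             0.0.0.0/0               cert clientcert=verify-full
host    all             all             ::1/128                 md5
"""


def parse_hba(text):
    """Return a list of rule dicts for each non-comment line of pg_hba.conf.

    Each dict has: lineno, type, database, user, address (None for
    'local'), method, options (list of trailing 'key=value' tokens).
    Malformed lines (too few fields) are skipped rather than guessed at.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            # local  DATABASE  USER  METHOD  [OPTIONS]
            if len(fields) < 4:
                continue
            address, method, options = None, fields[3], fields[4:]
        else:
            # host*  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
            # or     DATABASE  USER  IP-ADDRESS  IP-MASK  METHOD  [OPTIONS]
            if len(fields) < 5:
                continue
            if len(fields) >= 6 and _IPV4_RE.match(fields[4]):
                address = fields[3] + " " + fields[4]
                method, options = fields[5], fields[6:]
            else:
                address, method, options = fields[3], fields[4], fields[5:]
        rules.append({
            "lineno": lineno,
            "type": conn_type,
            "database": fields[1],
            "user": fields[2],
            "address": address,
            "method": method,
            "options": options,
        })
    return rules


def find_non_password_rules(text):
    """Return the rules whose auth method is outside PASSWORD_METHODS."""
    return [r for r in parse_hba(text) if r["method"] not in PASSWORD_METHODS]


def report(text):
    """Human-readable summary of the rules a password lockout would not cover."""
    lines = []
    for r in find_non_password_rules(text):
        where = r["address"] or "(unix socket)"
        lines.append(f"line {r['lineno']}: {r['type']} db={r['database']} "
                     f"user={r['user']} from={where} method={r['method']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HBA))
```

Run against a real file with `report(open("/path/to/pg_hba.conf").read())`. Any `trust` line in the output deserves the most attention, since it needs no credential at all; `peer`, `cert` and `gss` rules are legitimate alternatives, but they are exactly the paths that a password-failure counter will never lock.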