On 2024-12-16 18:32:34 +0800, 張宸瑋 wrote:
> We have both regular accounts and system accounts. For regular accounts, we
> still require password complexity and the lockout functionality after multiple
> failed login attempts. However, for system accounts, due to information
> security regulations, password complexity is also required. The issue is that
> system accounts are used for system integration, and if the account gets
> locked, it may affect system services, which could lead to problems. To prevent
> this, we would like to exclude system accounts from being affected by the
> credcheck.max_auth_failure parameter.

Just in case it wasn't clear: My recommendation is to NOT use the
credcheck.max_auth_failure parameter for ANY account. It just causes
problems and doesn't really help. If you can't trust your users to
choose sufficiently strong passwords, use a second factor. Or maybe
replace passwords with some other method (public keys, FIDO, ...)
altogether (in fact, I'd do that for system accounts).

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@xxxxxx         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"