Search Postgresql Archives

Re: Credcheck- credcheck.max_auth_failure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2024-12-16 18:32:34 +0800, 張宸瑋 wrote:
> We have both regular accounts and system accounts. For regular accounts, we
> still require password complexity and the lockout functionality after multiple
> failed login attempts. However, for system accounts, due to information
> security regulations, password complexity is also required. The issue is that
> system accounts are used for system integration, and if the account gets
> locked, it may affect system services, which could lead to problems. To prevent
> this, we would like to exclude system accounts from being affected by the
> credcheck.max_auth_failure parameter.

Just in case it wasn't clear: My recommendation is to NOT use the
credcheck.max_auth_failure parameter for ANY account. It just causes
problems and doesn't really help. If you can't trust your users to
chooses sufficiently strong passwords, use a second factor. Or maybe
replace passwords with some other method (public keys, FIDO, ...)
altogether (in fact, I'd do that for system accounts).

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@xxxxxx         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"

Attachment: signature.asc
Description: PGP signature


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux