Re: Credcheck- credcheck.max_auth_failure

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Adrian Klaver <[email protected]>
To: Greg Sabino Mullane <[email protected]>
To: 張宸瑋 <[email protected]>
Cc: [email protected]
Subject: Re: Credcheck- credcheck.max_auth_failure
Date: Wed, 11 Dec 2024 12:11:55 -0800
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>
References: <CAFsaSDgSPjLOmk51fZt_zYPEUnFOCQ+92g_g2OSMjNbMa4h2xg@mail.gmail.com>
	<CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>

On 12/11/24 09:57, Greg Sabino Mullane wrote:
> On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <[email protected] 
> <mailto:[email protected]>> wrote:
> 
>     In the use of the Credcheck suite, the parameter
>     "credcheck.max_auth_failure = '3'" is set in the postgresql.conf
>     file to limit users from entering incorrect passwords more than
>     three times, after which their account will be locked.
> 
> 
> Won't that allow absolutely anyone to lock out anyone else, including 
> admins/superusers? Sounds like a bad idea to me.

 From what I see here:

https://github.com/hexacluster/credcheck

This extension only applies to password authentication.

To me that seems to allow for a backdoor using another authentication 
method.


> 
>     Due to certain requirements, I would like to ask if there is a way
>     or feature to set this parameter differently for a specific user or
>     role, so that it does not apply to them.
> 
> 
> There is not, but there is always the credcheck.reset_superuser setting 
> as an emergency measure. I'd keep the password complexity settings and 
> not enable max_auth_failure at all, myself. Three strikes and you're out 
> feels pretty draconian. Is there a particular threat model that is 
> driving that?
> 
> Cheers,
> Greg
> 

-- 
Adrian Klaver
[email protected]

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Credcheck- credcheck.max_auth_failure
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox