Subject: Re: Credcheck- credcheck.max_auth_failure
From: Adrian Klaver
To: Greg Sabino Mullane, 張宸瑋
Cc: pgsql-general@lists.postgresql.org
Date: Wed, 11 Dec 2024 12:11:55 -0800
Message-ID: <680ca9f8-1382-4c61-9e8a-d2baf1793459@aklaver.com>

On 12/11/24 09:57, Greg Sabino Mullane wrote:
> On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 wrote:
>
> > In the use of the Credcheck suite, the parameter
> > "credcheck.max_auth_failure = '3'" is set in the postgresql.conf
> > file to limit users from entering incorrect passwords more than
> > three times, after which their account will be locked.
>
> Won't that allow absolutely anyone to lock out anyone else, including
> admins/superusers? Sounds like a bad idea to me.

From what I see here:

https://github.com/hexacluster/credcheck

This extension only applies to password authentication. To me that seems
to allow for a backdoor using another authentication method.

> > Due to certain requirements, I would like to ask if there is a way
> > or feature to set this parameter differently for a specific user or
> > role, so that it does not apply to them.
>
> There is not, but there is always the credcheck.reset_superuser setting
> as an emergency measure. I'd keep the password complexity settings and
> not enable max_auth_failure at all, myself. Three strikes and you're out
> feels pretty draconian. Is there a particular threat model that is
> driving that?
>
> Cheers,
> Greg

-- 
Adrian Klaver
adrian.klaver@aklaver.com
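Both caveats in the thread above (a password-failure lockout covers only password-based methods, and a failure counter on password auth lets any client that can reach the port spend another account's attempts) can be checked against pg_hba.conf before the setting is turned on. The script below is an added example written for this note; it is not code from the thread, from PostgreSQL or from the credcheck project. It assumes the standard pg_hba.conf record layout (TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]) and runs over a constructed sample file embedded inline.

```python
"""Audit pg_hba.conf for the two caveats raised in the thread:

1. records whose method never checks a password, so a password-failure
   counter such as credcheck.max_auth_failure cannot apply to them;
2. password-authenticated records reachable from beyond the local host,
   where a remote client needs only a username to exhaust that
   account's failure budget.

Added example, not credcheck or PostgreSQL code. It assumes the standard
record layout: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS].
"""
import ipaddress
import shlex

# Methods that check a password; only these are visible to a
# password-failure counter.
PASSWORD_METHODS = {"scram-sha-256", "md5", "password"}

# Constructed sample file; not taken from any real deployment.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS             METHOD
local   all       postgres                      peer
local   all       all                           scram-sha-256
host    all       all       127.0.0.1/32        scram-sha-256
host    all       all       10.0.0.0 255.0.0.0  trust
hostssl all       app       0.0.0.0/0           cert clientcert=verify-full
host    all       all       ::1/128             md5
host    all       all       192.168.1.0/24      scram-sha-256
"""


def _is_ip(token):
    """True if token is a bare IPv4/IPv6 address (no prefix length)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse pg_hba.conf text into a list of record dicts, in file order
    (PostgreSQL matches records top to bottom, so order matters)."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)  # shlex handles quoted names
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            address, method, options = None, fields[3], fields[4:]
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            # ADDRESS is one token (CIDR, hostname, all/samehost/samenet)
            # or an IP followed by a separate netmask token.
            if _is_ip(fields[3]) and len(fields) > 5 and _is_ip(fields[4]):
                address = f"{fields[3]}/{fields[4]}"
                method, options = fields[5], fields[6:]
            else:
                address = fields[3]
                method, options = fields[4], fields[5:]
        records.append({
            "line": lineno, "type": conn_type, "database": fields[1],
            "user": fields[2], "address": address, "method": method,
            "options": options,
        })
    return records


def outside_password_lockout(records):
    """Records a password-failure counter can never see."""
    return [r for r in records if r["method"] not in PASSWORD_METHODS]


def _is_local_only(address):
    """True when the record can only be matched from the local host."""
    if address is None or address == "samehost":
        return True  # Unix socket or explicit same-host rule
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostname, 'all', 'samenet': treat as reachable


def remote_password_records(records):
    """Password-authenticated records reachable from other hosts: the
    users they match can have their failure budget spent remotely."""
    return [r for r in records
            if r["method"] in PASSWORD_METHODS
            and not _is_local_only(r["address"])]


if __name__ == "__main__":
    recs = parse_pg_hba(SAMPLE_PG_HBA)
    for r in outside_password_lockout(recs):
        print(f"line {r['line']}: {r['method']} for user {r['user']!r}; "
              "not password auth, lockout does not apply")
    for r in remote_password_records(recs):
        print(f"line {r['line']}: password auth for {r['user']!r} from "
              f"{r['address']}; failure counter reachable remotely")
```

Run against a real file with `parse_pg_hba(open("/path/to/pg_hba.conf").read())`. The first list answers Adrian's point (every peer, cert or trust record is a path the lockout never touches); the second list is the set of records Greg's objection applies to, since each one names the users whose attempts a remote client can burn. The Unix-socket and loopback records are deliberately excluded from the second list because a lockout there only affects clients already on the host.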