From: Greg Sabino Mullane
Date: Mon, 16 Dec 2024 08:09:45 -0500
Subject: Re: Credcheck- credcheck.max_auth_failure
To: 張宸瑋
Cc: pgsql-general@lists.postgresql.org
In-Reply-To: <20241213202348.jtchbb2lezbx2re6@hjp.at>

On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 wrote:

> We have both regular accounts and system accounts. For regular accounts,
> we still require password complexity and the lockout functionality after
> multiple failed login attempts.

Again, what is the threat model here? Most people have their password in a .pgpass file or similar, so it seems this only adds complexity and annoyance without any real benefit.

> However, for system accounts, due to information security regulations,
> password complexity is also required.

Yes, this makes sense.

> The issue is that system accounts are used for system integration, and if
> the account gets locked, it may affect system services, which could lead to
> problems. To prevent this, we would like to exclude system accounts from
> being affected by the credcheck.max_auth_failure parameter.

I think we all understand that, but the extension as it exists now cannot do that. And the obvious and easiest solution is to stop using the denial of service feature, which I am hoping is NOT mandated by security regulations.

Cheers,
Greg
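One way to keep the lockout risk discussed above visible before an integration account is locked, as an added example that is not from the thread or from credcheck itself: it counts failed password authentications per role in standard PostgreSQL server log lines and flags system accounts approaching a configured credcheck.max_auth_failure threshold. The threshold value, the role names and the log lines are constructed assumptions.

```python
import re
from collections import Counter

# Standard PostgreSQL server log message emitted on a failed password check.
FAILED_AUTH_RE = re.compile(
    r'FATAL:\s+password authentication failed for user "([^"]+)"'
)

# Assumed: the value you set for credcheck.max_auth_failure.
MAX_AUTH_FAILURE = 5
# Assumed: hypothetical role names your integrations depend on.
SYSTEM_ACCOUNTS = {"app_svc", "etl_svc"}


def count_failures(log_lines):
    """Return a Counter of failed password authentications per role name."""
    counts = Counter()
    for line in log_lines:
        match = FAILED_AUTH_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def accounts_at_risk(counts, threshold=MAX_AUTH_FAILURE,
                     system_accounts=SYSTEM_ACCOUNTS, warn_at=0.6):
    """System accounts whose failures have reached warn_at * threshold.

    Returns {role: (failures, attempts_left_before_lockout)}, most urgent first.
    """
    risk = {}
    for role in system_accounts:
        n = counts.get(role, 0)
        if n >= warn_at * threshold:
            risk[role] = (n, max(threshold - n, 0))
    return dict(sorted(risk.items(), key=lambda kv: kv[1][1]))


# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    '2024-12-16 13:10:01 UTC [4121] app_svc@appdb FATAL:  password authentication failed for user "app_svc"',
    '2024-12-16 13:10:02 UTC [4122] app_svc@appdb FATAL:  password authentication failed for user "app_svc"',
    '2024-12-16 13:10:03 UTC [4123] app_svc@appdb FATAL:  password authentication failed for user "app_svc"',
    '2024-12-16 13:10:04 UTC [4124] app_svc@appdb FATAL:  password authentication failed for user "app_svc"',
    '2024-12-16 13:10:05 UTC [4125] alice@appdb FATAL:  password authentication failed for user "alice"',
    '2024-12-16 13:10:06 UTC [4126] etl_svc@appdb LOG:  connection authorized: user=etl_svc database=appdb',
]

if __name__ == "__main__":
    for role, (n, left) in accounts_at_risk(count_failures(SAMPLE_LOG)).items():
        print(f"{role}: {n} failures, {left} more before lockout")
```

Feed it the tail of the server log on a short interval and page on any non-empty result; the regular-user failures (alice) are counted but not reported, since only the integration roles cause an outage when locked.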