public inbox for [email protected]
help / color / mirror / Atom feedFrom: Greg Sabino Mullane <[email protected]>
To: 張宸瑋 <[email protected]>
Cc: [email protected]
Subject: Re: Credcheck- credcheck.max_auth_failure
Date: Wed, 11 Dec 2024 12:57:06 -0500
Message-ID: <CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com> (raw)
In-Reply-To: <CAFsaSDgSPjLOmk51fZt_zYPEUnFOCQ+92g_g2OSMjNbMa4h2xg@mail.gmail.com>
References: <CAFsaSDgSPjLOmk51fZt_zYPEUnFOCQ+92g_g2OSMjNbMa4h2xg@mail.gmail.com>
On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <[email protected]> wrote:
> In the use of the Credcheck suite, the parameter
> "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to
> limit users from entering incorrect passwords more than three times, after
> which their account will be locked.
>
Won't that allow absolutely anyone to lock out anyone else, including
admins/superusers? Sounds like a bad idea to me.
> Due to certain requirements, I would like to ask if there is a way or
> feature to set this parameter differently for a specific user or role, so
> that it does not apply to them.
>
There is not, but there is always the credcheck.reset_superuser setting as
an emergency measure. I'd keep the password complexity settings and not
enable max_auth_failure at all, myself. Three strikes and you're out feels
pretty draconian. Is there a particular threat model that is driving that?
Cheers,
Greg
view thread (14+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Credcheck- credcheck.max_auth_failure
In-Reply-To: <CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox