Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tLQy4-00ElRs-Rg for pgsql-general@arkaria.postgresql.org; Wed, 11 Dec 2024 17:57:48 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tLQy0-000fwg-Qv for pgsql-general@arkaria.postgresql.org; Wed, 11 Dec 2024 17:57:46 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tLQy0-000fwX-FM for pgsql-general@lists.postgresql.org; Wed, 11 Dec 2024 17:57:45 +0000 Received: from mail-il1-x130.google.com ([2607:f8b0:4864:20::130]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1tLQxz-002Iah-AS for pgsql-general@lists.postgresql.org; Wed, 11 Dec 2024 17:57:44 +0000 Received: by mail-il1-x130.google.com with SMTP id e9e14a558f8ab-3a777958043so28499765ab.2 for ; Wed, 11 Dec 2024 09:57:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733939862; x=1734544662; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Av/kkHx5nlCKVCNajR86qNLhov8aWfoqNlVJF+j2DwI=; b=YYshFbSgGAtUfUEHb+WazM1ioLmjrenh2sjsmYIHfowbNLKjwWTGXOmWls9Vuo5gax e9jeQyCznVzFRIUiVqvzQ5RsaM9cNnMDaO1Dj94jxCLb2FYycz2bmBNaMCcxnWVygHpD CmcVhqDgsO7rQjsvpQgR/P8CJfLaeSYyDLNmVISayd3kPkwPAUp8OxpmLwVGdNRpqElz 1xfUBsHbdF48mblk5YJ9Mwzo1LQhrlP+OYDEOd549HG3tFz441qhL37dlU+4mZCzsf1n 9QrEYQdKgGjUUPpgVCSEmkHyUzqV6dNRiS/T9q6mgwieqX8pZFJMyGv8vs1Na5hSP7Qt D6UA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733939862; x=1734544662; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Av/kkHx5nlCKVCNajR86qNLhov8aWfoqNlVJF+j2DwI=; b=ggtYwclD6bkjiOqNP7UQMPYaBXJeJYV+E7IMUqRLs/XxVkThLOyio2EXBASjBBZes8 EzbrKF7eWvb4FeRzayJ6fDrPDGyqn7OpAqgywwAXtsNwfylw2n7k0E1OT58HXBNxzH7S PXw8w52ypwKW06ZsowoaP9PC/UtcL6XUU7Lb6bS9MprHaJ9pNvkpPv1BaZOCDR7dHKtD uITrbpbZ5dmAH5gkJnYsjF0oXKVlgJjif4/VCdZwDa/gPqXxQ4aVz+J/VeM0B9GvrhF6 hNSIIhVCkfSBTxjMAFEGbTzsCDCiwEs9Qffg5YQdQr9nh+CR0igE23rwmwYjQ4bz7FFj 3W1A== X-Gm-Message-State: AOJu0YyicFw1V0IHcYlhdP1jq4xI2dBToaw1U5Uhes2/5iRoYf7kQNHH irIhP+BxSg76mLG8PgEcpue0sGpHogpMKgLzK1bb6o5GI/JawdDmodxlpwgszMN3sYRcEF4yXTX 3EAzkFWdmFNKyTkbI+Ng5FQUGwF0= X-Gm-Gg: ASbGncusXcl5f+ZWC2B5tSvwcXtmP6wKP79cEHBEIX+0SLvpBK34G0DNxwwUjymf170 MUPbG7IXl7g1V3mPZlQ131A3HzG+5gq9djfU= X-Google-Smtp-Source: AGHT+IHHWue+b+UQ6zEVjNIYNo6FgUI4TdBVxs3wuWtweRb9CL6jq4ir5UmHdCvKqbxIRJcC966OkK+FtKMvLKdtv/w= X-Received: by 2002:a05:6e02:18cd:b0:3a7:e539:c272 with SMTP id e9e14a558f8ab-3ac4bfc3ac4mr5036505ab.23.1733939862555; Wed, 11 Dec 2024 09:57:42 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Greg Sabino Mullane Date: Wed, 11 Dec 2024 12:57:06 -0500 Message-ID: Subject: Re: Credcheck- credcheck.max_auth_failure To: =?UTF-8?B?5by15a6455GL?= Cc: pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="00000000000091d8cf06290255e2" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --00000000000091d8cf06290255e2 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Dec 11, 2024 at 5:46=E2=80=AFAM =E5=BC=B5=E5=AE=B8=E7=91=8B wrote: > In the use of the Credcheck suite, the parameter > "credcheck.max_auth_failure =3D '3'" is set in the postgresql.conf file t= o > limit users from entering incorrect passwords more than three times, afte= r > which their account will be locked. > Won't that allow absolutely anyone to lock out anyone else, including admins/superusers? Sounds like a bad idea to me. > Due to certain requirements, I would like to ask if there is a way or > feature to set this parameter differently for a specific user or role, so > that it does not apply to them. > There is not, but there is always the credcheck.reset_superuser setting as an emergency measure. I'd keep the password complexity settings and not enable max_auth_failure at all, myself. Three strikes and you're out feels pretty draconian. Is there a particular threat model that is driving that? Cheers, Greg --00000000000091d8cf06290255e2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Wed, Dec 11, 2024 at 5:46=E2=80=AFAM = =E5=BC=B5=E5=AE=B8=E7=91=8B <ke= nny020307@gmail.com> wrote:
I= n the use of the Credcheck suite, the parameter "credcheck.max_auth_fa= ilure =3D '3'" is set in the postgresql.conf file to limit use= rs from entering incorrect passwords more than three times, after which the= ir account will be locked.

Won&= #39;t that allow absolutely anyone to lock out anyone else, including admin= s/superusers? Sounds like a bad idea to me.
=C2=A0
Due to certain requirem= ents, I would like to ask if there is a way or feature to set this paramete= r differently for a specific user or role, so that it does not apply to the= m.

There is not, but there is a= lways the=C2=A0credcheck.reset_superuser setting as an emergency measure. I= 'd keep the password complexity settings and not enable max_auth_failur= e at all, myself. Three strikes and you're out feels pretty draconian. = Is there a particular=C2=A0threat model that is driving that?
Cheers,
Greg

--00000000000091d8cf06290255e2--