Re: Credcheck- credcheck.max_auth_failure

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Ron Johnson <[email protected]>
To: pgsql-generallists.postgresql.org <[email protected]>
Subject: Re: Credcheck- credcheck.max_auth_failure
Date: Wed, 11 Dec 2024 13:43:38 -0500
Message-ID: <CANzqJaDJ0_Aiih6X6AMfkRaWATFrHJMw_21oS-7im8JdN9SgrQ@mail.gmail.com> (raw)
In-Reply-To: <CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>
References: <CAFsaSDgSPjLOmk51fZt_zYPEUnFOCQ+92g_g2OSMjNbMa4h2xg@mail.gmail.com>
	<CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>

On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane <[email protected]>
wrote:

> On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <[email protected]> wrote:
>
>> In the use of the Credcheck suite, the parameter
>> "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to
>> limit users from entering incorrect passwords more than three times, after
>> which their account will be locked.
>>
>
> Won't that allow absolutely anyone to lock out anyone else, including
> admins/superusers? Sounds like a bad idea to me.
>

Isn't this a pretty common password setting?  I know that for at least 35
years, and going back to the VAX/VMS days I've been  locked out for X hours
if I typed an invalid password.  Same on Windows and I think also Linux
(though ssh public keys and clients remembering passwords mean that rarely
happens to me).


>
>
>> Due to certain requirements, I would like to ask if there is a way or
>> feature to set this parameter differently for a specific user or role, so
>> that it does not apply to them.
>>
>
> There is not, but there is always the credcheck.reset_superuser setting as
> an emergency measure. I'd keep the password complexity settings and not
> enable max_auth_failure at all, myself. Three strikes and you're out feels
> pretty draconian. Is there a particular threat model that is driving that?
>

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

view thread (14+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: Credcheck- credcheck.max_auth_failure
  In-Reply-To: <CANzqJaDJ0_Aiih6X6AMfkRaWATFrHJMw_21oS-7im8JdN9SgrQ@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox