MIME-Version: 1.0
References: <CAFsaSDgSPjLOmk51fZt_zYPEUnFOCQ+92g_g2OSMjNbMa4h2xg@mail.gmail.com>
 <CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>
In-Reply-To: <CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>
From: Ron Johnson <ronljohnsonjr@gmail.com>
Date: Wed, 11 Dec 2024 13:43:38 -0500
Message-ID: <CANzqJaDJ0_Aiih6X6AMfkRaWATFrHJMw_21oS-7im8JdN9SgrQ@mail.gmail.com>
Subject: Re: Credcheck- credcheck.max_auth_failure
To: "pgsql-generallists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000007956de062902fad2"
Archived-At: <https://www.postgresql.org/message-id/CANzqJaDJ0_Aiih6X6AMfkRaWATFrHJMw_21oS-7im8JdN9SgrQ%40mail.gmail.com>
Precedence: bulk

--0000000000007956de062902fad2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 11, 2024 at 12:57=E2=80=AFPM Greg Sabino Mullane <htamfids@gmai=
l.com>
wrote:

> On Wed, Dec 11, 2024 at 5:46=E2=80=AFAM =E5=BC=B5=E5=AE=B8=E7=91=8B <kenn=
y020307@gmail.com> wrote:
>
>> In the use of the Credcheck suite, the parameter
>> "credcheck.max_auth_failure =3D '3'" is set in the postgresql.conf file =
to
>> limit users from entering incorrect passwords more than three times, aft=
er
>> which their account will be locked.
>>
>
> Won't that allow absolutely anyone to lock out anyone else, including
> admins/superusers? Sounds like a bad idea to me.
>

Isn't this a pretty common password setting?  I know that for at least 35
years, and going back to the VAX/VMS days I've been  locked out for X hours
if I typed an invalid password.  Same on Windows and I think also Linux
(though ssh public keys and clients remembering passwords mean that rarely
happens to me).


>
>
>> Due to certain requirements, I would like to ask if there is a way or
>> feature to set this parameter differently for a specific user or role, s=
o
>> that it does not apply to them.
>>
>
> There is not, but there is always the credcheck.reset_superuser setting a=
s
> an emergency measure. I'd keep the password complexity settings and not
> enable max_auth_failure at all, myself. Three strikes and you're out feel=
s
> pretty draconian. Is there a particular threat model that is driving that=
?
>

--=20
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

--0000000000007956de062902fad2
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Wed, Dec 11, 2024 at 12:57=E2=80=AFPM =
Greg Sabino Mullane &lt;<a href=3D"mailto:htamfids@gmail.com">htamfids@gmai=
l.com</a>&gt; wrote:</div><div class=3D"gmail_quote gmail_quote_container">=
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div dir=
=3D"ltr">On Wed, Dec 11, 2024 at 5:46=E2=80=AFAM =E5=BC=B5=E5=AE=B8=E7=91=
=8B &lt;<a href=3D"mailto:kenny020307@gmail.com" target=3D"_blank">kenny020=
307@gmail.com</a>&gt; wrote:</div><div class=3D"gmail_quote"><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid=
 rgb(204,204,204);padding-left:1ex"><div><div>In the use of the Credcheck s=
uite, the parameter &quot;credcheck.max_auth_failure =3D &#39;3&#39;&quot; =
is set in the postgresql.conf file to limit users from entering incorrect p=
asswords more than three times, after which their account will be locked.</=
div></div></blockquote><div><br></div><div>Won&#39;t that allow absolutely =
anyone to lock out anyone else, including admins/superusers? Sounds like a =
bad idea to me.</div></div></div></blockquote><div><br></div><div>Isn&#39;t=
 this a pretty common password setting?=C2=A0 I know that for at least 35 y=
ears, and going back to the VAX/VMS days I&#39;ve been=C2=A0 locked out for=
 X hours if I typed an invalid password.=C2=A0 Same on Windows and I think =
also Linux (though ssh public keys and clients remembering passwords mean t=
hat rarely happens to me).</div><div>=C2=A0</div><blockquote class=3D"gmail=
_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204=
,204);padding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_quote"><div>=
=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0=
.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div> Du=
e to certain requirements, I would like to ask if there is a way or feature=
 to set this parameter differently for a specific user or role, so that it =
does not apply to them.</div></div></blockquote><div><br></div><div>There i=
s not, but there is always the=C2=A0credcheck.reset_superuser setting as an=
 emergency measure. I&#39;d keep the password complexity settings and not e=
nable max_auth_failure at all, myself. Three strikes and you&#39;re out fee=
ls pretty draconian. Is there a particular=C2=A0threat model that is drivin=
g that?</div></div></div></blockquote><div><br></div></div><span class=3D"g=
mail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signat=
ure"><div dir=3D"ltr">Death to &lt;Redacted&gt;, and butter sauce.<div>Don&=
#39;t boil me, I&#39;m still alive.<br><div><div>&lt;Redacted&gt; lobster!<=
/div></div></div></div></div></div>

--0000000000007956de062902fad2--