Re: User to get locked after three wrong login attempts.
| From | Craig James |
|---|---|
| Subject | Re: User to get locked after three wrong login attempts. |
| Date | |
| Msg-id | CAFwQ8rerOUEptWfbtrVusBTMqsEcTqDbnN6Q+O+o-49mmTUPqw@mail.gmail.com |
| In reply to | Re: User to get locked after three wrong login attempts. (Tim Cross <theophilusx@gmail.com>) |
| Responses | Re: User to get locked after three wrong login attempts.; Re: User to get locked after three wrong login attempts. |
| List | pgsql-admin |
On Wed, Sep 5, 2018 at 3:09 PM, Tim Cross <theophilusx@gmail.com> wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > Greetings,
> >
> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> >> Praneel Devisetty <devisettypraneel@gmail.com> writes:
> >> > We have a requirement, where we require a user to get locked after three
> >> > wrong login attempts.
> >>
> >> The usual recommendation is to configure Postgres to use PAM
> >> authentication; then you can set up any weird requirements like
> >> this one in the PAM configuration.
> >
> > Unfortunately, it's a pain to set up PAM and there's a lot of things in
> > the PAM stack which can't be used because PostgreSQL doesn't run as
> > root. We should really have a better solution to this pretty commonly
> > asked for capability; I'm hoping to find time soon to hack on that.
> >
> > Thanks!
> >
> > Stephen
>
> These days, I think the better solution is to have this functionality in
> a central system. Putting aside that it is an 'outdated' auditor
> requirement ...
To elaborate, you should explain to the auditor that this introduces a huge denial-of-service vulnerability into your system. Anyone can start hammering on everyone else's accounts, and with a fairly trivial script, lock the entire company out of all accounts. This is a terrible idea.
Craig
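As an added example (not part of the thread or of PostgreSQL itself), a short Python script over constructed PostgreSQL log lines shows both sides of Craig's point: a plain "N failures per account" rule locks whichever accounts the failures were aimed at, while a per-source view flags the one client host whose failures alone would lock several accounts, which is the signal worth alerting on. It assumes a log_line_prefix of '%m [%p] %u@%d %h ' so user and client host appear on the line; hosts, users and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample (not from the thread); assumes log_line_prefix = '%m [%p] %u@%d %h '
SAMPLE_LOG = """\
2018-09-05 15:10:01.000 UTC [4101] alice@appdb 10.0.0.5 FATAL:  password authentication failed for user "alice"
2018-09-05 15:10:02.000 UTC [4102] bob@appdb 10.0.0.5 FATAL:  password authentication failed for user "bob"
2018-09-05 15:10:03.000 UTC [4103] alice@appdb 10.0.0.5 FATAL:  password authentication failed for user "alice"
2018-09-05 15:10:04.000 UTC [4104] bob@appdb 10.0.0.5 FATAL:  password authentication failed for user "bob"
2018-09-05 15:10:05.000 UTC [4105] alice@appdb 10.0.0.5 FATAL:  password authentication failed for user "alice"
2018-09-05 15:10:06.000 UTC [4106] bob@appdb 10.0.0.5 FATAL:  password authentication failed for user "bob"
2018-09-05 15:12:00.000 UTC [4107] dave@appdb 192.168.1.20 FATAL:  password authentication failed for user "dave"
"""
FAIL_RE = re.compile(r'^(?P<ts>\S+ \S+) \S+ \[\d+\] \S+@\S+ (?P<host>\S+) '
                     r'FATAL:  password authentication failed for user "(?P<user>[^"]+)"$')

def parse_failures(text):
    """(timestamp, user, client host) for every failed-password line."""
    events = []
    for m in filter(None, map(FAIL_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("user"), m.group("host")))
    return events

def _trips(times, threshold, window):
    """True when `threshold` failures fall within one `window`."""
    t = sorted(times)
    return any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))

def naive_lockouts(events, threshold=3, window=timedelta(minutes=10)):
    """Accounts a plain 'N failures per account' rule locks, whoever caused them."""
    per_user = defaultdict(list)
    for ts, user, _host in events:
        per_user[user].append(ts)
    return {u for u, t in per_user.items() if _trips(t, threshold, window)}

def lockout_storm_sources(events, threshold=3, window=timedelta(minutes=10), min_users=2):
    """Client hosts whose failures alone would lock several accounts: the DoS pattern to alert on."""
    per_pair, by_host = defaultdict(list), defaultdict(list)
    for ts, user, host in events:
        per_pair[(host, user)].append(ts)
    for (host, user), t in per_pair.items():
        if _trips(t, threshold, window):
            by_host[host].append(user)
    return {h: sorted(u) for h, u in by_host.items() if len(u) >= min_users}

if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("would be locked:", sorted(naive_lockouts(ev)))
    print("lockout storm sources:", lockout_storm_sources(ev))
```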