On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <kenny020...@gmail.com> wrote:
> In the use of the Credcheck suite, the parameter > "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to > limit users from entering incorrect passwords more than three times, after > which their account will be locked. > Won't that allow absolutely anyone to lock out anyone else, including admins/superusers? Sounds like a bad idea to me. > Due to certain requirements, I would like to ask if there is a way or > feature to set this parameter differently for a specific user or role, so > that it does not apply to them. > There is not, but there is always the credcheck.reset_superuser setting as an emergency measure. I'd keep the password complexity settings and not enable max_auth_failure at all, myself. Three strikes and you're out feels pretty draconian. Is there a particular threat model that is driving that? Cheers, Greg
