On 2024-12-16 18:32:34 +0800, 張宸瑋 wrote: > We have both regular accounts and system accounts. For regular accounts, we > still require password complexity and the lockout functionality after multiple > failed login attempts. However, for system accounts, due to information > security regulations, password complexity is also required. The issue is that > system accounts are used for system integration, and if the account gets > locked, it may affect system services, which could lead to problems. To > prevent > this, we would like to exclude system accounts from being affected by the > credcheck.max_auth_failure parameter.
Just in case it wasn't clear: My recommendation is to NOT use the
credcheck.max_auth_failure parameter for ANY account. It just causes
problems and doesn't really help. If you can't trust your users to
chooses sufficiently strong passwords, use a second factor. Or maybe
replace passwords with some other method (public keys, FIDO, ...)
altogether (in fact, I'd do that for system accounts).
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | h...@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
signature.asc
Description: PGP signature
