Re: Credcheck- credcheck.max_auth_failure

2024-12-17 Thread Ron Johnson
On Tue, Dec 17, 2024 at 1:39 PM Peter J. Holzer wrote: > On 2024-12-16 10:37:59 -0500, Ron Johnson wrote: > > On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer > wrote: > > > > On 2024-12-16 09:17:25 -0500, Ron Johnson wrote: > > > Local (socket-based) connections are typically peer-authe

Re: Credcheck- credcheck.max_auth_failure

2024-12-17 Thread Peter J. Holzer
On 2024-12-16 10:37:59 -0500, Ron Johnson wrote: > On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer wrote: > > On 2024-12-16 09:17:25 -0500, Ron Johnson wrote: > > Local (socket-based) connections are typically peer-authenticated > > (meaning that authentication is handled by Linux pa

Re: Credcheck- credcheck.max_auth_failure

2024-12-16 Thread Ron Johnson
On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer wrote:
> On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> > Local (socket-based) connections are typically peer-authenticated
> > (meaning that authentication is handled by Linux pam).
> ^^^
> Is it? I haven't

Re: Credcheck- credcheck.max_auth_failure

2024-12-16 Thread Peter J. Holzer
On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> Local (socket-based) connections are typically peer-authenticated
> (meaning that authentication is handled by Linux pam).
^^^
Is it? I haven't checked the source code, but this doesn't seem plausible. You can g

Re: Credcheck- credcheck.max_auth_failure

2024-12-16 Thread Ron Johnson
Local (socket-based) connections are typically peer-authenticated (meaning that authentication is handled by Linux pam). Thus, if someone enters too many wrong passwords for a superuser account, you *should* still be able to locally connect to PG. Better test it, though. On Mon, Dec 16, 2024 at

Re: Credcheck- credcheck.max_auth_failure

2024-12-16 Thread Ron Johnson
On Mon, Dec 16, 2024 at 8:10 AM Greg Sabino Mullane wrote:
> On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 wrote:
>
>> We have both regular accounts and system accounts. For regular accounts,
>> we still require password complexity and the lockout functionality after
>> multiple failed login attempts.
>>

Re: Credcheck- credcheck.max_auth_failure

2024-12-16 Thread Greg Sabino Mullane
On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 wrote:
> We have both regular accounts and system accounts. For regular accounts,
> we still require password complexity and the lockout functionality after
> multiple failed login attempts.
>
Again, what is the threat model here? Most people have their passwo

Re: Credcheck- credcheck.max_auth_failure

2024-12-16 Thread Peter J. Holzer
On 2024-12-16 18:32:34 +0800, 張宸瑋 wrote:
> We have both regular accounts and system accounts. For regular accounts, we
> still require password complexity and the lockout functionality after multiple
> failed login attempts. However, for system accounts, due to information
> security regulations, p

Re: Credcheck- credcheck.max_auth_failure

2024-12-16 Thread 張宸瑋
We have both regular accounts and system accounts. For regular accounts, we still require password complexity and the lockout functionality after multiple failed login attempts. However, for system accounts, due to information security regulations, password complexity is also required. The issue is

Re: Credcheck- credcheck.max_auth_failure

2024-12-13 Thread Peter J. Holzer
On 2024-12-11 13:43:38 -0500, Ron Johnson wrote: > On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane > wrote: > > On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 wrote: > > In the use of the Credcheck suite, the parameter > "credcheck.max_auth_failure = '3'" is set in the postgresql.

Re: Credcheck- credcheck.max_auth_failure

2024-12-11 Thread Adrian Klaver
On 12/11/24 09:57, Greg Sabino Mullane wrote: On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 wrote: In the use of the Credcheck suite, the parameter "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to limit users from entering incorrect passw

Re: Credcheck- credcheck.max_auth_failure

2024-12-11 Thread Greg Sabino Mullane
On Wed, Dec 11, 2024 at 1:44 PM Ron Johnson wrote:
> Isn't this a pretty common password setting? I know that for at least 35
> years, and going back to the VAX/VMS days I've been locked out for X hours
> if I typed an invalid password. Same on Windows and I think also Linux
> (though ssh publ

Re: Credcheck- credcheck.max_auth_failure

2024-12-11 Thread Ron Johnson
On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane wrote:
> On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 wrote:
>
>> In the use of the Credcheck suite, the parameter
>> "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to
>> limit users from entering incorrect passwords more than th

Re: Credcheck- credcheck.max_auth_failure

2024-12-11 Thread Greg Sabino Mullane
On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 wrote:
> In the use of the Credcheck suite, the parameter
> "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to
> limit users from entering incorrect passwords more than three times, after
> which their account will be locked.
>
Won't that

Re: Credcheck- credcheck.max_auth_failure

2024-12-11 Thread Adrian Klaver
On 12/11/24 02:46, 張宸瑋 wrote: In the use of the Credcheck suite, the parameter "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to limit users from entering incorrect passwords more than three times, after which their account will be locked. Due to certain requirements, I

Credcheck- credcheck.max_auth_failure

2024-12-11 Thread 張宸瑋
In the use of the Credcheck suite, the parameter "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to limit users from entering incorrect passwords more than three times, after which their account will be locked. Due to certain requirements, I would like to ask if there is a way