Re: User to get locked after three wrong login attempts.

From: Craig James <cjames(at)emolecules(dot)com>
To: Tim Cross <theophilusx(at)gmail(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Praneel Devisetty <devisettypraneel(at)gmail(dot)com>, pgsql-admin(at)postgresql(dot)org
Subject: Re: User to get locked after three wrong login attempts.
Date: 2018-09-05 22:14:38
Message-ID: CAFwQ8rerOUEptWfbtrVusBTMqsEcTqDbnN6Q+O+o-49mmTUPqw@mail.gmail.com
Lists: pgsql-admin

On Wed, Sep 5, 2018 at 3:09 PM, Tim Cross <theophilusx(at)gmail(dot)com> wrote:

>
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
>
> > Greetings,
> >
> > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> >> Praneel Devisetty <devisettypraneel(at)gmail(dot)com> writes:
> >> > We have a requirement, where we require a user to get locked after
> >> > three wrong login attempts.
> >>
> >> The usual recommendation is to configure Postgres to use PAM
> >> authentication; then you can set up any weird requirements like
> >> this one in the PAM configuration.
> >
> > Unfortunately, it's a pain to set up PAM and there's a lot of things in
> > the PAM stack which can't be used because PostgreSQL doesn't run as
> > root. We should really have a better solution to this pretty commonly
> > asked for capability; I'm hoping to find time soon to hack on that.
> >
> > Thanks!
> >
> > Stephen
>
> These days, I think the better solution is to have this functionality in
> a central system. Putting aside that it is an 'outdated' auditor
> requirement ...

To elaborate, you should explain to the auditor that this introduces a huge
denial-of-service vulnerability into your system. Anyone can start
hammering on everyone else's accounts, and with a fairly trivial script,
lock the entire company out of all accounts. This is a terrible idea.

Craig
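To make the denial-of-service argument concrete, here is an added simulation that is not part of the thread and not PostgreSQL or PAM code. It models two policies an authentication front end could apply to failed logins: the auditor's per-account lockout, and a throttle keyed on (source address, account) with a sliding window and growing delay. The account name and addresses are constructed, and the policy classes are hypothetical. A fake clock keeps it deterministic.

```python
"""Lockout policy simulation (added example; not from the pgsql-admin thread).

Compares two reactions to failed logins:
  * PerAccountLockout  - N failures lock the account for everyone (the
                         requirement discussed in the thread)
  * SourceKeyedThrottle - failures are counted per (source, account) in a
                         sliding window and delay the *offending source* only
The second policy keeps the account's legitimate owner out of the blast
radius of someone hammering the account from elsewhere.
"""
from collections import defaultdict, deque

# Constructed sample values (hypothetical; not from the thread).
ATTACKER = "198.51.100.7"   # documentation-range address
OWNER = "10.0.0.5"          # the account owner's own workstation
ACCOUNT = "alice"


class PerAccountLockout:
    """Naive policy: a counter per account, regardless of where failures came from."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # account -> failures since last success

    def record_failure(self, account, source, now):
        self.failures[account] += 1

    def record_success(self, account, source, now):
        self.failures[account] = 0

    def is_blocked(self, account, source, now):
        # Once tripped, the lock persists until an administrator clears it.
        return self.failures[account] >= self.max_failures


class SourceKeyedThrottle:
    """Hardened policy: per (source, account) failure history with backoff.

    After the n-th failure inside the window, that source must wait
    base_delay * 2**(n-1) seconds (capped at max_delay) before the pair is
    accepted again. Other sources are unaffected.
    """

    def __init__(self, window=600.0, base_delay=2.0, max_delay=300.0):
        self.window = window
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(deque)  # (source, account) -> failure timestamps
        self.blocked_until = {}             # (source, account) -> time

    def _prune(self, key, now):
        # Drop failures that have aged out of the sliding window.
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, account, source, now):
        key = (source, account)
        self._prune(key, now)
        self.failures[key].append(now)
        n = len(self.failures[key])
        delay = min(self.max_delay, self.base_delay * 2 ** (n - 1))
        self.blocked_until[key] = now + delay

    def record_success(self, account, source, now):
        key = (source, account)
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)

    def is_blocked(self, account, source, now):
        return now < self.blocked_until.get((source, account), 0.0)


def simulate(policy):
    """Three bad attempts on ACCOUNT from ATTACKER at t=0,1,2; then ask each
    policy who is blocked at t=3 and one hour later. Returns a result dict."""
    for t in range(3):
        policy.record_failure(ACCOUNT, ATTACKER, float(t))
    now = 3.0
    return {
        "attacker_blocked": policy.is_blocked(ACCOUNT, ATTACKER, now),
        "owner_blocked": policy.is_blocked(ACCOUNT, OWNER, now),
        "attacker_blocked_later": policy.is_blocked(ACCOUNT, ATTACKER, now + 3600),
        "owner_blocked_later": policy.is_blocked(ACCOUNT, OWNER, now + 3600),
    }


if __name__ == "__main__":
    for cls in (PerAccountLockout, SourceKeyedThrottle):
        print(cls.__name__, simulate(cls()))
```

Under `PerAccountLockout` the owner is locked out along with the attacker, and stays locked an hour later; under `SourceKeyedThrottle` only the attacker's source is delayed and the owner connects normally. The throttle is a mitigation, not a cure: a distributed source pool can still spray attempts, so failure-rate alerting and a central identity system, as Tim suggests, remain the real answer.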
