Re: Lock Postgres account after X number of failed logins? - Mailing list pgsql-general

From Tim Cross
Subject Re: Lock Postgres account after X number of failed logins?
Date
Msg-id 87h7wuj840.fsf@gmail.com
In response to Re: Lock Postgres account after X number of failed logins?  ("Wolff, Ken L" <ken.l.wolff@lmco.com>)
Responses Re: Lock Postgres account after X number of failed logins?  (Geoff Winkless <pgsqladmin@geoff.dj>)
List pgsql-general
Wolff, Ken L <ken.l.wolff@lmco.com> writes:

> As Stephen states, even some basic functionality in this regard would go a long way.  Perhaps something could be
> built into the postgresql-contrib RPM?  Right now the only way I see is to write a hook, which involves changing source
> code, which then puts us into the situation of (1) maintaining our own code tree and (2) figuring out how to produce a
> new set of RPMs.
>
> I realize Postgres is a community project and that there are a great number of other valuable feature/enhancement
> requests in the queue.  Just adding my $.02 here.
>

The problem here is that everyone has valid points.

Tom is quite correct that this sort of security policy really needs to
be implemented in a single central location, such as LDAP, AD or some
other IAM middleware. Having security policies implemented separately in
different systems is where failures creep in and why maintenance
becomes a problem.

Where Tom's solution fails is with smaller companies that cannot afford
this level of infrastructure. They can still fall victim to the same
level of regulatory bureaucracy, but without the necessary level of
technical resources of larger organisations. For these organisations,
basic facilities, like the ability to lock an account after a certain
number of failed login attempts for a period of time is a very useful
feature. 

My suggestion would be to develop the basic requirements and contribute
the result to Postgres. This would give back to the community and
eliminate the need to maintain separate code in the long-term. The cost
of paying for extra resources to do this development and maintenance is
still going to be less than the licensing costs for that commercial
competitor. Just requesting the facility is unlikely to result in any
acceptable outcome within any reasonable time frame. 

If your security people are really on top of their game, they will be
providing you with a security architecture which fulfils the enterprise
architecture requirements and which centralises IAM management. This is
really the only truly secure solution which guarantees access is removed
from all systems in a timely manner, enables effective logging and
auditing of access, ensures consistent application of security policy
and allows consistent response to security incidents and events. While
requiring additional resources to establish, it does tend to result in
reduced maintenance costs in the longer term.

-- 
Tim Cross
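The lockout the thread asks for can be approximated outside the server, without a source-level hook, by an agent that tails the PostgreSQL log and flips the role's LOGIN attribute. What follows is an added example written for this page, not code from the thread or from PostgreSQL. It assumes log_line_prefix = '%m ' (so each line starts with a millisecond timestamp and a time zone), relies on the server's standard "password authentication failed for user" message, and only decides which ALTER ROLE statements to run; a real agent would execute them as a superuser via psql or a driver and would also call expire() on a timer so that unlocks do not wait for the next failure. THRESHOLD, WINDOW, LOCKOUT and the EXEMPT set are illustrative values, and the sample log lines are constructed.

```python
"""Log-driven failed-login lockout for PostgreSQL roles (added example).

Assumptions (not from the thread or from PostgreSQL itself):
  * log_line_prefix = '%m ' so lines look like
    '2019-05-06 10:00:00.000 UTC FATAL:  password authentication failed for user "alice"'
  * an external agent runs the returned SQL as a superuser and calls expire()
    on a timer; nothing here connects to a database.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # failures allowed inside WINDOW (illustrative)
WINDOW = timedelta(minutes=5)    # sliding window for counting failures
LOCKOUT = timedelta(minutes=15)  # how long the role stays NOLOGIN
# Roles that must never be locked from the network: locking the superuser or
# a replication role turns this policy into a denial-of-service lever.
EXEMPT = {"postgres"}            # default superuser name; adjust per site

# Timestamp and zone from the assumed '%m ' prefix, then the server's real
# authentication-failure message.
_FAILED = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ FATAL:\s+'
    r'password authentication failed for user "(?P<user>[^"]+)"'
)


def quote_ident(name: str) -> str:
    """Double-quote a role name for SQL; a log-derived name is untrusted input."""
    return '"' + name.replace('"', '""') + '"'


class LockoutPolicy:
    def __init__(self, threshold: int = THRESHOLD, window: timedelta = WINDOW,
                 lockout: timedelta = LOCKOUT) -> None:
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self._failures: dict[str, deque[datetime]] = defaultdict(deque)
        self._locked_until: dict[str, datetime] = {}

    def observe(self, line: str) -> list[str]:
        """Feed one log line; return the SQL statements to execute now."""
        m = _FAILED.match(line)
        if not m:
            return []
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        return self.record_failure(m["user"], ts)

    def record_failure(self, user: str, ts: datetime) -> list[str]:
        actions = self.expire(ts)
        if user in EXEMPT or user in self._locked_until:
            return actions  # exempt, or already locked: attempts are just noise
        q = self._failures[user]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            self._locked_until[user] = ts + self.lockout
            actions.append(f"ALTER ROLE {quote_ident(user)} NOLOGIN;")
        return actions

    def expire(self, now: datetime) -> list[str]:
        """Return unlock statements for roles whose lockout has elapsed."""
        actions = []
        for user, until in list(self._locked_until.items()):
            if now >= until:
                del self._locked_until[user]
                actions.append(f"ALTER ROLE {quote_ident(user)} LOGIN;")
        return actions


def process_log(text: str) -> list[str]:
    """Run a whole log excerpt through one policy and collect the SQL."""
    policy = LockoutPolicy()
    actions: list[str] = []
    for line in text.splitlines():
        actions.extend(policy.observe(line))
    return actions


# Constructed sample: alice fails three times inside five minutes and is
# locked; her fourth attempt is ignored; bob's failure 20 minutes later
# arrives after alice's lockout has expired, so she is unlocked first.
SAMPLE_LOG = """\
2019-05-06 10:00:00.000 UTC FATAL:  password authentication failed for user "alice"
2019-05-06 10:00:01.000 UTC FATAL:  password authentication failed for user "alice"
2019-05-06 10:00:02.000 UTC LOG:  connection authorized: user=bob database=app
2019-05-06 10:00:03.000 UTC FATAL:  password authentication failed for user "alice"
2019-05-06 10:00:04.000 UTC FATAL:  password authentication failed for user "alice"
2019-05-06 10:20:00.000 UTC FATAL:  password authentication failed for user "bob"
"""

if __name__ == "__main__":
    for stmt in process_log(SAMPLE_LOG):
        print(stmt)
```

Caveat before deploying anything like this: the trigger is the failure count alone, so anyone who can reach the listening port can lock out any role whose name they can guess. Keep the superuser and replication roles exempt, alert on every lock, and remember that an attacker who can cause the lockout can also keep renewing it.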


