Re: [v9.1] Add security hook on initialization of instance

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [v9.1] Add security hook on initialization of instance
Date: 2010-07-09 15:19:17
Message-ID: 20100709151917.GU21875@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Fri, Jul 9, 2010 at 10:52 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > Something else which has come up but is related is the ability to
> > support a "pam_tally"-like function in PG.  Basically, the ability to
> > lock users out if they've had too many failed login attempts.  I wonder
> > if we could add this hook (or maybe have more than one if necessary) in
> > a way to support a contrib module for that.
>
> Seems like the hard part would be figuring out where to store the
> bookkeeping information.

pam_tally does it in a flat file on-disk. It's not perfect, but it
works. It'd be good enough for me if there was a hook in the right
place that I could write the contrib module.

Of course, it'd be even nicer to have support for this in-core, since
it's a FISMA requirement and not everyone is going to like having to
install a contrib module to handle something like this. Of course, so
is stuff like remembering old passwords, password aging, etc... I do
really wish there was a way PAM could be used by applications
*independently* of the system auth (eg: /etc/passwd) to handle all of
this. If anyone's aware of a way, I'm all ears..

Thanks,

Stephen

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2010-07-09 15:21:29 Re: [v9.1] Add security hook on initialization of instance
Previous Message Tom Lane 2010-07-09 15:09:50 Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().