| From: | Michael Banck <mbanck(at)gmx(dot)net> |
|---|---|
| To: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Cc: | 成之焕 <zhcheng(at)ceresdata(dot)com> |
| Subject: | [PATCH] Exponential backoff for auth_delay |
| Date: | 2023-12-27 16:19:54 |
| Message-ID: | 658c4eab.050a0220.731ff.011e@mx.google.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
we had a conversation with a customer about security compliance a while
ago and one thing they were concerned about was avoiding brute-force
attemps for remote password guessing. This is should not be a big
concern if reasonably secure passwords are used and increasing SCRAM
iteration count can also help, but generally auth_delay is recommended
for this if there are concerns.
This patch adds exponential backoff so that one can choose a small
initial value which gets doubled for each failed authentication attempt
until a maximum wait time (which is 10s by default, but can be disabled
if so desired).
Currently, this patch tracks remote hosts but not users, the idea being
that a remote attacker likely tries several users from a particular
host, but this could in theory be extended to users if there are
concerns.
The patch is partly based on an earlier, more ambitious attempt at
extending auth_delay by 成之焕 from a year ago:
https://postgr.es/m/AHwAxACqIwIVOEhs5YejpqoG.1.1668569845751.Hmail.zhcheng@ceresdata.com
Michael
| Attachment | Content-Type | Size |
|---|---|---|
| v1-0001-Add-optional-exponential-backoff-to-auth_delay-co.patch | text/x-diff | 9.4 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Melanie Plageman | 2023-12-27 16:26:52 | Re: Emit fewer vacuum records by reaping removable tuples during pruning |
| Previous Message | jian he | 2023-12-27 16:13:14 | change regexp_substr first argument make tests more easier to understand. |