Login attempts could repeat depending on SSLMode and leads to incorrect count of attempts #274
Labels
documentation
Improvements or additions to documentation
Comments
|
Since this is an expected and documented client-side behaviour [1], we shouldn't try to change this on the pg_tle side. However it's worth adding a note in the example for users to be aware. [1] https://www.postgresql.org/docs/devel/libpq-connect.html#LIBPQ-CONNECT-SSLMODE |
adamguo0
added
documentation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
For the lockout-after-a-specific-number-of-login-attempts example, login attempts could increment by 2 depending on SSLMode
https://www.postgresql.org/message-id/flat/17032-7ad69968e744de35%40postgresql.org#:~:text=It%20tries%20to%20connect%20with%20encryption%20and%20fails%2C%20then%20tries%20to%20connect%0Awithout%20encryption%20and%20also%20fails
Steps to reproduce
Run the example here with sslmode set to allow/prefer
https://github.com/aws/pg_tle/blob/main/examples/client_lockout/client_lockout--1.0.sql
Expected outcome
Client should be locked out after 5 attempts
Actual outcome
Client is locked out before 5 attempts
Analysis
Could potentially check the SSLMode in hook sql, which requires a C code change.
https://github.com/aws/pg_tle/blob/main/src/clientauth.c#L144-L166
The text was updated successfully, but these errors were encountered: