66 lines
1.7 KiB
Plaintext
66 lines
1.7 KiB
Plaintext
<!-- doc/src/sgml/auth-delay.sgml -->
|
|
|
|
<sect1 id="auth-delay" xreflabel="auth_delay">
|
|
<title>auth_delay — pause on authentication failure</title>
|
|
|
|
<indexterm zone="auth-delay">
|
|
<primary>auth_delay</primary>
|
|
</indexterm>
|
|
|
|
<para>
|
|
<filename>auth_delay</filename> causes the server to pause briefly before
|
|
reporting authentication failure, to make brute-force attacks on database
|
|
passwords more difficult. Note that it does nothing to prevent
|
|
denial-of-service attacks, and may even exacerbate them, since processes
|
|
that are waiting before reporting authentication failure will still consume
|
|
connection slots.
|
|
</para>
|
|
|
|
<para>
|
|
In order to function, this module must be loaded via
|
|
<xref linkend="guc-shared-preload-libraries"/> in <filename>postgresql.conf</filename>.
|
|
</para>
|
|
|
|
<sect2 id="auth-delay-configuration-parameters">
|
|
<title>Configuration Parameters</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>
|
|
<varname>auth_delay.milliseconds</varname> (<type>integer</type>)
|
|
<indexterm>
|
|
<primary><varname>auth_delay.milliseconds</varname> configuration parameter</primary>
|
|
</indexterm>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
The number of milliseconds to wait before reporting an authentication
|
|
failure. The default is 0.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>
|
|
These parameters must be set in <filename>postgresql.conf</filename>.
|
|
Typical usage might be:
|
|
</para>
|
|
|
|
<programlisting>
|
|
# postgresql.conf
|
|
shared_preload_libraries = 'auth_delay'
|
|
|
|
auth_delay.milliseconds = '500'
|
|
</programlisting>
|
|
</sect2>
|
|
|
|
<sect2 id="auth-delay-author">
|
|
<title>Author</title>
|
|
|
|
<para>
|
|
KaiGai Kohei <email>kaigai@ak.jp.nec.com</email>
|
|
</para>
|
|
</sect2>
|
|
|
|
</sect1>
|