<!-- doc/src/sgml/auth-delay.sgml -->

<sect1 id="auth-delay" xreflabel="auth_delay">
 <title>auth_delay</title>

 <indexterm zone="auth-delay">
  <primary>auth_delay</primary>
 </indexterm>

 <para>
  <filename>auth_delay</filename> causes the server to pause briefly before
  reporting authentication failure, to make brute-force attacks on database
  passwords more difficult.  Note that it does nothing to prevent
  denial-of-service attacks, and may even exacerbate them, since processes
  that are waiting before reporting authentication failure will still consume
  connection slots.
 </para>

 <para>
  In order to function, this module must be loaded via
  <xref linkend="guc-shared-preload-libraries"/> in <filename>postgresql.conf</filename>.
 </para>

 <sect2>
  <title>Configuration Parameters</title>

  <variablelist>
   <varlistentry>
    <term>
     <varname>auth_delay.milliseconds</varname> (<type>int</type>)
     <indexterm>
      <primary><varname>auth_delay.milliseconds</varname> configuration parameter</primary>
     </indexterm>
    </term>
    <listitem>
     <para>
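      The number of milliseconds to wait before reporting an authentication
      failure.  The default is 0, meaning no delay is added; the module
      therefore provides no protection until this parameter is set to a
      positive value.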
     </para>
    </listitem>
   </varlistentry>
  </variablelist>

  <para>
   These parameters must be set in <filename>postgresql.conf</filename>.
   Typical usage might be:
  </para>

<programlisting>
# postgresql.conf
shared_preload_libraries = 'auth_delay'

auth_delay.milliseconds = '500'
</programlisting>
 </sect2>

 <sect2>
  <title>Author</title>

  <para>
   KaiGai Kohei <email>kaigai@ak.jp.nec.com</email>
  </para>
 </sect2>

</sect1>