Re: Record last password change

From: Chapman Flack
Subject: Re: Record last password change
Date:
Msg-id: 198b1eed-312e-1b3b-dacb-a8ab90abe90d@anastigmatix.net
In reply to: Re: Record last password change  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: Record last password change  (Bear Giles <bgiles@coyotesong.com>)
List: pgsql-hackers
On 12/11/18 9:56 AM, Tom Lane wrote:
> I've heard that if you want to implement a password aging policy, PAM
> authentication can manage that for you; but I don't know the details.

Interesting idea ... could use pam-pgsql[1] and PAM as the
authentication method. Might result in another connection (from PAM)
to authenticate every connection, though. I suppose the module could
use a daemon keeping one connection open for auth queries, but the
README doesn't *say* it does. Could set up a pooler just for the auth
module to connect through, I guess.

It allows you to configure arbitrary auth_query, acct_query, pwd_query,
etc., so you could conceivably join pg_authid with some other table
where you'd keep expiration info.

Looks like our PAM authentication might not support some PAM
capabilities like conducting additional message exchanges (for
example, to prompt for a new password on the spot if the old
one has expired).

It might be possible to shoehorn that capability into the existing
fe-be protocol by calling it a custom SASL method, something analogous
to ssh's "keyboard-interactive"[2].

-Chap


[1] https://github.com/pam-pgsql/pam-pgsql
[2] https://tools.ietf.org/html/rfc4256
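The "join pg_authid with some other table where you'd keep expiration info" idea from the message above, worked through as an added example. This is not code from the original post, from PostgreSQL, or from pam-pgsql: the table, function, view and role names (password_meta, set_password, password_status, pam_auth, app_users) and the 90-day policy are assumptions. It covers only the bookkeeping of when a password was last set and how a PAM account check could read it; it says nothing about how the module verifies the password itself. The acct_query line at the end follows pam-pgsql's documented two-boolean contract as I recall it, with the %u placeholder; check both against the module's README before relying on them.

```sql
-- Added example (not from the thread or from pam-pgsql). Names are assumptions.

-- pg_authid carries rolvaliduntil but no "password last changed" column, so the
-- timestamp has to be recorded at the moment the password is set.
CREATE TABLE password_meta (
    rolname     name PRIMARY KEY,
    changed_at  timestamptz NOT NULL DEFAULT now()
);

-- Single choke point for setting a password: runs ALTER ROLE and records when.
-- SECURITY DEFINER so ordinary users can call it without ALTER ROLE rights; the
-- owner must be allowed to alter the target role (superuser or CREATEROLE).
-- Caveat: the ALTER ROLE text carries the new password, so log_statement = 'all'
-- or a statement-level error would write it to the server log.
CREATE OR REPLACE FUNCTION set_password(target name, new_password text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
BEGIN
    -- Inside a SECURITY DEFINER function current_user is the function owner,
    -- so the caller's identity is session_user. Only superusers may change
    -- somebody else's password through this path.
    IF target <> session_user
       AND NOT (SELECT rolsuper FROM pg_authid WHERE rolname = session_user) THEN
        RAISE EXCEPTION 'not allowed to change password of role %', target;
    END IF;

    EXECUTE format('ALTER ROLE %I PASSWORD %L', target, new_password);

    INSERT INTO password_meta (rolname, changed_at)
    VALUES (target, now())
    ON CONFLICT (rolname) DO UPDATE SET changed_at = EXCLUDED.changed_at;
END;
$$;

REVOKE ALL ON FUNCTION set_password(name, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION set_password(name, text) TO app_users;  -- assumed role

-- What an account check reads. Policy (assumed): refuse logins after 90 days,
-- demand a change after 80. A login role with no password_meta row counts as
-- expired, so the policy cannot be dodged by never going through set_password.
-- The view exposes rolname only, never rolpassword.
CREATE VIEW password_status AS
SELECT a.rolname,
       (a.rolvaliduntil IS NOT NULL AND a.rolvaliduntil < now())
         OR m.changed_at IS NULL
         OR m.changed_at < now() - interval '90 days'           AS expired,
       coalesce(m.changed_at < now() - interval '80 days', false) AS must_change
FROM pg_authid a
LEFT JOIN password_meta m USING (rolname)
WHERE a.rolcanlogin;

-- The role the PAM module connects as gets SELECT on the view and nothing else;
-- the view runs with its owner's rights, so this role never needs pg_authid access.
CREATE ROLE pam_auth LOGIN;            -- assumed name
GRANT SELECT ON password_status TO pam_auth;

-- For pam_pgsql.conf (assumption: acct_query returns (expired, new password
-- required) and %u is replaced with the PAM user name):
--   acct_query = SELECT expired, must_change FROM password_status WHERE rolname = %u
```

Two things to verify in a real deployment: that the module's connection to the database does not itself go through PAM (otherwise every auth recurses into another auth), and that the module's database role really cannot read pg_authid directly, since the view is the only thing it should see.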


In the pgsql-hackers list, by date sent:

Previous
From: Tom Lane
Date:
Message: Re: Why not represent "never vacuumed" accurately wrt pg_class.relpages?
Next
From: Andres Freund
Date:
Message: Re: Why not represent "never vacuumed" accurately wrt pg_class.relpages?