Обсуждение: Enforcing password standards

On Thu, Jun 10, 2010 at 7:01 PM, DM <dm.aeqa@gmail.com> wrote:
> How to force postgres users to follow password standards and renewal
> policies?

Use some form of external authentication.

* DM (dm.aeqa@gmail.com) wrote:
> How to force postgres users to follow password standards and renewal
> policies?

It's not trivial, sadly.  Regarding renewal, you can use the 'valid
until' role parameter to implement a "only good until" mechanism, and
then update that using a security definer function when the password is
changed.  You would then have to have your application calling that
function for password changes.

Another approach, which I've used in the past but I truely dislike, is
to use PAM, cracklib, pam_tally, etc.  The problem with this is that if
you use pam_unix as the basic "password storage" mechanism, you have to
jump through lots of nasty hoops and configure things in a really ugly
way.  You *could* use another PAM module besides pam_unix in the stack,
but I'm not sure what the best suggestion there would be, and I think
you'd still have ugly permission problems with pam_tally..

All-in-all, there really isn't a very good solution here, if you're
forced to use the PG system for your authentication.  If you can move
*away* from that (something I would definitely encourage), it becomes
alot more reasonable- eg: use Kerberos for your authentication and
implement the password standards, renewal policies, etc, there.  Or, use
ident auth under Unix with unix domain sockets and make sure you
configure the system-wide PAM requirements according to your policies.
Both of those approaches avoid putting PWs in PG, which gives you a way
to deal with the fact that PG doesn't have support for these kinds of
policies.

There have been a number of discussions about this issue but, sadly, I
don't know that anyone has come up with a good solution yet.  I've been
sorely tempted to rewrite pam_unix to support an alternative storage
location for the files it needs (along with pam_tally, etc), so that you
could then use PAM under PG w/ just a "pg/etc" directory that had the
PG-used pam_unix files (passwd, shadow, etc) instead of the system-wide
ones.

    Thanks,

        Stephen

On Thu, Jun 10, 2010 at 06:01:24PM -0700, DM wrote:
>    How to force postgres users to follow password standards and renewal
>    policies?
>    Thanks
>    Deepak

9.0 will ship with a contrib module called "passwordcheck" which will enforce
some of these things, FWIW.

--
Joshua Tolley / eggyknap
End Point Corporation
http://www.endpoint.com

On Fri, Jun 11, 2010 at 10:40:29AM -0700, DM wrote:
>    Thanks everyone,
>    I will wait for Postgres 9.0 to implement this feature then. Thanks

The contrib module supports enforcement of only some of the things you've
listed you want. For other items on your list (notably renewal), you're better
off integrating with some external authentication provider, as has been
suggested elsewhere in this thread.

--
Josh

>    Thanks
>    Deepak
>    On Fri, Jun 11, 2010 at 10:30 AM, Joshua Tolley <eggyknap@gmail.com>
>    wrote:
>
>      On Thu, Jun 10, 2010 at 06:01:24PM -0700, DM wrote:
>      >    How to force postgres users to follow password standards and
>      renewal
>      >    policies?
>      >    Thanks
>      >    Deepak
>
>      9.0 will ship with a contrib module called "passwordcheck" which will
>      enforce
>      some of these things, FWIW.
>      --
>      Joshua Tolley / eggyknap
>      End Point Corporation
>      http://www.endpoint.com
>      -----BEGIN PGP SIGNATURE-----
>      Version: GnuPG v1.4.9 (GNU/Linux)
>
>      iEYEARECAAYFAkwScpkACgkQRiRfCGf1UMMOzgCfW1P8SpFR53OSjm/og3hQFjba
>      0dIAoJK9mkm07XCAyfnPeiygBgrKuFG2
>      =XESJ
>      -----END PGP SIGNATURE-----