Обсуждение: Enforcing password standards
How to force postgres users to follow password standards and renewal policies?
Thanks
Deepak
On Thu, Jun 10, 2010 at 7:01 PM, DM <dm.aeqa@gmail.com> wrote: > How to force postgres users to follow password standards and renewal > policies? Use some form of external authentication.
* DM (dm.aeqa@gmail.com) wrote: > How to force postgres users to follow password standards and renewal > policies? It's not trivial, sadly. Regarding renewal, you can use the 'valid until' role parameter to implement a "only good until" mechanism, and then update that using a security definer function when the password is changed. You would then have to have your application calling that function for password changes. Another approach, which I've used in the past but I truely dislike, is to use PAM, cracklib, pam_tally, etc. The problem with this is that if you use pam_unix as the basic "password storage" mechanism, you have to jump through lots of nasty hoops and configure things in a really ugly way. You *could* use another PAM module besides pam_unix in the stack, but I'm not sure what the best suggestion there would be, and I think you'd still have ugly permission problems with pam_tally.. All-in-all, there really isn't a very good solution here, if you're forced to use the PG system for your authentication. If you can move *away* from that (something I would definitely encourage), it becomes alot more reasonable- eg: use Kerberos for your authentication and implement the password standards, renewal policies, etc, there. Or, use ident auth under Unix with unix domain sockets and make sure you configure the system-wide PAM requirements according to your policies. Both of those approaches avoid putting PWs in PG, which gives you a way to deal with the fact that PG doesn't have support for these kinds of policies. There have been a number of discussions about this issue but, sadly, I don't know that anyone has come up with a good solution yet. I've been sorely tempted to rewrite pam_unix to support an alternative storage location for the files it needs (along with pam_tally, etc), so that you could then use PAM under PG w/ just a "pg/etc" directory that had the PG-used pam_unix files (passwd, shadow, etc) instead of the system-wide ones. Thanks, Stephen
Вложения
On Thu, Jun 10, 2010 at 06:01:24PM -0700, DM wrote: > How to force postgres users to follow password standards and renewal > policies? > Thanks > Deepak 9.0 will ship with a contrib module called "passwordcheck" which will enforce some of these things, FWIW. -- Joshua Tolley / eggyknap End Point Corporation http://www.endpoint.com
Вложения
Thanks everyone,
I will wait for Postgres 9.0 to implement this feature then. Thanks
Thanks
Deepak
On Fri, Jun 11, 2010 at 10:30 AM, Joshua Tolley <eggyknap@gmail.com> wrote:
9.0 will ship with a contrib module called "passwordcheck" which will enforceOn Thu, Jun 10, 2010 at 06:01:24PM -0700, DM wrote:
> How to force postgres users to follow password standards and renewal
> policies?
> Thanks
> Deepak
some of these things, FWIW.
--
Joshua Tolley / eggyknap
End Point Corporation
http://www.endpoint.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkwScpkACgkQRiRfCGf1UMMOzgCfW1P8SpFR53OSjm/og3hQFjba
0dIAoJK9mkm07XCAyfnPeiygBgrKuFG2
=XESJ
-----END PGP SIGNATURE-----
On Fri, Jun 11, 2010 at 10:40:29AM -0700, DM wrote: > Thanks everyone, > I will wait for Postgres 9.0 to implement this feature then. Thanks The contrib module supports enforcement of only some of the things you've listed you want. For other items on your list (notably renewal), you're better off integrating with some external authentication provider, as has been suggested elsewhere in this thread. -- Josh > Thanks > Deepak > On Fri, Jun 11, 2010 at 10:30 AM, Joshua Tolley <eggyknap@gmail.com> > wrote: > > On Thu, Jun 10, 2010 at 06:01:24PM -0700, DM wrote: > > How to force postgres users to follow password standards and > renewal > > policies? > > Thanks > > Deepak > > 9.0 will ship with a contrib module called "passwordcheck" which will > enforce > some of these things, FWIW. > -- > Joshua Tolley / eggyknap > End Point Corporation > http://www.endpoint.com > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > > iEYEARECAAYFAkwScpkACgkQRiRfCGf1UMMOzgCfW1P8SpFR53OSjm/og3hQFjba > 0dIAoJK9mkm07XCAyfnPeiygBgrKuFG2 > =XESJ > -----END PGP SIGNATURE-----