Discussion: Password Security Standards on PostgreSQL
Hi list,
In Oracle, a user profile called "PROFILE" can be created, and this profile can have the following specifications:
PASSWORD_LIFE_TIME (describes when the password will expire)
FAILED_LOGIN_ATTEMPTS (specifies the number of failed login attempts before the user account is locked)
PASSWORD_LOCK_TIME (specifies how long the user account stays locked after the failed login attempt limit is exceeded)
PASSWORD_VERIFY_FUNCTION (allows setting a strong password verification function: minimum characters, password complexity)
Does PostgreSQL have any capability like this, apart from LDAP, Kerberos or PAM authentication?
Regards,
Murat KOC
On 03/07/2013 03:10 AM, MURAT KOÇ wrote:
> Hi list,
> In Oracle, a user profile called "PROFILE" can be created, and this
> profile can have the following specifications:
> PASSWORD_LIFE_TIME (describes when the password will expire)
> FAILED_LOGIN_ATTEMPTS (specifies the number of failed login attempts before
> the user account is locked)
> PASSWORD_LOCK_TIME (specifies how long the user account stays locked
> after the failed login attempt limit is exceeded)
> PASSWORD_VERIFY_FUNCTION (allows setting a strong password verification
> function: minimum characters, password complexity)
> Does PostgreSQL have any capability like this, apart from LDAP, Kerberos or PAM
> authentication?

The only part of the above that I know of is VALID UNTIL (PASSWORD_LIFE_TIME) from below:

http://www.postgresql.org/docs/9.2/interactive/sql-createrole.html

> Regards,
> Murat KOC

--
Adrian Klaver
adrian.klaver@gmail.com
MURAT KOÇ wrote:
> In Oracle, a user profile called "PROFILE" can be created, and this profile can have the following
> specifications:
>
> PASSWORD_LIFE_TIME (describes when the password will expire)
> FAILED_LOGIN_ATTEMPTS (specifies the number of failed login attempts before the user account is locked)
> PASSWORD_LOCK_TIME (specifies how long the user account stays locked after the failed login attempt limit
> is exceeded)
> PASSWORD_VERIFY_FUNCTION (allows setting a strong password verification function: minimum characters,
> password complexity)
>
> Does PostgreSQL have any capability like this, apart from LDAP, Kerberos or PAM authentication?

There's the "passwordcheck" contrib:
http://www.postgresql.org/docs/current/static/passwordcheck.html

It does the same thing as Oracle's PASSWORD_VERIFY_FUNCTION.

You can write your own password checking function.
This way you can also force a certain password expiry date
(PostgreSQL does not have a password life time).

Yours,
Laurenz Albe
2013/3/8 Albe Laurenz <laurenz.albe@wien.gv.at>
> This way you can also force a certain password expiry date
> (PostgreSQL does not have a password life time).

What about ALTER ROLE ... VALID UNTIL 'timestamp'?

--
Victor Y. Yegorov
Victor Yegorov wrote:
> 2013/3/8 Albe Laurenz <laurenz.albe@wien.gv.at>
>> This way you can also force a certain password expiry date
>> (PostgreSQL does not have a password life time).
>
> What about ALTER ROLE ... VALID UNTIL 'timestamp'?

That's the password expiry date.

Oracle's concept is different: it sets a limit on the time
between password changes.

There is no such thing in PostgreSQL.

Yours,
Laurenz Albe
On Fri, Mar 8, 2013 at 4:07 AM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
> Victor Yegorov wrote:
>> 2013/3/8 Albe Laurenz <laurenz.albe@wien.gv.at>
>>> This way you can also force a certain password expiry date
>>> (PostgreSQL does not have a password life time).
>>
>> What about ALTER ROLE ... VALID UNTIL 'timestamp'?
>
> That's the password expiry date.
>
> Oracle's concept is different: it sets a limit on the time
> between password changes.
>
> There is no such thing in PostgreSQL.

BTW, your suggestion to use a function here is exactly what we do in LedgerSMB. Password expiration is forced to be now() + an interval specified in a configuration table.

It would be nice to be able to do handling of failed login attempts, but currently I don't think that's possible from within PostgreSQL (i.e. without external auth).
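The function-based approach Laurenz Albe suggests above (write your own password checking function and use it to force an expiry date) and the LedgerSMB pattern described in the last message (expiration forced to now() + an interval from a configuration table) can be combined in one PL/pgSQL function. The following is an added example written for this page; it is not code from the thread and not LedgerSMB's own implementation. The table pw_policy, its columns, and the function set_password are assumed names. The function applies minimum-length and character-class rules, the job Oracle's PASSWORD_VERIFY_FUNCTION does, and then sets VALID UNTIL from the policy interval so the caller cannot choose a later expiry:

```sql
-- Added example, not from the thread or from LedgerSMB.
-- Assumed objects: table pw_policy (single policy row) and function set_password.
-- Works on PostgreSQL 9.1+ (format() with %I/%L, CREATE TABLE IF NOT EXISTS).

CREATE TABLE IF NOT EXISTS pw_policy (
    id          int      PRIMARY KEY CHECK (id = 1),   -- exactly one policy row
    min_length  int      NOT NULL DEFAULT 12,
    life_time   interval NOT NULL DEFAULT '90 days'     -- the Oracle "password life time"
);

INSERT INTO pw_policy (id)
SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM pw_policy WHERE id = 1);

-- SECURITY DEFINER because ordinary roles can change their own password but
-- not their own VALID UNTIL; the function must therefore be owned by a
-- superuser (or a CREATEROLE role) and the search_path is pinned.
CREATE OR REPLACE FUNCTION set_password(p_role name, p_password text)
RETURNS timestamptz
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
DECLARE
    pol        pw_policy%ROWTYPE;
    expires_at timestamptz;
BEGIN
    -- session_user is the logged-in user even inside a SECURITY DEFINER
    -- function: only superusers may set another role's password here.
    IF p_role <> session_user
       AND NOT EXISTS (SELECT 1 FROM pg_roles
                       WHERE rolname = session_user AND rolsuper) THEN
        RAISE EXCEPTION 'not allowed to change the password of role %', p_role;
    END IF;

    SELECT * INTO STRICT pol FROM pw_policy WHERE id = 1;

    -- Complexity rules, the equivalent of PASSWORD_VERIFY_FUNCTION.
    IF length(p_password) < pol.min_length THEN
        RAISE EXCEPTION 'password must be at least % characters long', pol.min_length;
    END IF;
    IF p_password !~ '[A-Z]' OR p_password !~ '[a-z]' OR p_password !~ '[0-9]' THEN
        RAISE EXCEPTION 'password must contain upper-case, lower-case and digit characters';
    END IF;
    IF position(lower(p_role::text) IN lower(p_password)) > 0 THEN
        RAISE EXCEPTION 'password must not contain the role name';
    END IF;

    -- Forced life time: the expiry is always now() + the configured interval,
    -- never a value chosen by the caller.
    expires_at := now() + pol.life_time;

    EXECUTE format('ALTER ROLE %I PASSWORD %L VALID UNTIL %L',
                   p_role, p_password, expires_at);
    RETURN expires_at;
END;
$$;

-- Usage (returns the new expiry timestamp or raises on a policy violation):
-- SELECT set_password(session_user, 'Correct-Horse-42');
```

Two caveats a practitioner should keep in mind. First, VALID UNTIL expires the password only, not the role: it is not enforced for authentication methods that do not use the PostgreSQL password, so it does not lock out a Kerberos or certificate login. Second, a SQL-level function is advisory where the passwordcheck hook is mandatory: the hook runs inside the server on every CREATE ROLE / ALTER ROLE ... PASSWORD, whereas an ordinary role can still bypass set_password by issuing ALTER ROLE on itself directly, and the cleartext password passes through a SQL statement that statement logging (for example log_statement = 'all') or pg_stat_activity can expose. The function is a good fit for the application-level workflow the LedgerSMB message describes; it is not a substitute for loading passwordcheck (or a hook of your own) when the policy must hold for every path.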