MigOpsRepos / credcheck

PostgreSQL plain credential checker
MIT License

password_until_valid_customization #11

Closed Gabi201265 closed 1 year ago

Gabi201265 commented 1 year ago

Hello @gilles-migops @darold,

First of all, thank you very much for the development of the password historization feature. I just finished my tests, it's excellent.

I have another question about the password_valid_until option. I don't understand why it allows setting the minimum bound but not the maximum bound. I don't understand why credcheck doesn't allow control of a maximum bound. Indeed, to reinforce security, it is more logical to set a small maximum bound. But credcheck only allows setting the minimum bound...

Can you please explain to me in detail what the use is? Wouldn't it be better to redesign credcheck to set a default value for the upper bound?

Thank you very much for your work, Have a nice day, Gabriel Leroux

darold commented 1 year ago

You are right, both are required, and especially the max bound. Commit 3933c24 adds this feature, using the credcheck.password_valid_max setting.

```sql
SET credcheck.password_valid_max TO 180;
-- fail, the VALID UNTIL clause can not exceed a maximum of 180 days
ALTER USER aaa PASSWORD 'DummY2' VALID UNTIL '2050-01-01 00:00:00';
ERROR:  the VALID UNTIL option must NOT have a date beyond 180 days
-- Clear the user
DROP USER aaa;
-- fail, the VALID UNTIL clause can not exceed a maximum of 180 days
CREATE USER aaa PASSWORD 'DummY2' VALID UNTIL '2050-01-01 00:00:00';
ERROR:  require a VALID UNTIL option with a date beyond 180 days
```

Gabi201265 commented 1 year ago

Hello,

I am testing the credcheck.password_valid_max feature and I have an issue when I try to run `make install`:

```
credcheck.c: In function 'flush_password_history':
credcheck.c:1616:9: attention : implicit declaration of function 'unlink' [-Wimplicit-function-declaration]
     unlink(PGPH_DUMP_FILE ".tmp");
     ^
```

Do you have an idea how to solve this?

Have a good day, Gabriel

darold commented 1 year ago

Please pull latest development code. Commit aefe9cf could solve this issue.

Gabi201265 commented 1 year ago

Yes, indeed, I did it.

Now it's perfect 👌.

I would like to block the account after X incorrect password entry attempts. Do you know how I can add this feature on Postgres?

Best regards, Gabriel

darold commented 1 year ago

There is no hook in PostgreSQL core to handle that; a possible solution could be to use fail2ban.
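
The log-based approach suggested above (what fail2ban does), shown as an added example that is not part of credcheck or of this thread: it scans PostgreSQL's standard `password authentication failed for user "..."` FATAL lines, counts failures per role in a sliding window, and emits the `ALTER ROLE ... NOLOGIN` statement an operator would run to lock the role. The sample log lines are constructed and assume a `log_line_prefix` of `'%m [%p] '`; the threshold, window and lock action are assumptions, not credcheck behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; assumes log_line_prefix = '%m [%p] ' (timestamp, pid).
# alice fails 3 times in 4 seconds; bob's 3 failures are spread over ~20 minutes.
SAMPLE_LOG = """\
2024-03-01 10:00:01.000 UTC [4101] FATAL:  password authentication failed for user "alice"
2024-03-01 10:00:03.000 UTC [4102] FATAL:  password authentication failed for user "alice"
2024-03-01 10:00:04.000 UTC [4103] LOG:  connection authorized: user=bob database=app
2024-03-01 10:00:05.000 UTC [4104] FATAL:  password authentication failed for user "alice"
2024-03-01 10:00:09.000 UTC [4105] FATAL:  password authentication failed for user "bob"
2024-03-01 10:20:00.000 UTC [4106] FATAL:  password authentication failed for user "bob"
2024-03-01 10:20:01.000 UTC [4107] FATAL:  password authentication failed for user "bob"
"""

# Matches PostgreSQL's real failure message; timestamp fraction and zone are skipped.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \w+ \[\d+\] '
    r'FATAL:  password authentication failed for user "(?P<user>[^"]+)"')


def users_to_lock(log_text, max_failures=3, window_minutes=10):
    """Return {role: timestamp} for roles reaching max_failures inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # role -> timestamps of failures still in the window
    locked = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m.group('user') in locked:
            continue          # successful logins and other lines are ignored
        user, ts = m.group('user'), datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= max_failures:
            locked[user] = ts
    return locked


def lock_statement(role):
    """SQL an administrator would run; identifier is double-quoted and escaped."""
    return 'ALTER ROLE "%s" NOLOGIN;' % role.replace('"', '""')


if __name__ == '__main__':
    for role, when in users_to_lock(SAMPLE_LOG).items():
        print(when.isoformat(), lock_statement(role))   # alice locked at 10:00:05
```

With the default 10-minute window only alice is reported; widening the window to an hour also catches bob's slower attempts.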

darold commented 1 year ago

My bad, I had forgotten that the ClientAuthentication_hook_type exists. Working on adding this feature to block the account after X authentication failures.

darold commented 1 year ago

Version 2.0.0 adds this feature.