Closed Gabi201265 closed 1 year ago
You are right, both are required and especially the max bound. Commit 3933c24 adds this feature, using the credcheck.password_valid_max setting.
SET credcheck.password_valid_max TO 180;
-- fail, the VALID UNTIL clause can not exceed a maximum of 180 days
ALTER USER aaa PASSWORD 'DummY2' VALID UNTIL '2050-01-01 00:00:00';
ERROR: the VALID UNTIL option must NOT have a date beyond 180 days
-- Clear the user
DROP USER aaa;
-- fail, the VALID UNTIL clause can not exceed a maximum of 180 days
CREATE USER aaa PASSWORD 'DummY2' VALID UNTIL '2050-01-01 00:00:00';
ERROR: require a VALID UNTIL option with a date beyond 180 days
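The statements above show the bound being applied when CREATE USER or ALTER USER runs, so roles that already exist keep whatever expiry they had. The query below is an added example, not part of the thread or of the credcheck project, that audits existing login roles against the same bound. It assumes a superuser session (pg_authid is restricted) and falls back to the 180 days used above when the setting is absent or 0.

```sql
-- Added example: list login roles whose password expiry is missing
-- or lies beyond the maximum validity window.
WITH bound AS (
    SELECT COALESCE(
               -- missing_ok = true: returns NULL if credcheck is not loaded
               NULLIF(
                   NULLIF(current_setting('credcheck.password_valid_max', true), '')::int,
                   0),
               180   -- assumption: same value as in the example above
           ) AS max_days
)
SELECT a.rolname,
       a.rolvaliduntil,
       CASE
           WHEN a.rolvaliduntil IS NULL      THEN 'no VALID UNTIL set'
           WHEN a.rolvaliduntil = 'infinity' THEN 'never expires'
           ELSE 'expires more than ' || b.max_days || ' days from now'
       END AS finding
FROM pg_authid AS a
CROSS JOIN bound AS b
WHERE a.rolcanlogin
  AND a.rolpassword IS NOT NULL          -- only roles that can log in with a password
  AND (a.rolvaliduntil IS NULL
       OR a.rolvaliduntil > now() + make_interval(days => b.max_days))
ORDER BY a.rolvaliduntil NULLS FIRST, a.rolname;
```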
Hello,
I am testing the credcheck.password_valid_max feature and I have an issue when I try to make install:
credcheck.c: In function 'flush_password_history':
credcheck.c:1616:9: attention : implicit declaration of function 'unlink' [-Wimplicit-function-declaration]
unlink(PGPH_DUMP_FILE ".tmp");
^
Do you have an idea to solve this?
Have a good day, Gabriel
Please pull latest development code. Commit aefe9cf could solve this issue.
Yes, indeed, I did it.
Now it's perfect 👌.
I would like to block the account after X incorrect password entry attempts. Do you know how I can do this feature on postgres?
Best regards, Gabriel
There is no hook in PostgreSQL core to handle that; a possible solution could be to use fail2ban.
My bad, I had forgotten that the ClientAuthentication_hook_type exists. Working on adding this feature to block the account after X authentication failures.
Version 2.0.0 adds this feature.
Hello @gilles-migops @darold,
First of all, thank you very much for the development of the password historization feature. I just finished my tests, it's excellent.
I have another question about the password_valid_until option. I don't understand why it allows setting the minimum bound but not the maximum bound. I don't understand why credcheck doesn't allow the control of a maximum bound. Indeed, to reinforce security, it is more logical to set a small maximum bound. But credcheck only allows setting the minimum bound...
Can you please explain to me in detail what the use is? Wouldn't it be better to redesign credcheck to set a default value for the upper bound?
Thank you very much for your work, Have a nice day, Gabriel Leroux