MigOpsRepos / credcheck

PostgreSQL plain credential checker
MIT License

Enforcing periodic change of password #5

Closed umairshahid closed 1 year ago

umairshahid commented 2 years ago

One of the requirements for regulatory compliance is to force a periodic change in password. Specifically, this requirement from SOC 2 says:

Passwords for privileged accounts shall be changed at least every 60 days.

Can credcheck be used to enforce this in the database? If yes, how? If no, what would you suggest as a workaround?

migopsdinesh commented 2 years ago

credcheck will not be forcing/expiring the user's credentials, but it would be a good add-on to this extension. As a workaround, I think we have to go with the 'VALID UNTIL' option, which locks the user after a certain time interval.

umairshahid commented 2 years ago

When you say 'add on to this extension', are you implying a different extension is needed or are you saying that this could be a good feature to implement in credcheck?

Also, VALID UNTIL is not a good alternative, as it will require an admin to reset the password each time it expires.

migopsdinesh commented 2 years ago

I mean, this could be a good feature for this extension. At least, a background worker which runs in the background and periodically enforces the password change, as per the timeline.

I am trying to understand what password enforcement means. When the password lifetime expires, do we need to perform the actions below?

  1. Kill all the connections of that user
  2. When a user connects to the database, then throw an error such as "password rotation is required"
  3. Give a mechanism to the user to rotate the current password

umairshahid commented 2 years ago

Yes, I think that is exactly it.

darold commented 2 years ago

Hi,

I think that the extension should only have a parameter to comply with SOC 2 that enforces CREATE or ALTER ROLE statements with a VALID UNTIL value in the range of the 60 days. Something like password_valid_until = 60 will enable the check, defaulting to 0 = infinity. Then credcheck will verify that the password has an expiration date lower than or equal to password_valid_until.

Once the user reaches the expiration date he will not be able to connect anymore; the PostgreSQL backend will refuse the connection by returning an error "FATAL: password authentication failed for user". It is the responsibility of the application/client to propose to the user to change the password before the expiration date is reached. We can not do that at extension level because there is no hook on new connection.

Also it is not a good idea to kill a connection because the password has expired; the rejection will appear next time the user logs in. If there is a connection pooler this can take a while depending on the setting of server connection lifetime, but this is better than killing a connection.
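As an added illustration of the check proposed in this comment (not code from credcheck or its authors), the Python below models the rule: given a CREATE ROLE or ALTER ROLE statement and a hypothetical `password_valid_until` setting in days, it accepts only statements whose VALID UNTIL expiry falls within that window, rejects 'infinity' and missing clauses, and treats 0 as "check disabled". The statement texts are constructed samples and the function names are assumptions; the real extension implements this inside PostgreSQL, not in Python.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches VALID UNTIL '<literal>' in a CREATE ROLE / ALTER ROLE statement.
VALID_UNTIL_RE = re.compile(r"VALID\s+UNTIL\s+'([^']*)'", re.IGNORECASE)


def extract_valid_until(statement):
    """Return the VALID UNTIL literal from a ROLE statement, or None if absent."""
    m = VALID_UNTIL_RE.search(statement)
    return m.group(1) if m else None


def check_valid_until(statement, password_valid_until_days, now=None):
    """Return (ok, reason) for one statement.

    password_valid_until_days is the hypothetical policy window in days;
    0 (or less) disables the check, mirroring "default to 0 = infinity".
    now is injectable so the policy can be evaluated deterministically.
    """
    if password_valid_until_days <= 0:
        return True, "check disabled (password_valid_until = 0)"
    now = now or datetime.now(timezone.utc)
    literal = extract_valid_until(statement)
    if literal is None:
        return False, "no VALID UNTIL clause: password would never expire"
    if literal.strip().lower() == "infinity":
        return False, "VALID UNTIL 'infinity' never expires"
    try:
        expiry = datetime.fromisoformat(literal.strip())
    except ValueError:
        return False, "unparseable VALID UNTIL value %r" % literal
    if expiry.tzinfo is None:
        # Assume UTC for naive literals so aware comparison is possible.
        expiry = expiry.replace(tzinfo=timezone.utc)
    limit = now + timedelta(days=password_valid_until_days)
    if expiry > limit:
        return False, "expiry %s exceeds the %d-day window ending %s" % (
            expiry.date(), password_valid_until_days, limit.date())
    return True, "expiry %s is within the %d-day window" % (
        expiry.date(), password_valid_until_days)


def audit(statements, password_valid_until_days, now=None):
    """Evaluate several statements; returns a list of (statement, ok, reason)."""
    return [(s,) + check_valid_until(s, password_valid_until_days, now)
            for s in statements]


# Constructed sample statements, evaluated at a fixed point in time.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_STATEMENTS = [
    "ALTER ROLE app_admin VALID UNTIL '2024-02-15'",          # within 60 days
    "ALTER ROLE app_admin VALID UNTIL '2024-06-01 10:00:00'",  # beyond 60 days
    "CREATE ROLE reporter LOGIN PASSWORD 'secret'",           # no expiry at all
    "ALTER ROLE batch_user VALID UNTIL 'infinity'",           # explicit never
]

if __name__ == "__main__":
    for stmt, ok, reason in audit(SAMPLE_STATEMENTS, 60, SAMPLE_NOW):
        print("%-6s %s  (%s)" % ("ALLOW" if ok else "REJECT", stmt, reason))
```

The window is measured from the time the statement is checked, so a role altered today with a 60-day expiry passes, while one dated six months out, one with no VALID UNTIL, or one set to 'infinity' is rejected; setting the window to 0 turns the check off entirely.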

migopsdinesh commented 2 years ago

Agreed. Rather than killing the current user connections, let the rejection appear next time.

umairshahid commented 2 years ago

Thank you very much for entertaining my request. I am looking forward to the implementation of this feature.

darold commented 1 year ago

Commit 57643d9 adds this feature through the use of setting credcheck.password_valid_until.