Closed umairshahid closed 1 year ago
credcheck will not be forcing/expiring the user's credentials, but it would be a good add on to this extension. As a workaround, I think we have to go with the 'VALID UNTIL' option, which locks the user after a certain time interval.
When you say 'add on to this extension', are you implying a different extension is needed or are you saying that this could be a good feature to implement in credcheck?
Also, VALID UNTIL is not a good alternative, as it will require an admin to reset the password each time it expires.
I mean, this could be a good feature for this extension. At least a background worker which runs in the background and periodically enforces the password change, as per the timeline.
I am trying to understand what password enforcement means here. When the password lifetime expires, do we need to perform the actions below?
Yes, I think that is exactly it.
Hi,
I think that the extension should only have a parameter to comply with SOC 2 that enforces CREATE or ALTER ROLE statements with a VALID UNTIL value in the range of the 60 days. Something like password_valid_until = 60 will enable the check, default to 0 = infinity. Then credcheck will verify that the password has an expiration date lower than or equal to password_valid_until.
Once the user reaches the expiration date he will not be able to connect anymore; the PostgreSQL backend will refuse the connection by returning the error "FATAL: password authentication failed for user". It is the responsibility of the application/client to propose to the user to change the password before the expiration date is reached. We cannot do that at extension level because there is no hook on new connection.
Also, it is not a good idea to kill a connection because the password has expired; the rejection will appear the next time the user logs in. If there is a connection pooler this can take a while depending on the setting of the server connection lifetime, but this is better than killing a connection.
Agreed. Rather than killing the current user connections, let the rejection appear next time.
Thank you very much for entertaining my request. I am looking forward to the implementation of this feature.
Commit 57643d9 adds this feature through the use of the setting credcheck.password_valid_until.
One of the requirements for regulatory compliance is to force a periodic change in password. Specifically, this requirement from SOC 2 says:
Passwords for privileged accounts shall be changed at least every 60 days.
Can credcheck be used to enforce this in the database? If yes, how? If no, what would you suggest as a workaround?