Discussion:
Password Security Standards on PostgreSQL
MURAT KOÇ
2013-03-07 11:10:04 UTC
Hi list,

In Oracle, a user profile called "PROFILE" can be created, and this
profile can have the specifications below:

PASSWORD_LIFE_TIME (that describes when password will expire)
FAILED_LOGIN_ATTEMPTS (specifies number of failed login attempts before
locking user account)
PASSWORD_LOCK_TIME (specified time after user account is locked because
of failed login attempts exceeded)
PASSWORD_VERIFY_FUNCTION (this allows setting a strong password verify
function - min characters, password complexity)

Has PostgreSQL got any capability like this, apart from LDAP, Kerberos or PAM
authentication?

Regards,
Murat KOC
Adrian Klaver
2013-03-07 14:40:38 UTC
Post by MURAT KOÇ
Hi list,
In Oracle, it could be created a user profile called "PROFILE" and this
PASSWORD_LIFE_TIME (that describes when password will expire)
FAILED_LOGIN_ATTEMPTS (specifies number of failed login attempts before
locking user account)
PASSWORD_LOCK_TIME (specified time after user account is locked
because of failed login attempts exceeded)
PASSWORD_VERIFY_FUNCTION (this allows setting a strong password verify
function - min characters, password complexity)
Has PostgreSQL got any capability like this except LDAP, kerberos or PAM
authentication ?
The only part of the above that I know of is VALID UNTIL
(PASSWORD_LIFE_TIME) from below:

http://www.postgresql.org/docs/9.2/interactive/sql-createrole.html
Post by MURAT KOÇ
Regards,
Murat KOC
--
Adrian Klaver
***@gmail.com
--
Sent via pgsql-general mailing list (pgsql-***@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Albe Laurenz
2013-03-08 10:18:24 UTC
In Oracle, it could be created a user profile called "PROFILE" and this profile could have below
PASSWORD_LIFE_TIME (that describes when password will expire)
FAILED_LOGIN_ATTEMPTS (specifies number of failed login attempts before locking user account)
PASSWORD_LOCK_TIME (specified time after user account is locked because of failed login attempts
exceeded)
PASSWORD_VERIFY_FUNCTION (this allows setting a strong password verify function - min characters,
password complexity)
Has PostgreSQL got any capability like this except LDAP, kerberos or PAM authentication ?
There's the "passwordcheck" contrib:
http://www.postgresql.org/docs/current/static/passwordcheck.html
It does the same thing as Oracle's PASSWORD_VERIFY_FUNCTION.
You can write your own password checking function.
This way you can also force a certain password expiry date
(PostgreSQL does not have a password life time).

Yours,
Laurenz Albe
Victor Yegorov
2013-03-08 11:20:37 UTC
Post by Albe Laurenz
This way you can also force a certain password expiry date
(PostgreSQL does not have a password life time).
What about ALTER ROLE ... VALID UNTIL 'timestamp' ?
--
Victor Y. Yegorov
Albe Laurenz
2013-03-08 12:07:10 UTC
Post by Victor Yegorov
Post by Albe Laurenz
This way you can also force a certain password expiry date
(PostgreSQL does not have a password life time).
What about ALTER ROLE ... VALID UNTIL 'timestamp' ?
That's the password expiry date.

Oracle's concept is different: it sets a limit on the time
between password changes.
There is no such thing in PostgreSQL.

Yours,
Laurenz Albe
Chris Travers
2013-03-08 13:45:46 UTC
Post by Albe Laurenz
Post by Victor Yegorov
Post by Albe Laurenz
This way you can also force a certain password expiry date
(PostgreSQL does not have a password life time).
What about ALTER ROLE ... VALID UNTIL 'timestamp' ?
That's the password expiry date.
Oracle's concept is different: it sets a limit on the time
between password changes.
There is no such thing in PostgreSQL.
BTW, your suggestion to use a function here is exactly what we do in
LedgerSMB. Password expiration is forced to be now() + an interval
specified in a configuration table.

It would be nice to be able to do handling of failed login attempts but
currently I don't think that's possible from within PostgreSQL (i.e.
without external auth).
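A sketch of the approach Chris describes (password change coupled to a forced VALID UNTIL of now() plus an interval read from a configuration table), written as an added example for this thread; it is not LedgerSMB's code, and the table and function names are assumed:

```sql
-- Assumed policy table: one row holding the maximum password age.
CREATE TABLE password_policy (
    max_password_age interval NOT NULL
);
INSERT INTO password_policy VALUES ('90 days');

-- SECURITY DEFINER so that an ordinary role, which may only change its
-- own password and not its VALID UNTIL, still gets the expiry reset.
-- The function must be owned by a superuser (or CREATEROLE role).
CREATE OR REPLACE FUNCTION set_password_with_expiry(p_role text, p_password text)
RETURNS timestamptz
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
DECLARE
    v_expires timestamptz;
BEGIN
    -- Only let a caller change its own password, unless it is a superuser.
    IF p_role <> current_user
       AND NOT (SELECT rolsuper FROM pg_roles WHERE rolname = current_user) THEN
        RAISE EXCEPTION 'role % may not change the password of %', current_user, p_role;
    END IF;

    -- Compute the new expiry from the configured lifetime.
    SELECT now() + max_password_age INTO v_expires FROM password_policy;
    IF v_expires IS NULL THEN
        RAISE EXCEPTION 'password_policy table is empty';
    END IF;

    -- %I quotes the identifier and %L the literals, so the role name and
    -- password cannot break out of the generated ALTER ROLE statement.
    EXECUTE format('ALTER ROLE %I WITH PASSWORD %L VALID UNTIL %L',
                   p_role, p_password, v_expires);
    RETURN v_expires;
END;
$$;

-- Do not leave the definer function callable by everyone by default.
REVOKE ALL ON FUNCTION set_password_with_expiry(text, text) FROM PUBLIC;

-- Example call (placeholder values):
-- SELECT set_password_with_expiry('alice', 'new-password-here');
```

Because VALID UNTIL only governs password authentication, roles logging in via LDAP, Kerberos or PAM are unaffected, and the new password still travels to the server in the SQL text, so the connection should be TLS-protected.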
