Re: [GENERAL] Enforcing password standards

2010-06-14 Thread Joshua Tolley
On Fri, Jun 11, 2010 at 10:40:29AM -0700, DM wrote:
Thanks everyone,
I will wait for Postgres 9.0 to implement this feature then. Thanks

The contrib module supports enforcement of only some of the things you've
listed you want. For other items on your list (notably renewal), you're better
off integrating with some external authentication provider, as has been
suggested elsewhere in this thread.

--
Josh

Thanks
Deepak
On Fri, Jun 11, 2010 at 10:30 AM, Joshua Tolley eggyk...@gmail.com
wrote:
 
  On Thu, Jun 10, 2010 at 06:01:24PM -0700, DM wrote:
  How to force postgres users to follow password standards and
  renewal
  policies?
  Thanks
  Deepak
 
  9.0 will ship with a contrib module called passwordcheck which will
  enforce
  some of these things, FWIW.
  --
  Joshua Tolley / eggyknap
  End Point Corporation
  http://www.endpoint.com




Re: [GENERAL] Enforcing password standards

2010-06-11 Thread Joshua Tolley
On Thu, Jun 10, 2010 at 06:01:24PM -0700, DM wrote:
How to force postgres users to follow password standards and renewal
policies?
Thanks
Deepak

9.0 will ship with a contrib module called passwordcheck which will enforce
some of these things, FWIW.

--
Joshua Tolley / eggyknap
End Point Corporation
http://www.endpoint.com




Re: [GENERAL] Enforcing password standards

2010-06-11 Thread DM
Thanks everyone,

I will wait for Postgres 9.0 to implement this feature then. Thanks

Thanks
Deepak

On Fri, Jun 11, 2010 at 10:30 AM, Joshua Tolley eggyk...@gmail.com wrote:

 On Thu, Jun 10, 2010 at 06:01:24PM -0700, DM wrote:
 How to force postgres users to follow password standards and renewal
 policies?
 Thanks
 Deepak

 9.0 will ship with a contrib module called passwordcheck which will
 enforce
 some of these things, FWIW.

 --
 Joshua Tolley / eggyknap
 End Point Corporation
 http://www.endpoint.com





Re: [GENERAL] Enforcing password standards

2010-06-10 Thread Scott Marlowe
On Thu, Jun 10, 2010 at 7:01 PM, DM dm.a...@gmail.com wrote:
 How to force postgres users to follow password standards and renewal
 policies?

Use some form of external authentication.

-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general


Re: [GENERAL] Enforcing password standards

2010-06-10 Thread Stephen Frost
* DM (dm.a...@gmail.com) wrote:
 How to force postgres users to follow password standards and renewal
 policies?

It's not trivial, sadly.  Regarding renewal, you can use the 'valid
until' role parameter to implement an "only good until" mechanism, and
then update that using a security definer function when the password is
changed.  You would then have to have your application calling that
function for password changes.

Another approach, which I've used in the past but I truly dislike, is
to use PAM, cracklib, pam_tally, etc.  The problem with this is that if
you use pam_unix as the basic password storage mechanism, you have to
jump through lots of nasty hoops and configure things in a really ugly
way.  You *could* use another PAM module besides pam_unix in the stack,
but I'm not sure what the best suggestion there would be, and I think
you'd still have ugly permission problems with pam_tally.

All-in-all, there really isn't a very good solution here, if you're
forced to use the PG system for your authentication.  If you can move
*away* from that (something I would definitely encourage), it becomes
a lot more reasonable, e.g. use Kerberos for your authentication and
implement the password standards, renewal policies, etc. there.  Or, use
ident auth under Unix with unix domain sockets and make sure you
configure the system-wide PAM requirements according to your policies.
Both of those approaches avoid putting PWs in PG, which gives you a way
to deal with the fact that PG doesn't have support for these kinds of
policies.

There have been a number of discussions about this issue but, sadly, I
don't know that anyone has come up with a good solution yet.  I've been
sorely tempted to rewrite pam_unix to support an alternative storage
location for the files it needs (along with pam_tally, etc), so that you
could then use PAM under PG w/ just a pg/etc directory that had the
PG-used pam_unix files (passwd, shadow, etc) instead of the system-wide
ones.

Thanks,

Stephen


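The "valid until plus security definer function" approach Stephen describes above, worked through as an added example that is not part of the thread and not code from any poster. The function name change_my_password, the 90-day renewal window, the 12-character minimum and the grantee role app_users are assumptions chosen for illustration; quote_ident/quote_literal are used instead of format() so the example also fits the 8.4/9.0 era the thread is discussing.

```sql
-- Added example (not from the thread): a SECURITY DEFINER wrapper that sets a
-- role's password and pushes its VALID UNTIL date forward, so every password
-- change also renews the expiry. Assumed for illustration: the function name,
-- the 90-day window, the 12-character minimum and the grantee role app_users.

-- Install as a superuser, so the function body may ALTER any login role.
CREATE OR REPLACE FUNCTION change_my_password(new_password text)
RETURNS timestamptz
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- no user-writable schemas in scope
AS $$
DECLARE
    -- session_user is the role that actually logged in; inside a SECURITY
    -- DEFINER function current_user would be the function owner instead.
    who    text        := session_user::text;
    expiry timestamptz := now() + interval '90 days';
BEGIN
    -- Minimal local complexity rules; 9.0's passwordcheck module or an
    -- external provider would normally own this part.
    IF length(new_password) < 12 THEN
        RAISE EXCEPTION 'password must be at least 12 characters';
    END IF;
    IF position(lower(who) IN lower(new_password)) > 0 THEN
        RAISE EXCEPTION 'password must not contain the role name';
    END IF;

    -- ALTER ROLE cannot take bind parameters, so the statement is assembled
    -- with quote_ident/quote_literal to keep the password value from being
    -- interpreted as SQL.
    EXECUTE 'ALTER ROLE '  || quote_ident(who)
         || ' PASSWORD '   || quote_literal(new_password)
         || ' VALID UNTIL ' || quote_literal(expiry::text);
    RETURN expiry;
END;
$$;

-- Only the application role may call the wrapper.
REVOKE ALL ON FUNCTION change_my_password(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION change_my_password(text) TO app_users;

-- Audit query for the policy: login roles with no expiry, or already expired.
SELECT rolname, rolvaliduntil
FROM pg_roles
WHERE rolcanlogin
  AND (rolvaliduntil IS NULL OR rolvaliduntil < now());
```

Two caveats a practitioner would want: VALID UNTIL only governs password authentication, so it does nothing for roles that log in via Kerberos, ident or another external method (which is consistent with Stephen's point that those methods handle policy themselves); and a role can still run ALTER ROLE ... PASSWORD directly on itself, which changes the password without renewing the expiry, so the application must route password changes through the wrapper as the message says. As with any ALTER ROLE ... PASSWORD, a sufficiently verbose log_statement setting can write the statement text, password included, to the server log.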