From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Michael Banck <michael(dot)banck(at)credativ(dot)de>
Cc: Postgres hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Record last password change
Date: 2019-01-05 19:15:00
Message-ID: 20190105191459.GR2528@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,
* Michael Banck (michael(dot)banck(at)credativ(dot)de) wrote:
> a customer recently mentioned that they'd like to be able to see when a
> (md5, scram) role had their password last changed.
There is an awful lot here that we really should be doing. For a long
time, that felt pretty stalled because of the md5 mechanism being used,
but now that we've got SCRAM, there's a number of things we should be
doing:
- Password aging (which requires knowing when it was last changed)
- Password complexity
- Disallow repeated use of the same password
- Requiring password change on first/next connection
- User/Password profiles
more...
> Use-cases for this would be issuing an initial password and then later
> making sure it got changed, or auditing that all passwords get changed
> once a year. You can do that via external authentication methods like
> ldap/gss-api/pam but in some setups those might not be available to the
> DBAs.
Agreed.
> I guess it would amount to adding a column like rolpasswordchanged to
> pg_authid and updating it when rolpassword changes, but maybe there is a
> better way?
That could be a start, but I do expect that we'll grow at least one
other table eventually to support user profiles.
> The same was requested in https://dba.stackexchange.com/questions/91252/how-to-know-when-postgresql-password-is-changed so I was wondering
> whether this would be a welcome change/addition, or whether people think
> it's not worth bothering to implement it?
Definitely a +1 from me, but I'd like us to be thinking about the other
things we should be doing in this area to bring our password-based
authentication mechanism kicking-and-screaming into the current decade.
Thanks!
Stephen
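Until a rolpasswordchanged column (or a user-profile table) exists, a DBA can approximate the "audit that all passwords get changed once a year" use-case from outside the catalog by polling pg_authid and logging whenever a role's stored verifier changes. The following is an added example, not code from this thread or from PostgreSQL itself; the table name password_change_log and the function name record_password_changes are chosen here, and it assumes a superuser runs it (pg_authid is not readable otherwise) on a schedule such as cron or pg_cron.

```sql
-- Added example, not from the thread: log password changes by polling pg_authid.
-- Only a fingerprint (md5 of the stored verifier) is kept, so the SCRAM/md5
-- verifier itself is not copied into a less protected table.
CREATE TABLE IF NOT EXISTS password_change_log (
    rolname             name        NOT NULL,
    verifier_fingerprint text,                   -- md5(pg_authid.rolpassword); NULL = role has no password
    changed_at          timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (rolname, changed_at)
);

-- Run periodically. Inserts a row for every login role whose stored verifier
-- differs from the last one recorded; the first run seeds the log, so those
-- rows mark "first seen", not the real change time. Resolution is the polling
-- interval: a change and revert between two runs is not observed.
CREATE OR REPLACE FUNCTION record_password_changes() RETURNS integer
LANGUAGE plpgsql AS $$
DECLARE
    n integer;
BEGIN
    WITH latest AS (
        SELECT DISTINCT ON (rolname) rolname, verifier_fingerprint
        FROM password_change_log
        ORDER BY rolname, changed_at DESC
    )
    INSERT INTO password_change_log (rolname, verifier_fingerprint)
    SELECT a.rolname, md5(a.rolpassword)
    FROM pg_authid a
    LEFT JOIN latest l ON l.rolname = a.rolname
    WHERE a.rolcanlogin
      AND (l.rolname IS NULL
           OR l.verifier_fingerprint IS DISTINCT FROM md5(a.rolpassword));
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END;
$$;

-- Audit query: login roles that have a password whose last recorded change
-- (or first sighting) is more than a year old.
SELECT l.rolname, max(l.changed_at) AS last_change
FROM password_change_log l
JOIN pg_authid a ON a.rolname = l.rolname
WHERE a.rolcanlogin AND a.rolpassword IS NOT NULL
GROUP BY l.rolname
HAVING max(l.changed_at) < now() - interval '1 year';
```

Two caveats follow from how the verifiers are built. A SCRAM verifier carries a fresh random salt each time the password is set, so re-setting a role to its previous password still shows up as a change; an md5 verifier is md5(password || username) and is therefore identical for the same password, so a reuse of the old password is invisible to this log (which is the gap the "disallow repeated use of the same password" item above would close in the server). Event triggers do not help here: ALTER ROLE acts on a shared object and does not fire them, which is why the example polls instead.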