From: Bruce Momjian on
Tom Lane wrote:
> "Albe Laurenz" <laurenz.albe(a)wien.gv.at> writes:
> > Bruce Momjian wrote:
> >> Password checks might include password complexity or non-reuse of
> >> passwords. This facility will require the client to send the password to
> >> the server in plain-text, so SSL and 'password' authentication is
> >> necessary to use this features.
>
> > So in my opinion that should be:
> > This facility will require to send new and changed password to
> > the server in plain-text, so it will require SSL, and the use
> > of encrypted passwords in CREATE/ALTER ROLE will have to be
> > disabled.
>
> Actually, not one word of *either* version should be in TODO. All of
> that is speculation about policies that a particular add-on module
> might or might not choose to enforce.

Agreed, updated:

|Allow server-side enforcement of password policies
|Password checks might include password complexity or non-reuse of
passwords. This facility will require the client to send password
creation/changes to the server in plain-text, not MD5.

--
Bruce Momjian <bruce(a)momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Magnus Hagander on
2009/10/19 Tom Lane <tgl(a)sss.pgh.pa.us>:
> I wrote:
>> A server-side plugin can provide a guarantee that there are no bad
>> passwords (for some value of bad, and with some possible adverse
>> consequences).  We don't have that today.
>
> BTW, it strikes me that ALTER USER RENAME introduces an interesting
> hazard for such a plugin.  Consider
>
> CREATE USER joe;
> ALTER USER joe PASSWORD joe;  -- presumably, plugin will reject this
> ALTER USER joe PASSWORD mumblefrotz;  -- assume this is considered OK
> ALTER USER joe RENAME TO mumblefrotz;
>
> Now we have a user with name equal to password, which no sane security
> policy will think is a good thing, but the plugin had no chance to
> prevent it.

The big difference is that you need to be superuser to change the name
of a user, but not to change your own password.

I know for example the Windows password policy thing has the same
issue - if you rename the user, it doesn't have the password around to
check, but you are an administrator so that's considered ok.


--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Magnus Hagander <magnus(a)hagander.net> writes:
> 2009/10/19 Tom Lane <tgl(a)sss.pgh.pa.us>:
>> Now we have a user with name equal to password, which no sane security
>> policy will think is a good thing, but the plugin had no chance to
>> prevent it.

> The big difference is that you need to be superuser to change the name
> of a user, but not to change your own password.

True, but the superuser doesn't necessarily know what the user has
set his password to.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
On Tue, Oct 20, 2009 at 9:42 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus(a)hagander.net> writes:
>> 2009/10/19 Tom Lane <tgl(a)sss.pgh.pa.us>:
>>> Now we have a user with name equal to password, which no sane security
>>> policy will think is a good thing, but the plugin had no chance to
>>> prevent it.
>
>> The big difference is that you need to be superuser to change the name
>> of a user, but not to change your own password.
>
> True, but the superuser doesn't necessarily know what the user has
> set his password to.

Yeah, but I'm not sure this case is worth worrying about. People who
actually care password security are likely to have checks that are
substantially stronger than "!= username".

....Robert

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Itagaki Takahiro on

"Albe Laurenz" <laurenz.albe(a)wien.gv.at> wrote:

> I wrote:
> > Following the discussions in
> > http://archives.postgresql.org/pgsql-hackers/2009-09/msg01766.php
> > and
> > http://archives.postgresql.org/pgsql-hackers/2009-10/msg00025.php ,
> > here are patches for
> >
> > a) a hook in backend/commands/user.c that allows one to add
> > password checking functions
> > b) a contrib module that makes use of the hook and
> > c) documentation for the contrib module.
>
> I found a small but embarrassing bug - here is another version.

I've reviewed your patch. The rough approach looks fine,
but I have some comments about function declarations and coding style.

The hook in core is declared as:
typedef int(*check_password_hook_type)(char * const username, char * const password);

but result type is actually treated as a boolean. So, it also should
declared as bool. Also, the type of arguments should be "const char *".


There several comments in contrib/passwordcheck.

- We don't need #ifdef PG_MODULE_MAGIC because the module works
only on 8.5 or later; PG_MODULE_MAGIC is always defined there.

- _PG_fini() is never called in HEAD anymore. Please remove it.

- The function declaration of _PG_init() should be _PG_init(void).

- isalpha() should be called as isalpha((unsigned char) c)
because it could be crashed by multi-byte characters.

- "8 characters long" would be better if it is configurable easily.
I don't think it is to be a GUC varable, but #define should be used.

- The logic in "check if the password contains only letters" should be
"check if the password contains both upper-case, lower-case and
non-alphabet letters". Passwords like "12345678' are not enough.

- Coding style should more follow postgres. For example, posisions
of '{', usage of spaces and linebreaks.


Regards,
---
ITAGAKI Takahiro
NTT Open Source Software Center



--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers