Subject: Credcheck version 2.4 released
From: HexaCluster via PostgreSQL Announce
To: PostgreSQL Announce
Reply-To: gilles@hexacluster.ai
Date: Tue, 30 Jan 2024 15:11:22 +0000

Grenoble - January 30, 2024

## PostgreSQL credcheck extension

The credcheck PostgreSQL extension provides a few general credential checks, which are evaluated during user creation, password change and user renaming. By using this extension, we can define a set of rules:

* allow a specific set of credentials
* reject a certain type of credentials
* deny passwords that can be easily cracked
* enforce use of an expiration date with a minimum number of days for a password
* define a password reuse policy
* define the number of authentication failures allowed before a user is banned
* add a delay after each authentication failure

This release is a maintenance release that fixes a major issue with the backup of the password history file with pgBackRest and adds an authentication delay feature.

- Add an authentication delay feature to be able to add a pause on authentication failure. Setting `credcheck.auth_delay_ms` causes the server to pause for a given number of milliseconds before reporting authentication failure. This makes brute-force attacks on database passwords more difficult. This patch is purely a copy/paste from the auth_delay extension, just to limit the number of extensions to preload. See https://www.postgresql.org/docs/current/auth-delay.html for more information about the origin of this feature.
- Force the size of the file `$PGDATA/global/pg_password_history` to be a multiple of 8192 to fix the pgBackRest error reported as: "page misalignment in file /.../global/pg_password_history: file size 2604 is not divisible by page size 8192"

Extension upgrade requires a PostgreSQL restart to reload the credcheck library.

The complete list of changes and acknowledgments is available [here](https://github.com/MigOpsRepos/credcheck/releases/tag/v2.4).

## Links & Credits

credcheck is an open project under the PostgreSQL license created at [MigOps Inc](https://migops.com/), developed and maintained at [HexaCluster Corp](https://hexacluster.ai/) by [Gilles Darold](https://www.darold.net/).

Any contribution to build a better tool is welcome. You can send your ideas, feature requests or patches using the GitHub tools.

**Links:**

* Download: [https://github.com/MigOpsRepos/credcheck/releases/](https://github.com/MigOpsRepos/credcheck/releases/)
* Support: use the GitHub report tool at [https://github.com/MigOpsRepos/credcheck/issues](https://github.com/MigOpsRepos/credcheck/issues)

## About credcheck

The credcheck extension is an original work of [MigOps Inc](https://migops.com/). Since MigOps is closed, Gilles Darold is the official maintainer. If you need more information please [contact me](mailto:gilles@darold.net).

Documentation at [https://github.com/MigOpsRepos/credcheck#readme](https://github.com/MigOpsRepos/credcheck#readme)
 
