From: Gilles Darold
To: raphi, pgsql-general@lists.postgresql.org
Date: Tue, 24 Jun 2025 14:28:41 +0200
Subject: Re: password rules
On 24/06/2025 at 07:18, raphi wrote:
>
>
> On 23.06.2025 at 22:39, Christoph Berg wrote:
>> Re: raphi
>>> Sorry for this rather long (first) email on this list but I feel like I had
>>> to explain our use case and why LDAP is not always as simple as adding a line
>>> to hba.conf.
>> Did you give the "pam" method a try?
> Not really, because it's a local solution. How do you change passwords
> or keep history on your standby nodes? Besides, the documentation says
> that postgres can't handle /etc/shadow because it runs unprivileged,
> only pam_ldap would work. Or am I missing something?
>
> have fun,
> raphi

I think the credcheck extension was created to handle the features you are requesting.

> - enforce some password complexity and prevent reuse

This is already implemented.

> - expire a password immediately after creating it and prompt the user to
> change it upon the first login attempt. They can connect with the initial
> password but cannot log in until they've set a new password.

I started working on this some weeks ago; it just needs more time to finish and polish the job.

> the password history is not being replicated to the standby, so we can
> not use it.

It has been on my TODO list for a year, as you noted, and I will try to implement it this summer.

--
Gilles Darold
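For readers who want to try the complexity and reuse checks the reply says are already implemented, here is a constructed walkthrough. It is an added example, not part of the thread and not code shipped by the credcheck project; the parameter names are written down from memory of the credcheck README and must be checked against the version you install, and the role name and passwords are made up for illustration. The thread's own point about standbys applies: the reuse history is server-local state, so a password accepted on one node may not be known as "used" on another.

```sql
-- postgresql.conf fragment (constructed example; settings are assumptions to verify
-- against the credcheck README for your release). credcheck must be preloaded for
-- the reuse history, which lives in server-local shared memory, to be available.
--
--   shared_preload_libraries = 'credcheck'
--   credcheck.password_min_length      = 12   -- reject anything shorter
--   credcheck.password_min_special     = 1    -- at least one punctuation character
--   credcheck.password_min_digit       = 1
--   credcheck.password_min_upper       = 1
--   credcheck.password_min_lower       = 1
--   credcheck.password_contain_username = off -- the password may not embed the role name
--   credcheck.password_reuse_history   = 5    -- remember the last five passwords per role
--   credcheck.password_reuse_interval  = 365  -- and refuse them for a year
--
-- Then, connected as a superuser on that server:

CREATE EXTENSION IF NOT EXISTS credcheck;

-- Confirm the rules actually loaded; an empty result means shared_preload_libraries
-- was not applied (the server was not restarted) and nothing is being enforced.
SELECT name, setting
  FROM pg_settings
 WHERE name LIKE 'credcheck.%'
 ORDER BY name;

-- Too short, no special character, contains the role name: expected to be rejected.
CREATE ROLE raphi LOGIN PASSWORD 'raphi2025';

-- Meets every rule above: expected to succeed.
CREATE ROLE raphi LOGIN PASSWORD 'Tr0ub4dor&Horse!';

-- Setting the same password again is expected to fail the reuse check,
-- because the previous one is still within password_reuse_history / _interval.
ALTER ROLE raphi PASSWORD 'Tr0ub4dor&Horse!';

-- A genuinely new password is accepted.
ALTER ROLE raphi PASSWORD 'N3w-Secret.For.Raphi';
```

One caveat a practitioner will hit immediately: the checks can only run on a password the server sees in clear text inside the SQL statement. If the client hashes first (psql's `\password`, or an application that sends a pre-computed SCRAM verifier), the server receives only the hash, and the complexity rules cannot be evaluated against it. Decide, and configure, how pre-hashed passwords should be treated before relying on the extension as a control.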