Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mojU9-0003Py-EX for pgsql-hackers@arkaria.postgresql.org; Sun, 21 Nov 2021 09:50:09 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mojU8-0005er-AK for pgsql-hackers@arkaria.postgresql.org; Sun, 21 Nov 2021 09:50:08 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mojU7-0005ei-Ro for pgsql-hackers@lists.postgresql.org; Sun, 21 Nov 2021 09:50:07 +0000 Received: from mail-wm1-x335.google.com ([2a00:1450:4864:20::335]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1mojU1-0004VH-JU for pgsql-hackers@postgresql.org; Sun, 21 Nov 2021 09:50:06 +0000 Received: by mail-wm1-x335.google.com with SMTP id p18so12513203wmq.5 for ; Sun, 21 Nov 2021 01:50:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=migops.com; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=dz4J6ghjZJIFKoVvtDuhk2YVirkl5s/Z9eZUPdiGPcs=; b=t4JJM0ipnYGSuxM6NkKohUNwEJ5JdSQL37M1UVLeqpYaZ2SlfyFJ+4gQ/JVwo2GbFg tWDJjeEMkTx26d0ijGYREA8uT3yensQ6erfw1NC8pkmzS1Z0wNPF1rgkDU3zxhofZKB/ Fxya9tqFN9kkK7adiZee+KWZn08R3oH3ivVM08k38EhtE9FK62AFPMRS0qFeM5FST5ut 7BIY7mFckk7ogvlfDEm4iYi3zdV+TLj57eQdvJ1Z8UVa/3Op9EbEBCceStrpAlr8KfYG L4ytFXtVVRShkvxs1zw0Bzc+J7HDShf6rKYVs2oqYO8bSnxm5u8zcImOug4iP1KLONnt LGYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=dz4J6ghjZJIFKoVvtDuhk2YVirkl5s/Z9eZUPdiGPcs=; b=IX9FQSMk9B2aBiTUaad36tGbZSFfuvxAdAuMVZXu49D+72+eU3AKUqZCSrk1Kaywud TbrDNtNTHyVnm+vBD0dVA06oSoENI9jc3IMyGqqut0mCSTibqwOnlJ1R8+qtzZQOyyCY lWm9CKDHNXUDvkI94ncxPxEOOYzUj4g0yj3Q9TQBKWEQcXaoRlmfHnzmTpOBGKvI+2bT qjDnzy/sueM2wAhW7OuFj1GTo6PJ3/2Q0z7unw94XEIK6h9UBL742e4lTpbibp+TZw1P WcV5SyAMAYf4GVf+bfmbeJ3mm+B6qP5XqHykgyQ++t9S7qMZP+MIaEAa8yn/4miu8Wrw KmNQ== X-Gm-Message-State: AOAM530P8o3+FzL1rYDyMXOZTMJkzoaNBfdBKiQqTYWKwmXf6Ay8+9CO HZdx6NHQ5uPmLvV+DzgDusJ6JB9tC7Ty5Q== X-Google-Smtp-Source: ABdhPJwkJXGJ7DUKneyoIya1reV2wQFIhBOU6M/QndCZZ44m6H05gPu4ScnPnvw6sy4piMMB0FLhRA== X-Received: by 2002:a1c:f418:: with SMTP id z24mr18893549wma.95.1637488199762; Sun, 21 Nov 2021 01:49:59 -0800 (PST) Received: from ?IPv6:2a01:cb14:51d:5100:fded:3668:57ec:59a? ([2a01:cb14:51d:5100:fded:3668:57ec:59a]) by smtp.gmail.com with ESMTPSA id i17sm6309702wmq.48.2021.11.21.01.49.58 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 21 Nov 2021 01:49:59 -0800 (PST) Subject: Re: Pasword expiration warning To: Andrew Dunstan , "Bossart, Nathan" , Gilles Darold , Tom Lane Cc: PostgreSQL Hackers References: <129bcfbf-47a6-e58a-190a-62fc21a17d03@migops.com> <3046422.1637337334@sss.pgh.pa.us> <3ea14054-af0c-3f21-0ced-04c896438bdc@dunslane.net> From: Gilles Darold Message-ID: <08e09a01-5762-3b2e-1fa7-513478ab7394@migops.com> Date: Sun, 21 Nov 2021 10:49:57 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: <3ea14054-af0c-3f21-0ced-04c896438bdc@dunslane.net> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: fr List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Le 20/11/2021 à 14:48, Andrew Dunstan a écrit : > On 11/19/21 19:17, Bossart, Nathan wrote: >> On 11/19/21, 7:56 AM, "Tom Lane" wrote: >>> That leads me to wonder about server-side solutions. It's easy >>> enough for the server to see that it's used a password with an >>> expiration N days away, but how could that be reported to the >>> client? The only idea that comes to mind that doesn't seem like >>> a protocol break is to issue a NOTICE message, which doesn't >>> seem like it squares with your desire to only do this interactively. >>> (Although I'm not sure I believe that's a great idea. If your >>> application breaks at 2AM because its password expired, you >>> won't be any happier than if your interactive sessions start to >>> fail. Maybe a message that would leave a trail in the server log >>> would be best after all.) >> I bet it's possible to use the ClientAuthentication_hook for this. In >> any case, I agree that it probably belongs server-side so that other >> clients can benefit from this. >> > +1 for a server side solution. The people most likely to benefit from > this are the people least likely to be using psql IMNSHO. Ok, I can try to implement something at server side using a NOTICE message. -- Gilles Darold