Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mo6Eo-0006Oy-KK for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Nov 2021 15:55:42 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1mo6Em-0000ad-3I for pgsql-hackers@arkaria.postgresql.org; Fri, 19 Nov 2021 15:55:40 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mo6El-0000aQ-P8 for pgsql-hackers@lists.postgresql.org; Fri, 19 Nov 2021 15:55:39 +0000 Received: from sss.pgh.pa.us ([66.207.139.130]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mo6Ej-00027s-4P for pgsql-hackers@postgresql.org; Fri, 19 Nov 2021 15:55:38 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 1AJFtYoZ3046423; Fri, 19 Nov 2021 10:55:34 -0500 From: Tom Lane To: Gilles Darold cc: PostgreSQL Hackers Subject: Re: Pasword expiration warning In-reply-to: <129bcfbf-47a6-e58a-190a-62fc21a17d03@migops.com> References: <129bcfbf-47a6-e58a-190a-62fc21a17d03@migops.com> Comments: In-reply-to Gilles Darold message dated "Fri, 19 Nov 2021 15:49:37 +0100" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3046421.1637337334.1@sss.pgh.pa.us> Date: Fri, 19 Nov 2021 10:55:34 -0500 Message-ID: <3046422.1637337334@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Gilles Darold writes: > Now that the security policy is getting stronger, it is not uncommon to > create users with a password expiration date (VALID UNTIL). TBH, I thought people were starting to realize that forced password rotations are a net security negative. It's true that a lot of places haven't gotten the word yet. > I'm wondering if we might be interested in having this feature in psql? This proposal kind of seems like a hack, because (1) not everybody uses psql (2) psql can't really tell whether rolvaliduntil is relevant. (It can see whether the server demanded a password, but maybe that went to LDAP or some other auth method.) That leads me to wonder about server-side solutions. It's easy enough for the server to see that it's used a password with an expiration N days away, but how could that be reported to the client? The only idea that comes to mind that doesn't seem like a protocol break is to issue a NOTICE message, which doesn't seem like it squares with your desire to only do this interactively. (Although I'm not sure I believe that's a great idea. If your application breaks at 2AM because its password expired, you won't be any happier than if your interactive sessions start to fail. Maybe a message that would leave a trail in the server log would be best after all.) > Default value is 0 like today no warning at all. Off-by-default is pretty much guaranteed to not help most people. regards, tom lane