passwordpolicy

passwordpolicy is a variant of the regular PostgreSQL passwordcheck extension: it is built against cracklib and exposes a few configuration options. Unlike the original module, it enforces stricter, configurable password checks. The passwordpolicy module checks a user's password whenever it is set with CREATE ROLE or ALTER ROLE. If the password is considered too weak, it is rejected and the command terminates with an error.

Installing by compiling source code

Prerequisite

Ubuntu:

# add postgres repo
add-apt-repository 'deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main'
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -

# install postgres
apt-get -y update
apt-get -y install postgresql postgresql-contrib libpq-dev postgresql-server-dev-all

# install build requirements
apt-get -y install make build-essential

# install cracklib
apt-get -y install libpam-cracklib libcrack2-dev

RHEL:

yum -y install openssl-devel

# add postgres repo
rpm -Uvh https://yum.postgresql.org/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm

# install postgres
yum -y install postgresql10-server postgresql10-libs postgresql10-devel postgresql10-contrib

# install cracklib
yum -y install cracklib cracklib-devel cracklib-dicts words

# create dictionary
mkdict /usr/share/dict/* | packer /usr/lib/cracklib_dict

# initialize database
/usr/pgsql-10/bin/postgresql-10-setup initdb

To build it, just do this:

make
make install

If you encounter an error such as:

make: pg_config: Command not found

Be sure that pg_config is installed and on your PATH. If you installed PostgreSQL with a package manager such as RPM, make sure the -devel package is installed as well. If necessary, tell the build process where to find it: edit the Makefile and change the PG_CONFIG variable:

PG_CONFIG=/path/to/pg_config

followed by the

make
make install

pg_config is usually under /usr/pgsql-10/bin/pg_config on RHEL/CentOS/Fedora. Replace 10 with your major PostgreSQL version.

Alternatively the following will work too:

PATH="/usr/pgsql-10/bin:$PATH" make
sudo PATH="/usr/pgsql-10/bin:$PATH" make install
PATH="/usr/pgsql-10/bin:$PATH" make installcheck

Using the module

To enable this module, add ‘$libdir/passwordpolicy’ to shared_preload_libraries in postgresql.conf, then restart the server. Like the original passwordcheck module, it can only examine a password that the server receives in plain text: a client that hashes the password before sending it (as psql's \password does) submits only the hash, which the policy cannot inspect.

Configurations

Configure the passwordpolicy plugin in postgresql.conf.

p_policy.min_password_len = 8       # Set minimum password length
p_policy.min_special_chars = 2      # Set minimum number of special characters
p_policy.min_numbers = 2            # Set minimum number of numeric characters
p_policy.min_uppercase_letter = 2   # Set minimum number of upper case letters
p_policy.min_lowercase_letter = 2   # Set minimum number of lower case letters
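The following is an added example, not code from the passwordpolicy project: a small Python pre-checker that reads the p_policy.* settings above from a postgresql.conf fragment and reports which rules a candidate password would violate, so an operator can vet a password before issuing ALTER ROLE and hitting the server-side error. It assumes that any printable ASCII character other than a letter or digit counts as "special" (the module's exact definition is not stated on this page), and it adds the original passwordcheck module's rule that a password must not contain the role name; it does not reproduce the cracklib dictionary check.

```python
"""Pre-check candidate passwords against a p_policy.* configuration (added example)."""
import re
from dataclasses import dataclass, fields

# Constructed configuration fragment, copied from the README settings above.
SAMPLE_CONF = """
p_policy.min_password_len = 8       # Set minimum password length
p_policy.min_special_chars = 2      # Set minimum number of special characters
p_policy.min_numbers = 2            # Set minimum number of numeric characters
p_policy.min_uppercase_letter = 2   # Set minimum number of upper case letters
p_policy.min_lowercase_letter = 2   # Set minimum number of lower case letters
"""

# Assumption: printable ASCII punctuation is what counts as a "special character".
SPECIAL_CHARS = frozenset("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
DIGITS = frozenset("0123456789")

_CONF_LINE = re.compile(r"^\s*p_policy\.(\w+)\s*=\s*(\d+)\s*$")


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirror of the p_policy.* GUCs; the defaults here are assumptions, not the module's."""
    min_password_len: int = 8
    min_special_chars: int = 2
    min_numbers: int = 2
    min_uppercase_letter: int = 2
    min_lowercase_letter: int = 2


def parse_policy(conf_text: str) -> PasswordPolicy:
    """Build a PasswordPolicy from postgresql.conf lines; unknown p_policy.* keys raise."""
    known = {f.name for f in fields(PasswordPolicy)}
    values = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        match = _CONF_LINE.match(line)
        if not match:
            continue                         # not a p_policy.* setting
        key, value = match.group(1), int(match.group(2))
        if key not in known:
            raise ValueError(f"unknown setting p_policy.{key}")
        values[key] = value
    return PasswordPolicy(**values)


def check_password(password: str, policy: PasswordPolicy, username: str = "") -> list:
    """Return the list of violated rules; an empty list means the policy would accept it."""
    special = sum(c in SPECIAL_CHARS for c in password)
    numbers = sum(c in DIGITS for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)

    problems = []
    if len(password) < policy.min_password_len:
        problems.append(f"shorter than {policy.min_password_len} characters")
    if special < policy.min_special_chars:
        problems.append(f"fewer than {policy.min_special_chars} special characters")
    if numbers < policy.min_numbers:
        problems.append(f"fewer than {policy.min_numbers} digits")
    if upper < policy.min_uppercase_letter:
        problems.append(f"fewer than {policy.min_uppercase_letter} upper case letters")
    if lower < policy.min_lowercase_letter:
        problems.append(f"fewer than {policy.min_lowercase_letter} lower case letters")
    # Rule inherited from the original passwordcheck module: no role name in the password.
    if username and username.lower() in password.lower():
        problems.append("contains the role name")
    return problems


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_CONF)
    for user, candidate in [("alice", "password"), ("alice", "Xy7!9?aB"), ("alice", "Alice_42!Pw")]:
        verdict = check_password(candidate, policy, user) or ["accepted"]
        print(f"{user}: {candidate!r} -> {', '.join(verdict)}")
```

Run the pre-check in the same deployment script that issues CREATE ROLE or ALTER ROLE; the server-side module remains the enforcement point, and the script only saves a round trip and gives a clearer reason than the generic error.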

Testing

Using Vagrant:

vagrant up
vagrant provision --provision-with install

More information

For more details, please read the manual of the original module:

https://www.postgresql.org/docs/current/static/passwordcheck.html

Contributing

Bug reports and pull requests are welcome on GitHub at the passwordpolicy repository. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

Author

License

The project is available as open source under the terms of the MIT License.