The passwordpolicy
is like the regular PostgreSQL passwordcheck extension, except it is built with cracklib and has some configurations options. Unlike the original module, this one has more strict password checks. The passwordpolicy
module checks users' passwords whenever they are set with CREATE ROLE
or ALTER ROLE
. If a password is considered too weak, it will be rejected and the command will terminate with an error.
Prerequisit
Ubuntu
:
# add postgres repo
add-apt-repository 'deb http://apt.postgresql.org/pub/repos/apt/ xenial-pgdg main'
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
# install postgres
apt-get -y update
apt-get -y install postgresql postgresql-contrib libpq-dev postgresql-server-dev-all
# install build requirements
apt-get -y install make build-essential
# install cracklib
apt-get -y install libpam-cracklib libcrack2-dev
RHEL
:
yum -y install openssl-devel
# add postgres repo
rpm -Uvh https://yum.postgresql.org/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm
# install postgres
yum -y install postgresql10-server postgresql10-libs postgresql10-devel postgresql10-contrib
# install cracklib
yum -y install cracklib cracklib-devel cracklib-dicts words
# create dictionary
mkdict /usr/share/dict/* | packer /usr/lib/cracklib_dict
# initialize databasse
/usr/pgsql-10/bin/postgresql-10-setup initdb
To build it, just do this:
make
make install
If you encounter an error such as:
make: pg_config: Command not found
Be sure that you have pg_config installed and in your path. If you used a package management system such as RPM to install PostgreSQL, be sure that the -devel package is also installed. If necessary tell the build process where to find it. Edit Makefile, and change PG_CONFIG variable:
PG_CONFIG=/path/to/pg_config
followed by the
make
make install
pg_config
is usually under /usr/pgsql-10/bin/pg_config
on
RHEL/CentOS/Fedora. Replace 10 with your major PostgreSQL version.
Alternatively the following will work too:
PATH="/usr/pgsql-10/bin:$PATH" make
sudo PATH="/usr/pgsql-10/bin:$PATH" make install
PATH="/usr/pgsql-10/bin:$PATH" make installcheck
To enable this module, add '$libdir/passwordpolicy
' to
shared_preload_libraries in postgresql.conf, then restart the server.
Configure the passwordpolicy
plugin in postgresql.conf
.
p_policy.min_password_len = 8 # Set minimum Password length
p_policy.min_special_chars = 2 # Set minimum number of special chracters
p_policy.min_numbers = 2 # Set minimum number of numeric characters
p_policy.min_uppercase_letter = 2 # Set minimum number of upper case letters
p_policy.min_lowercase_letter = 2 # Set minimum number of lower casae letters
Using vagrant:
vagrant up
vagrant provision --provision-with install
For more details, please read the manual of the original module:
https://www.postgresql.org/docs/current/static/passwordcheck.html
Bug reports and pull requests are welcome on GitHub at passwordpolicy repository. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
- indrajit - Owner - eendroroy
The project is available as open source under the terms of the MIT License.