*Casablanca, Maroc - June 10, 2023*
## PostgreSQL credcheck extension
The credcheck PostgreSQL extension provides few general credential checks,
which will be evaluated during the user creation, during the password change
and user renaming. By using this extension, we can define a set of rules:
* allow a specific set of credentials
* reject a certain type of credentials
* enforce use of an expiration date with a minimum of day for a password
* define a password reuse policy
* define the number of authentication failure allowed before a user is banned
Release v2.0.0 adds a major feature and the compatibility with PostgreSQL 16.
Upgrade require a PostgreSQL restart to reload the credcheck library.
- Add "Authentication failure ban" new feature
PostgreSQL doesn't have any mechanism to limit the number of
authentication
failure attempt before the user being banned. With the credcheck
extension,
after an amount of authentication failure defined by configuration
directive
`credcheck.max_auth_failure` the user can be banned and never connect
anymore
even if it gives the right password later. This feature requires that
the
credcheck extension to be added to to `shared_preload_libraries`
configuration
option.
All users authentication failures are registered in shared memory with
the
timestamps of when the user have been banned. The authentication
failures
history is saved into memory only, that mean that the history is lost at
PostgreSQL restart. I have not seen the interest for the moment to
restore
the cache at startup.
The authentication failure cache size is set to 1024 records by default
and
can be adjusted using the `credcheck.auth_failure_cache_size`
configuration
directive. Change of this GUC require a PostgreSQL restart.
Two settings allow to control the behavior of this feature:
* `credcheck.max_auth_failure`: number of authentication failure allowed
for a user before being banned.
* `credcheck.reset_superuser` : force superuser to not be banned or
reset
a banned superuser when set to true.
The default value for the first setting is `0` which means that
authentication
failure ban feature is disabled. The default value for the second
setting is
`false` which means that `postgres` superuser can be banned.
In case the `postgres` superuser was banned, he can not logged anymore.
If
there is no other superuser account that can be used to reset the
record of
the banned superuser, set the `credcheck.reset_superuser`configuration
directive
to `true` into postgresql.conf file and send the SIGHUP signal to the
PostgreSQL
process pid so that it will reread the configuration. Next time the
superuser will
try to connect, its authentication failure cache entry will be removed.
Complete list of changes is available
[here](https://github.com/MigOpsRepos/credcheck/blob/v2.0/ChangeLog)
## Links & Credits
credcheck is an open project under the PostgreSQL license originally created at
[MigOps Inc](https://migops.com/), developed and maintained by [Gilles
Darold](https://www.darold.net/).
Any contribution to build a better tool is welcome. You can send your ideas,
features requests or patches
using the GitHub tools.
**Links :**
* Download:
[https://github.com/MigOpsRepos/credcheck/releases/](https://github.com/MigOpsRepos/credcheck/releases/)
* Support: use GitHub report tool at
[https://github.com/MigOpsRepos/credcheck/issues](https://github.com/MigOpsRepos/credcheck/issues)
## About credcheck
The credcheck extension is an original work of [MigOps
Inc](https://migops.com/), Since MigOPs is closed Gilles Darold is the official
maintainer. If you need more information please [contact
me](mailto:[email protected])
Documentation at
[https://github.com/MigOpsRepos/credcheck#readme](https://github.com/MigOpsRepos/credcheck#readme)
