password rules
Hello all, I've been lurking for quite a while on the pg lists but now I need some help or rather, want to start a discussion: We can set a password for a role in PG but there is no way to force a user to change it, prevent reuse or to enforce some complexity on it. As I understand, that's by choice and when I ask about this, the usual answer is "that's not the job of a database, use LDAP for it". To be fair, setting up LDAP is very easy in PG, just one line in hba.conf and all is done. But sadly, that's only where the problems begin. The difficult part is to embedd this setup into a company, especially a large one as I work for with over 1000 PG databases and at least that many roles. Someone needs to be able to manage the passwords in LDAP and this means someone has to decide who can change which passwords, which is usually where some sort of Identity and Access Management (IAM) comes into place. We already have LDAP and IAM in place in our organization for many other things, but IAM identities are coupled to a real person, not a team. Which means only one person in the team would be able to set a new password and when that person leaves the team, IAM rights need to be revoked and given to a new person. Doable, but quite a pane in the behind, especially when that one person happens to be on holidays. The prefered way would be to couple the rights to a dev-team-specific IAM role, which is something I am trying to get the okay for from our security for the past two years but failed so far (they argue it's a PCI/DSS requirement). What I wish for are two seamingly simple features in PG that would solve all our problems without LDAP: - enforce some password complexity and prevent reuse - expire a password immediately after creating and prompt the user to change it upon first login try. They can connect with the initial password but cannot login until they've set a new password. Background is: our developers can manage their own databases for their applications via a self service we've build for them. They can configure which databases and roles they need, our self service deployes everything, generates a password and sends the info to the dev via email. They idea would be, that the dev will change the password immediately but we cannot enforce that the dev will change the password, ever. And we also can't prevent the dev from setting "1234" as a password. With LDAP we could do all this but as stated above, it's not easy to implement (our "dev" is usually a team). We've reached a point where we (the dba team) are seriously discussing setting up our own LDAP server(s) without IAM, solely driven by our self service. But it will be tricky to find a setup without being a single point of failure for that many databases and get the okay for the resources needed to run and manage it, when we already have an "official" LDAP server. I know there are extensions which are half-way there, like credcheck, but they suffer from the same drawback as most extensions, maintained only by a very small team or single person who after some years no longer has much time for it. Which is why we don't use any extension outside the official source code at all. Sorry for this rather long (first) email on this list but I feel like I had to explain our usecase and why LDAP is not always as simple as adding a line to hba.conf. I understand the sentiment why some argue that this should not be the job of the DB but on the other hand, the DB already allows setting a password in the first place, hence why should it not be able to enforce some rules? Is there any chance PG will provide this natively or are there any technical limitations I am unaware of? Can I do something to help bringing these feature into PG? My C knowledge is very limited so I won't be able to provide a patch but I'd be more than happy to test it. Also, I'll be at the Swiss PGday this week in Rapperswil if someone wants to discuss this in person ;) have fun, raphi
Re: password rules
Am 25.06.2025 um 01:20 schrieb Greg Sabino Mullane: On Mon, Jun 23, 2025 at 2:45 PM raphi wrote: As of now though we cannot use PG for any PCI/DSS certified application because we can't enforce either complexity nor regular password changes, You can, and many, many companies do, but you need a modern auth system like Kerberos. Even if we were to put something into Postgres today (and given the MFA and re-use requirements, it's near impossible), PCI DSS keeps evolving and getting stricter, so keeping up with it would get harder with each release. Can I do something to help bringing these feature into PG? My C knowledge is very limited so I won't be able to provide a patch but I'd be more than happy to test it. Your energy would be much better used in bringing Kerberos into your organization. :) Well as said, we have LDAP and IAM widely in use for everything except database access. It's the IAM part that's making it difficult for us to implement it for PG application/user roles, this wouldn't change by using Kerberos instead of LDAP. I thought we'll get the exception from our security to use IAM roles instead of physical persons defined as the owner of the PG accounts but now they are against it. Main reason is because they are looking into a completely different solution with Vault, which would fix some other issues and make it more robust towards PCI, and they prefer a solution for everything rather than making another exception. But we are speaking about years here, 2027 earliest and they haven't even talked to us yet how this would work with PG, only other DB products. have fun, raphi
Re: password rules
Am 25.06.2025 um 13:55 schrieb Peter J. Holzer: On 2025-06-23 16:35:35 +0200, raphi wrote: To be fair, setting up LDAP is very easy in PG, just one line in hba.conf and all is done. But sadly, that's only where the problems begin. The difficult part is to embedd this setup into a company, especially a large one as I work for with over 1000 PG databases and at least that many roles. Someone needs to be able to manage the passwords in LDAP and this means someone has to decide who can change which passwords, which is usually where some sort of Identity and Access Management (IAM) comes into place. We already have LDAP and IAM in place in our organization for many other things, but IAM identities are coupled to a real person, not a team. Which means only one person in the team would be able to set a new password and when that person leaves the team, IAM rights need to be revoked and given to a new person. Doable, but quite a pane in the behind, especially when that one person happens to be on holidays. I don't see why that should be the case. You could either grant privileges to more than one person or - preferrably - to a role which is then granted to the personal roles. So for example you would authenticate as «raphi» and I as «hjp» but we could both change to «foo_admin» or whatever. That would even have the advantage that we leave an audit trail with our "real" identities. That's not how the identiy principle works, at least not how it's implement in our company. A user in ldap has a direct relation to one digital entity, either a token from an application or certificate from a physical person (maybe some AD shenanigans also). We don't have digital entities for teams, that's what's missing. For it to work they (security) would need to allow to weaken this principle and as you said, allow everyone who has a certain role to manage the associated user in LDAP, like setting a new password. Technically possible and we have similar mechanisms in place for other access, but authentication is then made by key or certificate, ldap/iam is only used to control who can access what. But "our" problem aside, I still don't quite understand the decision that this was never implemented. If password authentication is so bad, why allow it all then? And when it's allowed, why not provide some basic features to make it more secure? The lack of any password rules is in it self the reason why it is so dangerous to use passwords in PG. I'd argue that the use of passwords with complexity requirements and TTL settings over an encrypted connection, with firewall rules and proper hba.conf access lists, are quite safe. Maybe even safer than a central solution like LDAP or Kerberos which is a single point of entry for an attacker, be it by attacking the software itself or the backup of the data, potentially getting access to everything instead of "just" one hacked password. But now I'm definitely getting into "let's have a beer" territory... ;) have fun raphi
Re: password rules
Am 23.06.2025 um 17:05 schrieb Tom Lane: raphi writes: We can set a password for a role in PG but there is no way to force a user to change it, prevent reuse or to enforce some complexity on it. As I understand, that's by choice and when I ask about this, the usual answer is "that's not the job of a database, use LDAP for it". ... Is there any chance PG will provide this natively or are there any technical limitations I am unaware of? If you don't like using an extension for it, you're out of luck. (The core developers have too much to do already, so we are never going to be receptive to arguments like "I don't want to use an extension". I'd be open to use an extension for this if there'd be one that is still maintained. The seemingly most popular one, credcheck, has an issue open for over a year, the password history is not being replicated to the standby so we can not use it. The other one, passwordpolicy, hasn't been updated in 6 years. Extension or not, there are serious objections to many aspects of such a feature, namely that they can't be enforced without requiring clients to send cleartext passwords to the server. That in itself is a security problem. For that matter, the whole business of using passwords rather than other ID technologies (SSL certificates, Kerberos/GSS tickets, etc) is feeling pretty twentieth-century. We only allow encrypted connections as (hopefully) most do and don't log any passwords but I see your point. As said, it's an ongoing battle between what DBAs need and what is possible in our environment. After my discussion today with our security officer, LDAP will probably never be the solution for us because of IAM (which is why I wrote here). He mentioned a project for next year where they want to look into a Vault solution. It's still password authentication but with complexity, TTL and "hidden" from users. As of now though we cannot use PG for any PCI/DSS certified application because we can't enforce either complexity nor regular password changes, which is required in PCI - and they are fine with using passwords per se, but with constraints. We can with other DB products, which is a pitty, it disqualifies PG automatically from the discussion for certain applications even when PG would be the better fit. I would've thought that this alone would put password handling back on the todo list, providing PCI compliance out-of-the-box without the need of additional infrastructure would be something to brag about :D Because 20th or 21th century, password authentication will probably be used for a long time, especially when it's still allowed by PCI and other industry standards. One last thing, any chance that "valid until" could get a flag where DBA can choose if the user will have a chance to set a new password when it expires instead of just locking the account? So when it expires, the user can still connect but not login, they can only set a new password, idealy with some mechanism preventing the user from setting the same password as before (compare the input with the current one, e.g. login in the background with the pass and when it succeeds, ask the user to give a different password or something like that). have fun, raphi
Re: password rules
Am 23.06.2025 um 22:39 schrieb Christoph Berg: Re: raphi Sorry for this rather long (first) email on this list but I feel like I had to explain our usecase and why LDAP is not always as simple as adding a line to hba.conf. Did you give the "pam" method a try? T Not really because it's a local solution. How do you change passwords or keep history on your standby nodes? Besides, the documentation says that postgres can't handle /etc/shadow because it runs unprivileged, only pam_ldap would work. Or am I missing something? have fun, raphi
Re: password rules
Am 25.06.2025 um 17:33 schrieb Peter J. Holzer: On 2025-06-25 14:42:26 +0200, raphi wrote: [snip] That's not how the identiy principle works, at least not how it's implement in our company. A user in ldap has a direct relation to one digital entity, either a token from an application or certificate from a physical person (maybe some AD shenanigans also). We don't have digital entities for teams, that's what's missing. For it to work they (security) would need to allow to weaken this principle and as you said, allow everyone who has a certain role to manage the associated user in LDAP, like setting a new password. That user shouldn't have a password, since nobody is authenticating as that user. It also doesn't have to exist in LDAP. It's just a role in the database. hmm I don't follow, maybe I was doing it wrong? In my tests I configured LDAP as described in the documentation: https://www.postgresql.org/docs/current/auth-ldap.html [quote] Once the user has been found in this search, the server re-binds to the directory as this user, using the password specified by the client, to verify that the login is correct [/quote] And this worked as expected, when the user provided the password stored in LDAP, they could login and couldn't when given a wrong (or empty) password. Can you elaborate on what you mean? [snip] But do they? "Complexity" (scare quotes intentional) rules are easy to circumvent and when people don't see the need for strong passwords, they will do so. If they do see the need they will use strong passwords on their own and the rules are somewhere between unnecessary and counter-productive. Most guidelines also have stopped recommending mandatory password rotations quite some time ago. These features provide convenient boxes for auditors to tick off and security for management who can claim that they did something. Operational security? Not so much. (just my personal opinion as someone who's been a sysadmin for over 20 years (although not recently)) Well, PCI still does. But checking auditors boxes is not the main reason I am looking for a solution (because we don't have any PCI applications on PG yet anyway) but our self service: An ansible playbook creates a role for someone and sends the password by email to the user who wanted the role created. This password ought to be temporary and should be changed upon first connect. Without any checks we can't neither ensure that the password will be changed nor that it won't be reused. We make it clear that this should happen and most devs probably do the sensible thing and set a new complex password but as you said, some people are just lazy and there's no feasable way for us to verify this. have fun raphi (who also was once in an almost forgotten lifetime a solaris admin for over 20 years ;))
Re: Simulate a PITR in postgresql 16
Am 30.06.2025 um 21:45 schrieb Ron Johnson: Using PgBackRest might be more convenient, since it handles everything you need, is multithreaded, never removes too many wal files, compresses files if you want and also encrypts them if you want. I agree, with pgBackRest it's basically: pgbackrest --stanza=demo --delta --type=time "--target=2025-05-05 15:37:03.157376+00" --target-action=promote restore and you are done. It will also restore configure files and you can also selectively restore only one DB in the cluster if you want to speed up things. Works very well with S3 too and is very easy to integrate in an ansible playbook to have a generic way to do PITRs. Check out the official user guide: https://pgbackrest.org/user-guide.html have fun raphi
Re: password rules
Am 26.06.2025 um 14:27 schrieb Peter J. Holzer: On 2025-06-25 17:55:12 +0200, raphi wrote: Am 25.06.2025 um 17:33 schrieb Peter J. Holzer: On 2025-06-25 14:42:26 +0200, raphi wrote: That's not how the identiy principle works, at least not how it's implement in our company. A user in ldap has a direct relation to one digital entity, either a token from an application or certificate from a physical person (maybe some AD shenanigans also). We don't have digital entities for teams, that's what's missing. For it to work they (security) would need to allow to weaken this principle and as you said, allow everyone who has a certain role to manage the associated user in LDAP, like setting a new password. That user shouldn't have a password, since nobody is authenticating as that user. It also doesn't have to exist in LDAP. It's just a role in the database. hmm I don't follow, maybe I was doing it wrong? I'm thinking of something like this: Roles assigned to people are in LDAP, and only they have passwords. Application roles don't have to be in LDAP (maybe there are operational reasons to have them there, but PostgreSQL doesn't need them) and don't have passwords. Thank you very much for the detailed test. It will be useful for other ideas I have but (I think) it does not solve our particular case. Maybe I wasn't clear enough and I'm sorry for that, but our problem lies in the way how applications connect. The passwords that devs are ordering via our self service is for the application that is connecting to the database, not for themselfs. It's the application's password that we want to ensure that it is complex and gets changed after we set an initial password for it. Because PG does not do it, we wanted to resolve this with LDAP but failed due to IAM. But, I just returned from the once again phenomenal Swiss PGDays and I had the chance to talk to Laurenz and Dani and I can say, that I finally get it now. Laurenz explained very well how the whole authentication works and that the philosophy is that the postgres server should never know any passwords. I think that's what Tom tried to say but I failed to understand it correctly, I thought the issue is not having unencrypted passwords being sent over the network. So, why this also does not solve our problem, I am giving up on trying to use PG to enforce some password rules, I'm not even sure if credcheck is still a good idea. But the more I think about it the more I like switching to certificates, after all we already have mechanisms in place to automatically get new officially trusted (not selfsigned) certificates, it could be adoptable for PG connects too. I'm just not sure how and if all our applications can adopt this, but that's a "me" problem. Anyways, thanks to everyone who helped me see the PG way, I won't bother anyone with this topic again ;) have fun, raphi
Re: password rules
Am 28.06.2025 um 15:59 schrieb Peter J. Holzer: On 2025-06-27 19:00:36 +0200, raphi wrote: It's the application's password that we want to ensure that it is complex and gets changed after we set an initial password for it. Why let a human change that at all? Couldn't you just create a suitable random password at deployment time? (And then automatically every n months if you want to rotate it.) Because someone has to configure the password in the application, mostly within WLS or Tomcat and that's definitely not something that we DBA want to touch, that's the devs job. Which means we would have to provide some mechanism for the application to grab the password, say from a file or something, which has it's own pitfalls. Not to mention that we DBA usually don't want to know any application passwords. The only feasable way to implement this is with hashicorp Vault or something similar, then no one knows the password, neither DBA nor Dev and it would be guaranteed that it's complex. And application maintenance by a dev directly in the DB could then be made with personal logins via LDAP and switching to the application role as you so splendidly described ;) Same would be true for SSL certificates, only the application would need it and the devs could login via LDAP. have fun raphi
