April 06, 2023
The credcheck PostgreSQL extension provides general credential checks, which will be evaluated during the user creation, during the password change and user renaming. By using this extension, a set of rules can be defined:
New release v1.0 adds a major feature called Password Reuse Policy and the ability to force the use of an expiration date for a password. It also prevent PostgreSQL to expose the password in the logs in case of error and fixes some issues reported by users since the past 6 months.
Add Password Reuse Policy feature. This implementation use a dedicated shared memory storage to share the password history between all database. It requires credcheck to loaded through
shared_preload_libraries in postgresql.conf. The behavior of this feature can controlled by two settings:
credcheck.password_reuse_history: number of distinct passwords set before a password can be reused.
credcheck.password_reuse_interval: amount of time it takes before a password can be reused again.
Add possibility to enforce the use of an expiration date for a password with a life time of a specific number of days. Example:
credcheck.password_valid_until = 60 the password life time must be at least of two months.
Allow credcheck to check the user name in
CREATE USER statement without option
Force credcheck settings to be set/changed only by a superuser.
Fix detection of the
VALID UNTIL clause in
Force PostgreSQL to not expose the password in the log when an error in CREATE/ALTER role occurs. This behavior can be disabled by setting the custom variable
credcheck.no_password_logging to off.
ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION (28000) for most error messages.
Complete list of changes is available here
credcheck is an open project under the PostgreSQL license created at MigOps Inc. Any contribution to build a better tool is welcome. You can send your ideas, features requests or patches using the GitHub tools.
The credcheck extension is an original work of MigOps Inc, MigOPs is specialized in migration to PostgreSQL and PostgreSQL support. If you need more information please contact us
Documentation at https://github.com/MigOpsRepos/credcheck#readme