April 06, 2023
The credcheck PostgreSQL extension provides general credential checks, which are evaluated during user creation, password change and user renaming. By using this extension, a set of rules can be defined:
New release v1.0 adds a major feature called Password Reuse Policy and the ability to force the use of an expiration date for a password. It also prevents PostgreSQL from exposing the password in the logs in case of error and fixes some issues reported by users over the past 6 months.
Add Password Reuse Policy feature. This implementation uses dedicated shared memory storage to share the password history between all databases. It requires credcheck to be loaded through shared_preload_libraries in postgresql.conf. The behavior of this feature can be controlled by two settings:
credcheck.password_reuse_history: number of distinct passwords set before a password can be reused.
credcheck.password_reuse_interval: amount of time it takes before a password can be reused again.
Add the possibility to enforce the use of an expiration date for a password, with a lifetime of a specific number of days. Example:
credcheck.password_valid_until = 60: the password lifetime must be at least two months.
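A psql session that exercises the reuse policy and the expiration requirement described above. This is an added example, not taken from the credcheck project: the role name, passwords and dates are constructed, the setting values are arbitrary, and the interval unit (days) is an assumption. The accept/reject outcomes in the comments are what the settings are described as enforcing, not captured output.

```sql
-- Prerequisite in postgresql.conf (server restart required), because the
-- password history lives in shared memory:
--   shared_preload_libraries = 'credcheck'

-- Run as a superuser: credcheck settings can only be changed by one.
-- SET applies to this session only; put the same values in
-- postgresql.conf to enforce them for every connection.
SET credcheck.password_reuse_history = 5;    -- 5 distinct passwords before reuse
SET credcheck.password_reuse_interval = 365; -- assumed unit: days
SET credcheck.password_valid_until = 60;     -- VALID UNTIL at least 60 days ahead

-- 1. Expected to be rejected: no expiration date is given.
CREATE ROLE demo_owner LOGIN PASSWORD 'Constructed-Pass-01';

-- 2. Expected to be accepted: expiration date is far enough in the future.
--    (Constructed date; pick one more than 60 days after the current date.)
CREATE ROLE demo_owner LOGIN PASSWORD 'Constructed-Pass-01'
    VALID UNTIL '2035-01-01';

-- 3. Expected to be accepted: a password not present in the history.
ALTER ROLE demo_owner PASSWORD 'Constructed-Pass-02'
    VALID UNTIL '2035-01-01';

-- 4. Expected to be rejected: the first password is still within the
--    history window (fewer than 5 distinct passwords since it was set)
--    and within the reuse interval.
ALTER ROLE demo_owner PASSWORD 'Constructed-Pass-01'
    VALID UNTIL '2035-01-01';

-- 5. Statements 1 and 4 fail with an error. With the default
--    credcheck.no_password_logging = on, check the server log to confirm
--    that the failed statements do not show the password text.

-- Clean up the constructed role.
DROP ROLE demo_owner;
```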
Allow credcheck to check the user name in CREATE USER statement without option
Force credcheck settings to be set/changed only by a superuser.
Fix detection of the VALID UNTIL clause in
Force PostgreSQL to not expose the password in the log when an error in CREATE/ALTER role occurs. This behavior can be disabled by setting the custom variable credcheck.no_password_logging to off.
ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION (28000) for most error messages.
Complete list of changes is available here
credcheck is an open project under the PostgreSQL license created at MigOps Inc. Any contribution to build a better tool is welcome. You can send your ideas, feature requests or patches using the GitHub tools.
Documentation at https://github.com/MigOpsRepos/credcheck#readme