Re: Record last password change

Greetings,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Michael Banck <michael(dot)banck(at)credativ(dot)de> writes:
> > The same was requested in https://dba.stackexchange.com/questions/91252/
> > how-to-know-when-postgresql-password-is-changed so I was wondering
> > whether this would be a welcome change/addition, or whether people think
> > it's not worth bothering to implement it?
>
> This has all the same practical problems as recording object creation
> times, which we're not going to do either. (You can consult the
> archives for details, but from memory, the stickiest aspects revolve
> around what to do during dump/reload. Although even CREATE OR REPLACE
> offers interesting definitional questions. In the end there are just
> too many different behaviors that somebody might want.)

I disagree with these being serious practical problems- we just need to
decide which was to go when it comes to dump/restore here and there's an
awful lot of example systems out there to compare to for this case.

> I've heard that if you want to implement a password aging policy, PAM
> authentication can manage that for you; but I don't know the details.

That's ridiculously ugly; I know, because I've had to do it, more than
once. In my view, it's past time to update our password mechanisms to
have the features that one expects a serious system to have these days.

Thanks!

Stephen