Re: Password expiration warning - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Password expiration warning
Msg-id 3046422.1637337334@sss.pgh.pa.us
In response to Password expiration warning  (Gilles Darold <gilles@migops.com>)
Responses Re: Password expiration warning
List pgsql-hackers
Gilles Darold <gilles@migops.com> writes:
> Now that the security policy is getting stronger, it is not uncommon to 
> create users with a password expiration date (VALID UNTIL).

TBH, I thought people were starting to realize that forced password
rotations are a net security negative.  It's true that a lot of
places haven't gotten the word yet.

> I'm wondering if we might be interested in having this feature in psql? 

This proposal kind of seems like a hack, because
(1) not everybody uses psql
(2) psql can't really tell whether rolvaliduntil is relevant.
    (It can see whether the server demanded a password, but
    maybe that went to LDAP or some other auth method.)

That leads me to wonder about server-side solutions.  It's easy
enough for the server to see that it's used a password with an
expiration N days away, but how could that be reported to the
client?  The only idea that comes to mind that doesn't seem like
a protocol break is to issue a NOTICE message, which doesn't
seem like it squares with your desire to only do this interactively.
(Although I'm not sure I believe that's a great idea.  If your
application breaks at 2AM because its password expired, you
won't be any happier than if your interactive sessions start to
fail.  Maybe a message that would leave a trail in the server log
would be best after all.)

> Default value is 0 like today no warning at all.

Off-by-default is pretty much guaranteed to not help most people.

            regards, tom lane
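One way to prototype the server-side variant Tom sketches above, as an added example that is not part of this thread or of PostgreSQL itself: a login event trigger that looks up the connecting role's rolvaliduntil and raises a WARNING when it is within N days. It assumes a server new enough to have login event triggers and the system_user function (both are assumptions about the server version; the page predates them), and it uses system_user's auth_method prefix to answer Tom's objection (2), i.e. it only warns when the session was actually authenticated with a password, not via LDAP or another method. WARNING rather than NOTICE is used so the message reaches both the interactive client and the server log under default client_min_messages/log_min_messages, covering Tom's "leave a trail in the server log" point.

```sql
-- Added example: warn at login when a password-authenticated role's
-- VALID UNTIL is less than 7 days away. Assumes login event triggers
-- and system_user() exist on this server (not present in 2021 releases).
CREATE OR REPLACE FUNCTION warn_password_expiry()
RETURNS event_trigger
LANGUAGE plpgsql AS $$
DECLARE
    expiry      timestamptz;
    auth_method text;
BEGIN
    -- system_user is 'auth_method:identity', or NULL for e.g. trust.
    auth_method := split_part(system_user, ':', 1);

    -- Only password-based methods make rolvaliduntil relevant.
    IF auth_method NOT IN ('password', 'md5', 'scram-sha-256') THEN
        RETURN;
    END IF;

    -- pg_roles exposes rolvaliduntil to every role (pg_authid does not).
    -- A NULL or 'infinity' value means no expiration; the comparison
    -- below is false for both.
    SELECT rolvaliduntil INTO expiry
      FROM pg_roles
     WHERE rolname = current_user;

    IF expiry < now() + interval '7 days' THEN
        -- WARNING reaches the client (client_min_messages = notice) and
        -- the server log (log_min_messages = warning) by default.
        RAISE WARNING 'password for role % expires at % (% remaining)',
            current_user, expiry, expiry - now();
    END IF;
END;
$$;

CREATE EVENT TRIGGER warn_password_expiry_on_login
    ON login
    EXECUTE FUNCTION warn_password_expiry();

-- Fire on every connection, including on hot standbys.
ALTER EVENT TRIGGER warn_password_expiry_on_login ENABLE ALWAYS;
```

Because a faulty login trigger can block all connections, keep the function minimal and remember that starting the server with event_triggers disabled is the documented recovery path if it ever needs to be removed.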
