mirror of
https://github.com/postgres/postgres.git
synced 2025-05-28 05:21:27 +03:00
98de86e422
krb5 has been deprecated since 8.3, and the recommended way to do Kerberos authentication is using the GSSAPI authentication method (which is still fully supported). libpq retains the ability to identify krb5 authentication, but only gives an error message about it being unsupported. Since all authentication is initiated from the backend, there is no need to keep it at all in the backend.
63 lines
2.3 KiB
Plaintext
63 lines
2.3 KiB
Plaintext
<!-- doc/src/sgml/passwordcheck.sgml -->
|
|
|
|
<sect1 id="passwordcheck" xreflabel="passwordcheck">
|
|
<title>passwordcheck</title>
|
|
|
|
<indexterm zone="passwordcheck">
|
|
<primary>passwordcheck</primary>
|
|
</indexterm>
|
|
|
|
<para>
|
|
The <filename>passwordcheck</filename> module checks users' passwords
|
|
whenever they are set with
|
|
<xref linkend="SQL-CREATEROLE"> or
|
|
<xref linkend="SQL-ALTERROLE">.
|
|
If a password is considered too weak, it will be rejected and
|
|
the command will terminate with an error.
|
|
</para>
|
|
|
|
<para>
|
|
To enable this module, add <literal>'$libdir/passwordcheck'</literal>
|
|
to <xref linkend="guc-shared-preload-libraries"> in
|
|
<filename>postgresql.conf</filename>, then restart the server.
|
|
</para>
|
|
|
|
<para>
|
|
You can adapt this module to your needs by changing the source code.
|
|
For example, you can use
|
|
<ulink url="http://sourceforge.net/projects/cracklib/">CrackLib</ulink>
|
|
to check passwords — this only requires uncommenting
|
|
two lines in the <filename>Makefile</filename> and rebuilding the
|
|
module. (We cannot include <productname>CrackLib</productname>
|
|
by default for license reasons.)
|
|
Without <productname>CrackLib</productname>, the module enforces a few
|
|
simple rules for password strength, which you can modify or extend
|
|
as you see fit.
|
|
</para>
|
|
|
|
<caution>
|
|
<para>
|
|
To prevent unencrypted passwords from being sent across the network,
|
|
written to the server log or otherwise stolen by a database administrator,
|
|
<productname>PostgreSQL</productname> allows the user to supply
|
|
pre-encrypted passwords. Many client programs make use of this
|
|
functionality and encrypt the password before sending it to the server.
|
|
</para>
|
|
<para>
|
|
This limits the usefulness of the <filename>passwordcheck</filename>
|
|
module, because in that case it can only try to guess the password.
|
|
For this reason, <filename>passwordcheck</filename> is not
|
|
recommended if your security requirements are high.
|
|
It is more secure to use an external authentication method such as GSSAPI
|
|
(see <xref linkend="client-authentication">) than to rely on
|
|
passwords within the database.
|
|
</para>
|
|
<para>
|
|
Alternatively, you could modify <filename>passwordcheck</filename>
|
|
to reject pre-encrypted passwords, but forcing users to set their
|
|
passwords in clear text carries its own security risks.
|
|
</para>
|
|
</caution>
|
|
|
|
</sect1>
|