*Casablanca, Maroc - June 10, 2023*

## PostgreSQL credcheck extension

The credcheck PostgreSQL extension provides a few general credential checks,
which are evaluated during user creation, password change and user renaming.
By using this extension, we can define a set of rules:

  * allow a specific set of credentials
  * reject a certain type of credentials
  * enforce use of an expiration date with a minimum number of days for a password
  * define a password reuse policy
  * define the number of authentication failures allowed before a user is banned


Release v2.0.0 adds a major feature and compatibility with PostgreSQL 16.
The upgrade requires a PostgreSQL restart to reload the credcheck library.

  - Add "Authentication failure ban" new feature

    PostgreSQL doesn't have any mechanism to limit the number of authentication
    failure attempts before the user is banned. With the credcheck extension,
    after the number of authentication failures defined by the configuration
    directive `credcheck.max_auth_failure`, the user can be banned and will never
    be able to connect again, even if it gives the right password later. This
    feature requires the credcheck extension to be added to the
    `shared_preload_libraries` configuration option.

    All user authentication failures are registered in shared memory with the
    timestamp of when the user was banned. The authentication failure history
    is kept in memory only, which means that the history is lost at PostgreSQL
    restart. I have not seen the interest for the moment to restore the cache
    at startup.

    The authentication failure cache size is set to 1024 records by default and
    can be adjusted using the `credcheck.auth_failure_cache_size` configuration
    directive. Changing this GUC requires a PostgreSQL restart.

    Two settings control the behavior of this feature:

    * `credcheck.max_auth_failure`: number of authentication failures allowed
      for a user before being banned.
    * `credcheck.reset_superuser`: when set to true, prevent a superuser from
      being banned, or reset an already banned superuser.

    The default value for the first setting is `0`, which means that the
    authentication failure ban feature is disabled. The default value for the
    second setting is `false`, which means that the `postgres` superuser can be
    banned.

    If the `postgres` superuser has been banned, it can no longer log in. If
    there is no other superuser account that can be used to reset the record of
    the banned superuser, set the `credcheck.reset_superuser` configuration
    directive to `true` in the postgresql.conf file and send the SIGHUP signal
    to the PostgreSQL process pid so that it rereads the configuration. The
    next time the superuser tries to connect, its authentication failure cache
    entry will be removed.
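The configuration and the superuser recovery procedure described above, as an added shell example that is not part of credcheck itself. It assumes the standard layout where postgresql.conf and postmaster.pid both live in the data directory; the function names are mine.

```shell
#!/bin/sh
# Added example (not credcheck project code): enable the v2.0.0
# authentication failure ban and recover a banned superuser.
# Assumes postgresql.conf and postmaster.pid live in the data directory.
set -eu

# set_guc FILE KEY VALUE: drop any existing (possibly commented) line for
# KEY, then append "KEY = VALUE" so the last definition wins.
set_guc() {
    conf=$1; key=$2; value=$3
    tmp=$(mktemp)
    grep -v "^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]*=" "$conf" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# get_guc FILE KEY: print the last value set for KEY, without quotes.
get_guc() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# enable_auth_failure_ban FILE MAX_FAILURES [CACHE_SIZE]
# max_auth_failure = 0 (the default) leaves the feature disabled; any positive
# value enables it. shared_preload_libraries and auth_failure_cache_size only
# take effect after a restart, so restart PostgreSQL once this has run.
enable_auth_failure_ban() {
    conf=$1; max=$2; cache=${3:-1024}
    set_guc "$conf" shared_preload_libraries "'credcheck'"   # replaces any existing value
    set_guc "$conf" credcheck.max_auth_failure "$max"
    set_guc "$conf" credcheck.auth_failure_cache_size "$cache"
    set_guc "$conf" credcheck.reset_superuser false
}

# unban_superuser FILE PGDATA: the recovery path for when no other superuser
# can log in: set reset_superuser to true, then SIGHUP the postmaster (its pid
# is the first line of postmaster.pid) so the new value is reread. The banned
# superuser's cache entry is dropped on its next connection attempt.
unban_superuser() {
    conf=$1; data=$2
    set_guc "$conf" credcheck.reset_superuser true
    if [ -r "$data/postmaster.pid" ]; then
        kill -HUP "$(head -n 1 "$data/postmaster.pid")"
    else
        echo "postmaster.pid not found; reload with: pg_ctl reload -D $data" >&2
    fi
}
```

`set_guc` overwrites `shared_preload_libraries`, so merge by hand if other libraries are already listed there.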

The complete list of changes is available
[here](https://github.com/MigOpsRepos/credcheck/blob/v2.0/ChangeLog)

## Links & Credits

credcheck is an open project under the PostgreSQL license originally created at
[MigOps Inc](https://migops.com/), developed and maintained by [Gilles
Darold](https://www.darold.net/).
Any contribution to build a better tool is welcome. You can send your ideas,
feature requests or patches using the GitHub tools.

**Links:**

* Download:  
[https://github.com/MigOpsRepos/credcheck/releases/](https://github.com/MigOpsRepos/credcheck/releases/)
* Support: use GitHub report tool at 
[https://github.com/MigOpsRepos/credcheck/issues](https://github.com/MigOpsRepos/credcheck/issues)

## About credcheck

The credcheck extension is an original work of [MigOps
Inc](https://migops.com/). Since MigOps has closed, Gilles Darold is the official
maintainer. If you need more information please [contact
me](mailto:gil...@darold.net)

Documentation at 
[https://github.com/MigOpsRepos/credcheck#readme](https://github.com/MigOpsRepos/credcheck#readme)
