Add a hook to CREATE/ALTER ROLE to allow an external module to check the

strength of database passwords, and create a sample implementation of
such a hook as a new contrib module "passwordcheck".

Laurenz Albe, reviewed by Takahiro Itagaki
This commit is contained in:
Tom Lane 2009-11-18 21:57:56 +00:00
parent 5e66a51c2e
commit c742b795dd
9 changed files with 313 additions and 23 deletions

View file

@ -1,4 +1,4 @@
# $PostgreSQL: pgsql/contrib/Makefile,v 1.89 2009/08/18 10:34:39 teodor Exp $
# $PostgreSQL: pgsql/contrib/Makefile,v 1.90 2009/11/18 21:57:56 tgl Exp $
subdir = contrib
top_builddir = ..
@ -25,6 +25,7 @@ SUBDIRS = \
ltree \
oid2name \
pageinspect \
passwordcheck \
pg_buffercache \
pg_freespacemap \
pg_standby \

View file

@ -104,6 +104,10 @@ pageinspect -
Allows inspection of database pages
Heikki Linnakangas <heikki@enterprisedb.com>
passwordcheck -
Simple password strength checker
Laurenz Albe <laurenz.albe@wien.gv.at>
pg_buffercache -
Real time queries on the shared buffer cache
by Mark Kirkwood <markir@paradise.net.nz>

View file

@ -0,0 +1,19 @@
# $PostgreSQL: pgsql/contrib/passwordcheck/Makefile,v 1.1 2009/11/18 21:57:56 tgl Exp $
MODULE_big = passwordcheck
OBJS = passwordcheck.o
# uncomment the following two lines to enable cracklib support
# PG_CPPFLAGS = -DUSE_CRACKLIB '-DCRACKLIB_DICTPATH="/usr/lib/cracklib_dict"'
# SHLIB_LINK = -lcrack
ifdef USE_PGXS
PG_CONFIG = pg_config
PGXS := $(shell $(PG_CONFIG) --pgxs)
include $(PGXS)
else
subdir = contrib/passwordcheck
top_builddir = ../..
include $(top_builddir)/src/Makefile.global
include $(top_srcdir)/contrib/contrib-global.mk
endif

View file

@ -0,0 +1,147 @@
/*-------------------------------------------------------------------------
*
* passwordcheck.c
*
*
* Copyright (c) 2009, PostgreSQL Global Development Group
*
* Author: Laurenz Albe <laurenz.albe@wien.gv.at>
*
* IDENTIFICATION
* $PostgreSQL: pgsql/contrib/passwordcheck/passwordcheck.c,v 1.1 2009/11/18 21:57:56 tgl Exp $
*
*-------------------------------------------------------------------------
*/
#include "postgres.h"
#include <ctype.h>
#ifdef USE_CRACKLIB
#include <crack.h>
#endif
#include "commands/user.h"
#include "fmgr.h"
#include "libpq/md5.h"
PG_MODULE_MAGIC;
/* passwords shorter than this will be rejected */
#define MIN_PWD_LENGTH 8
extern void _PG_init(void);
/*
* check_password
*
* performs checks on an encrypted or unencrypted password
* ereport's if not acceptable
*
* username: name of role being created or changed
* password: new password (possibly already encrypted)
* password_type: PASSWORD_TYPE_PLAINTEXT or PASSWORD_TYPE_MD5 (there
* could be other encryption schemes in future)
* validuntil_time: password expiration time, as a timestamptz Datum
* validuntil_null: true if password expiration time is NULL
*
* This sample implementation doesn't pay any attention to the password
* expiration time, but you might wish to insist that it be non-null and
* not too far in the future.
*/
static void
check_password(const char *username,
const char *password,
int password_type,
Datum validuntil_time,
bool validuntil_null)
{
int namelen = strlen(username);
int pwdlen = strlen(password);
char encrypted[MD5_PASSWD_LEN + 1];
int i;
bool pwd_has_letter,
pwd_has_nonletter;
switch (password_type)
{
case PASSWORD_TYPE_MD5:
/*
* Unfortunately we cannot perform exhaustive checks on
* encrypted passwords - we are restricted to guessing.
* (Alternatively, we could insist on the password being
* presented non-encrypted, but that has its own security
* disadvantages.)
*
* We only check for username = password.
*/
if (!pg_md5_encrypt(username, username, namelen, encrypted))
elog(ERROR, "password encryption failed");
if (strcmp(password, encrypted) == 0)
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("password must not contain user name")));
break;
case PASSWORD_TYPE_PLAINTEXT:
/*
* For unencrypted passwords we can perform better checks
*/
/* enforce minimum length */
if (pwdlen < MIN_PWD_LENGTH)
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("password is too short")));
/* check if the password contains the username */
if (strstr(password, username))
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("password must not contain user name")));
/* check if the password contains both letters and non-letters */
pwd_has_letter = false;
pwd_has_nonletter = false;
for (i = 0; i < pwdlen; i++)
{
/*
* isalpha() does not work for multibyte encodings
* but let's consider non-ASCII characters non-letters
*/
if (isalpha((unsigned char) password[i]))
pwd_has_letter = true;
else
pwd_has_nonletter = true;
}
if (!pwd_has_letter || !pwd_has_nonletter)
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("password must contain both letters and nonletters")));
#ifdef USE_CRACKLIB
/* call cracklib to check password */
if (FascistCheck(password, CRACKLIB_DICTPATH))
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("password is easily cracked")));
#endif
break;
default:
elog(ERROR, "unrecognized password type: %d", password_type);
break;
}
/* all checks passed, password is ok */
}
/*
* Module initialization function
*/
void
_PG_init(void)
{
/* activate password checks when the module is loaded */
check_password_hook = check_password;
}

View file

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/contrib.sgml,v 1.14 2009/08/18 10:34:39 teodor Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/contrib.sgml,v 1.15 2009/11/18 21:57:56 tgl Exp $ -->
<appendix id="contrib">
<title>Additional Supplied Modules</title>
@ -98,6 +98,7 @@ psql -d dbname -f <replaceable>SHAREDIR</>/contrib/<replaceable>module</>.sql
&ltree;
&oid2name;
&pageinspect;
&passwordcheck;
&pgbench;
&pgbuffercache;
&pgcrypto;

View file

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/filelist.sgml,v 1.64 2009/08/18 10:34:39 teodor Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/filelist.sgml,v 1.65 2009/11/18 21:57:56 tgl Exp $ -->
<!entity history SYSTEM "history.sgml">
<!entity info SYSTEM "info.sgml">
@ -111,6 +111,7 @@
<!entity ltree SYSTEM "ltree.sgml">
<!entity oid2name SYSTEM "oid2name.sgml">
<!entity pageinspect SYSTEM "pageinspect.sgml">
<!entity passwordcheck SYSTEM "passwordcheck.sgml">
<!entity pgbench SYSTEM "pgbench.sgml">
<!entity pgbuffercache SYSTEM "pgbuffercache.sgml">
<!entity pgcrypto SYSTEM "pgcrypto.sgml">

View file

@ -0,0 +1,62 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/passwordcheck.sgml,v 1.1 2009/11/18 21:57:56 tgl Exp $ -->
<sect1 id="passwordcheck">
<title>passwordcheck</title>
<indexterm zone="passwordcheck">
<primary>passwordcheck</primary>
</indexterm>
<para>
The <filename>passwordcheck</filename> module checks users' passwords
whenever they are set with
<xref linkend="SQL-CREATEROLE" endterm="SQL-CREATEROLE-title"> or
<xref linkend="SQL-ALTERROLE" endterm="SQL-ALTERROLE-title">.
If a password is considered too weak, it will be rejected and
the command will terminate with an error.
</para>
<para>
To enable this module, add <literal>'$libdir/passwordcheck'</literal>
to <xref linkend="guc-shared-preload-libraries"> in
<filename>postgresql.conf</filename>, then restart the server.
</para>
<para>
You can adapt this module to your needs by changing the source code.
For example, you can use
<ulink url="http://sourceforge.net/projects/cracklib/">CrackLib</ulink>
to check passwords &mdash; this only requires uncommenting
two lines in the <filename>Makefile</filename> and rebuilding the
module. (We cannot include <productname>CrackLib</productname>
by default for license reasons.)
Without <productname>CrackLib</productname>, the module enforces a few
simple rules for password strength, which you can modify or extend
as you see fit.
</para>
<caution>
<para>
To prevent unencrypted passwords from being sent across the network,
written to the server log or otherwise stolen by a database administrator,
<productname>PostgreSQL</productname> allows the user to supply
pre-encrypted passwords. Many client programs make use of this
functionality and encrypt the password before sending it to the server.
</para>
<para>
This limits the usefulness of the <filename>passwordcheck</filename>
module, because in that case it can only try to guess the password.
For this reason, <filename>passwordcheck</filename> is not
recommendable if your security requirements are high.
It is more secure to use an external authentication method such as Kerberos
(see <xref linkend="client-authentication">) than to rely on
passwords within the database.
</para>
<para>
Alternatively, you could modify <filename>passwordcheck</filename>
to reject pre-encrypted passwords, but forcing users to set their
passwords in clear text carries its own security risks.
</para>
</caution>
</sect1>

View file

@ -6,7 +6,7 @@
* Portions Copyright (c) 1996-2009, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.189 2009/10/07 22:14:19 alvherre Exp $
* $PostgreSQL: pgsql/src/backend/commands/user.c,v 1.190 2009/11/18 21:57:56 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -35,8 +35,12 @@
#include "utils/tqual.h"
/* GUC parameter */
extern bool Password_encryption;
/* Hook to check passwords in CreateRole() and AlterRole() */
check_password_hook_type check_password_hook = NULL;
static List *roleNamesToIds(List *memberNames);
static void AddRoleMems(const char *rolename, Oid roleid,
List *memberNames, List *memberIds,
@ -96,6 +100,8 @@ CreateRole(CreateRoleStmt *stmt)
List *rolemembers = NIL; /* roles to be members of this role */
List *adminmembers = NIL; /* roles to be admins of this role */
char *validUntil = NULL; /* time the login is valid until */
Datum validUntil_datum; /* same, as timestamptz Datum */
bool validUntil_null;
DefElem *dpassword = NULL;
DefElem *dissuper = NULL;
DefElem *dinherit = NULL;
@ -298,6 +304,31 @@ CreateRole(CreateRoleStmt *stmt)
errmsg("role \"%s\" already exists",
stmt->role)));
/* Convert validuntil to internal form */
if (validUntil)
{
validUntil_datum = DirectFunctionCall3(timestamptz_in,
CStringGetDatum(validUntil),
ObjectIdGetDatum(InvalidOid),
Int32GetDatum(-1));
validUntil_null = false;
}
else
{
validUntil_datum = (Datum) 0;
validUntil_null = true;
}
/*
* Call the password checking hook if there is one defined
*/
if (check_password_hook && password)
(*check_password_hook) (stmt->role,
password,
isMD5(password) ? PASSWORD_TYPE_MD5 : PASSWORD_TYPE_PLAINTEXT,
validUntil_datum,
validUntil_null);
/*
* Build a tuple to insert
*/
@ -333,15 +364,8 @@ CreateRole(CreateRoleStmt *stmt)
else
new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
if (validUntil)
new_record[Anum_pg_authid_rolvaliduntil - 1] =
DirectFunctionCall3(timestamptz_in,
CStringGetDatum(validUntil),
ObjectIdGetDatum(InvalidOid),
Int32GetDatum(-1));
else
new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = true;
new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
tuple = heap_form_tuple(pg_authid_dsc, new_record, new_record_nulls);
@ -419,6 +443,8 @@ AlterRole(AlterRoleStmt *stmt)
int connlimit = -1; /* maximum connections allowed */
List *rolemembers = NIL; /* roles to be added/removed */
char *validUntil = NULL; /* time the login is valid until */
Datum validUntil_datum; /* same, as timestamptz Datum */
bool validUntil_null;
DefElem *dpassword = NULL;
DefElem *dissuper = NULL;
DefElem *dinherit = NULL;
@ -587,6 +613,33 @@ AlterRole(AlterRoleStmt *stmt)
errmsg("permission denied")));
}
/* Convert validuntil to internal form */
if (validUntil)
{
validUntil_datum = DirectFunctionCall3(timestamptz_in,
CStringGetDatum(validUntil),
ObjectIdGetDatum(InvalidOid),
Int32GetDatum(-1));
validUntil_null = false;
}
else
{
/* fetch existing setting in case hook needs it */
validUntil_datum = SysCacheGetAttr(AUTHNAME, tuple,
Anum_pg_authid_rolvaliduntil,
&validUntil_null);
}
/*
* Call the password checking hook if there is one defined
*/
if (check_password_hook && password)
(*check_password_hook) (stmt->role,
password,
isMD5(password) ? PASSWORD_TYPE_MD5 : PASSWORD_TYPE_PLAINTEXT,
validUntil_datum,
validUntil_null);
/*
* Build an updated tuple, perusing the information just obtained
*/
@ -666,15 +719,9 @@ AlterRole(AlterRoleStmt *stmt)
}
/* valid until */
if (validUntil)
{
new_record[Anum_pg_authid_rolvaliduntil - 1] =
DirectFunctionCall3(timestamptz_in,
CStringGetDatum(validUntil),
ObjectIdGetDatum(InvalidOid),
Int32GetDatum(-1));
new_record_repl[Anum_pg_authid_rolvaliduntil - 1] = true;
}
new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
new_record_repl[Anum_pg_authid_rolvaliduntil - 1] = true;
new_tuple = heap_modify_tuple(tuple, pg_authid_dsc, new_record,
new_record_nulls, new_record_repl);

View file

@ -4,7 +4,7 @@
* Commands for manipulating roles (formerly called users).
*
*
* $PostgreSQL: pgsql/src/include/commands/user.h,v 1.30 2006/10/04 00:30:08 momjian Exp $
* $PostgreSQL: pgsql/src/include/commands/user.h,v 1.31 2009/11/18 21:57:56 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -14,6 +14,14 @@
#include "nodes/parsenodes.h"
/* Hook to check passwords in CreateRole() and AlterRole() */
#define PASSWORD_TYPE_PLAINTEXT 0
#define PASSWORD_TYPE_MD5 1
typedef void (*check_password_hook_type) (const char *username, const char *password, int password_type, Datum validuntil_time, bool validuntil_null);
extern PGDLLIMPORT check_password_hook_type check_password_hook;
extern void CreateRole(CreateRoleStmt *stmt);
extern void AlterRole(AlterRoleStmt *stmt);
extern void AlterRoleSet(AlterRoleSetStmt *stmt);