credcheck
Updated: 2024-07-01 14:39:41
credcheck plugin description
credcheck is an AntDB extension. It provides a set of general credential checks that are evaluated when a user is created, when a password is changed, and when a user is renamed. With this extension we can define a set of rules to:
- Allow a specific set of credentials
- Reject specific kinds of credentials
- Reject passwords that are easy to crack
- Enforce a minimum password expiration period, in days
- Define a password reuse policy
- Define the number of authentication failures allowed before a user is blocked
The extension exposes every check as a configurable parameter. The default configuration does not enforce any complex checks and tries to allow most credentials. A check is enforced by setting its parameter with a command of the following form (note the dot between the credcheck prefix and the check name). The parameters can only be changed by a superuser. SET changes the parameter for the current session only; to make a policy permanent, put the parameters in postgresql.conf (or set them with ALTER SYSTEM) and reload the configuration.
SET credcheck.<check-name> TO <some value>;
Setup
- Edit the configuration file, then restart the database
# edit postgresql.conf
shared_preload_libraries = 'credcheck'
- Log in to the database and run the SQL command that creates the extension
CREATE EXTENSION credcheck;
Check list
Below is the list of general checks that can be enforced on credentials.
Check | Type | Description | Setting | Accepted | Rejected |
---|---|---|---|---|---|
username_min_length | username | Minimum length of the username | 4 | ✓ abcd | ✘ abc |
username_min_special | username | Minimum number of special characters | 1 | ✓ a@bc | ✘ abcd |
username_min_digit | username | Minimum number of digits | 1 | ✓ a1bc | ✘ abcd |
username_min_upper | username | Minimum number of upper-case letters | 2 | ✓ aBC | ✘ aBc |
username_min_lower | username | Minimum number of lower-case letters | 1 | ✓ aBC | ✘ ABC |
username_min_repeat | username | Maximum number of times a character may be repeated consecutively | 2 | ✓ aaBCa | ✘ aaaBCa |
username_contain_password | username | The username must not contain the password | on | ✓ username - password | ✘ username + password |
username_contain | username | The username must contain one of these characters | a,b,c | ✓ ade | ✘ efg |
username_not_contain | username | The username must not contain any of these characters | x,y,z | ✓ ade | ✘ axf |
username_ignore_case | username | Ignore case when performing the checks above | on | ✓ Ade | ✘ aXf |
password_min_length | password | Minimum length of the password | 4 | ✓ abcd | ✘ abc |
password_min_special | password | Minimum number of special characters | 1 | ✓ a@bc | ✘ abc |
password_min_digit | password | Minimum number of digits in the password | 1 | ✓ a1bc | ✘ abc |
password_min_upper | password | Minimum number of upper-case letters | 1 | ✓ Abc | ✘ abc |
password_min_lower | password | Minimum number of lower-case letters | 1 | ✓ aBC | ✘ ABC |
password_min_repeat | password | Maximum number of times a character may be repeated consecutively | 2 | ✓ aab | ✘ aaab |
password_contain_username | password | The password must not contain the username | on | ✓ password - username | ✘ password + username |
password_contain | password | The password must contain one of these characters | a,b,c | ✓ ade | ✘ xfg |
password_not_contain | password | The password must not contain any of these characters | x,y,z | ✓ abc | ✘ axf |
password_ignore_case | password | Ignore case when performing the checks above | on | ✓ Abc | ✘ aXf |
password_valid_until | password | Minimum number of days enforced for the VALID UNTIL clause of CREATE ROLE | 60 | ✓ CREATE ROLE abcd VALID UNTIL (now()+'3 months'::interval)::date | ✘ CREATE ROLE abcd LOGIN; |
password_valid_max | password | Maximum number of days allowed for the VALID UNTIL clause of CREATE ROLE | 365 | ✓ CREATE ROLE abcd VALID UNTIL (now()+'6 months'::interval)::date | ✘ CREATE ROLE abcd VALID UNTIL (now()+'2 years'::interval)::date; |
The pg_settings listing in the usage examples below also shows parameters that are not in this table (password_reuse_history, password_reuse_interval, max_auth_failure, auth_failure_cache_size, history_max_size, no_password_logging, reset_superuser). They belong to the password reuse and authentication failure policies named in the description above, but this page does not document their semantics.
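The rules in the table are simple enough to reproduce outside the server, which is useful when a provisioning script wants to reject a bad username or password before it issues CREATE ROLE and leaves an error in the server log. The following Python is an added example, not code from the credcheck extension or from AntDB: it re-implements the checks under the same parameter names, using the table's accepted/rejected examples as its specification. Everything the table does not pin down is an assumption: a "special" character is taken to be any character that is not a letter or digit, the *_contain and *_not_contain values are read as comma-separated lists, and *_ignore_case is applied to the contain-style checks (including *_contain_username / *_contain_password, which is the behaviour example 2 below shows). The render_alter_system helper is likewise an addition: it emits ALTER SYSTEM statements so that the policy validated locally is the one persisted on the server, since a plain SET lasts only for the current session.

```python
from datetime import date

# Default policy: the permissive defaults in the pg_settings listing on this
# page (0 = check disabled, "" = no character set, True/False = on/off).
DEFAULT_POLICY = {
    "username_min_length": 1, "username_min_special": 0, "username_min_digit": 0,
    "username_min_upper": 0, "username_min_lower": 0, "username_min_repeat": 0,
    "username_contain_password": True, "username_contain": "",
    "username_not_contain": "", "username_ignore_case": False,
    "password_min_length": 1, "password_min_special": 0, "password_min_digit": 0,
    "password_min_upper": 0, "password_min_lower": 0, "password_min_repeat": 0,
    "password_contain_username": True, "password_contain": "",
    "password_not_contain": "", "password_ignore_case": False,
    "password_valid_until": 0, "password_valid_max": 0,
}

def _max_run(s):
    """Length of the longest run of one repeated character ('aaab' -> 3)."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best

def _check_string(kind, value, other, policy):
    """Apply the <kind>_* checks to value (kind is 'username' or 'password'); other is
    the password when checking a username and vice versa. Returns violated rules."""
    p = lambda name: policy[f"{kind}_{name}"]
    errors = []
    if len(value) < p("min_length"):
        errors.append(f"{kind} length should match the configured credcheck.{kind}_min_length")
    # Assumption: a "special" character is any character that is not a letter or digit.
    counts = {"min_special": sum(not c.isalnum() for c in value),
              "min_digit": sum(c.isdigit() for c in value),
              "min_upper": sum(c.isupper() for c in value),
              "min_lower": sum(c.islower() for c in value)}
    for name, have in counts.items():
        if have < p(name):
            errors.append(f"{kind} does not satisfy credcheck.{kind}_{name}")
    # min_repeat is the longest run of one character still allowed (aaBCa passes 2, aaaBCa fails).
    if p("min_repeat") and _max_run(value) > p("min_repeat"):
        errors.append(f"{kind} repeats a character more than credcheck.{kind}_min_repeat times")
    # Assumption: ignore_case governs the contain-style checks (see example 2 on this page).
    fold = str.lower if p("ignore_case") else (lambda s: s)
    v = fold(value)
    must = [fold(c) for c in p("contain").split(",") if c]
    if must and not any(c in v for c in must):
        errors.append(f"{kind} should contain one of: {p('contain')}")
    banned = [fold(c) for c in p("not_contain").split(",") if c]
    if any(c in v for c in banned):
        errors.append(f"{kind} should not contain any of: {p('not_contain')}")
    other_kind = "password" if kind == "username" else "username"
    if p(f"contain_{other_kind}") and other and fold(other) in v:
        errors.append(f"{kind} should not contain {other_kind}")
    return errors

def check_valid_until(valid_until, policy, today=None):
    """VALID UNTIL check: None means the clause was omitted; dates may be date objects or ISO strings."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    min_days, max_days = policy["password_valid_until"], policy["password_valid_max"]
    if valid_until is None:
        return ["VALID UNTIL is required by credcheck.password_valid_until"] if min_days else []
    if isinstance(valid_until, str):
        valid_until = date.fromisoformat(valid_until)
    days = (valid_until - today).days
    errors = []
    if min_days and days < min_days:
        errors.append(f"VALID UNTIL must be at least {min_days} days ahead")
    if max_days and days > max_days:
        errors.append(f"VALID UNTIL must be at most {max_days} days ahead")
    return errors

def check_credentials(username, password, policy=None, valid_until=None, today=None):
    """Run every check; an empty list means CREATE ROLE should be accepted."""
    policy = {**DEFAULT_POLICY, **(policy or {})}
    return (_check_string("username", username, password, policy)
            + _check_string("password", password, username, policy)
            + check_valid_until(valid_until, policy, today))

def render_alter_system(policy):
    """Render the non-default entries of a policy as ALTER SYSTEM statements so the
    server enforces the same rules permanently (SET lasts only for the session)."""
    stmts = []
    for name, value in policy.items():
        if value == DEFAULT_POLICY.get(name):
            continue
        if isinstance(value, bool):
            literal = "on" if value else "off"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = "'" + value.replace("'", "''") + "'"
        stmts.append(f"ALTER SYSTEM SET credcheck.{name} = {literal};")
    return stmts + ["SELECT pg_reload_conf();"]

if __name__ == "__main__":
    # Constructed policy; the first call reproduces example 2 on this page.
    policy = {"password_min_length": 8, "password_min_digit": 1, "password_ignore_case": True}
    print(check_credentials("user6", "USER6@123", policy))  # ['password should not contain username']
    print("\n".join(render_alter_system(policy)))
```

Run the script to see the rejected password from example 2 and the ALTER SYSTEM statements that would persist the same policy; the statements still need a superuser session, exactly as SET does.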
Usage examples:
# list the names of the credcheck configuration parameters
antdb=# SELECT name,setting FROM pg_settings WHERE name LIKE '%credcheck%';
name | setting
-------------------------------------+---------
credcheck.auth_failure_cache_size | 1024
credcheck.history_max_size | 65535
credcheck.max_auth_failure | 0
credcheck.no_password_logging | on
credcheck.password_contain |
credcheck.password_contain_username | on
credcheck.password_ignore_case | off
credcheck.password_min_digit | 0
credcheck.password_min_length | 1
credcheck.password_min_lower | 0
credcheck.password_min_repeat | 0
credcheck.password_min_special | 0
credcheck.password_min_upper | 0
credcheck.password_not_contain |
credcheck.password_reuse_history | 0
credcheck.password_reuse_interval | 0
credcheck.password_valid_max | 0
credcheck.password_valid_until | 0
credcheck.reset_superuser | off
credcheck.username_contain |
credcheck.username_contain_password | on
credcheck.username_ignore_case | off
credcheck.username_min_digit | 0
credcheck.username_min_length | 4
credcheck.username_min_lower | 0
credcheck.username_min_repeat | 0
credcheck.username_min_special | 0
credcheck.username_min_upper | 0
credcheck.username_not_contain |
(29 rows)
1. Testing credcheck.username_min_length
# show the current value of credcheck.username_min_length
antdb=# SHOW credcheck.username_min_length;
credcheck.username_min_length
-------------------------------
1
(1 row)
# set credcheck.username_min_length
antdb=# SET credcheck.username_min_length TO 4;
SET
# only a CREATE USER whose name satisfies credcheck.username_min_length succeeds
antdb=# CREATE USER abc WITH PASSWORD 'pass';
ERROR: username length should match the configured credcheck.username_min_length
antdb=# CREATE USER abcd WITH PASSWORD 'pass';
CREATE ROLE
2. Setting credcheck.password_ignore_case so that case is ignored
antdb=# SET credcheck.password_ignore_case=on;
SET
antdb=# SHOW credcheck.password_ignore_case;
credcheck.password_ignore_case
--------------------------------
on
(1 row)
antdb=# CREATE USER user6 WITH PASSWORD 'user6@123';
ERROR: password should not contain username
antdb=# CREATE USER user6 WITH PASSWORD 'USER6@123'; -- with case ignored, this is the same as 'user6@123'
ERROR: password should not contain username
antdb=# CREATE USER user6 WITH PASSWORD 'abcd@123';
CREATE ROLE
Feedback