pwdcheck-contrib-doc.patch
application/octet-stream
Filename: pwdcheck-contrib-doc.patch
Type: application/octet-stream
Part: 2
Message:
Re: Rejecting weak passwords
Patch
Format: context
| File | + | − |
|---|---|---|
| doc/src/sgml/contrib.sgml | 1 | 0 |
| doc/src/sgml/filelist.sgml | 1 | 0 |
| doc/src/sgml/passwordcheck.sgml | 49 | 0 |
diff --new-file -c -r postgresql-8.5.orig/doc/src/sgml/contrib.sgml postgresql-8.5/doc/src/sgml/contrib.sgml *** postgresql-8.5.orig/doc/src/sgml/contrib.sgml 2009-11-16 11:31:13.000000000 +0100 --- postgresql-8.5/doc/src/sgml/contrib.sgml 2009-11-16 11:34:04.000000000 +0100 *************** *** 98,103 **** --- 98,104 ---- <ree; &oid2name; &pageinspect; + &passwordcheck; &pgbench; &pgbuffercache; &pgcrypto; diff --new-file -c -r postgresql-8.5.orig/doc/src/sgml/filelist.sgml postgresql-8.5/doc/src/sgml/filelist.sgml *** postgresql-8.5.orig/doc/src/sgml/filelist.sgml 2009-11-16 11:31:14.000000000 +0100 --- postgresql-8.5/doc/src/sgml/filelist.sgml 2009-11-16 11:34:04.000000000 +0100 *************** *** 111,116 **** --- 111,117 ---- <!entity ltree SYSTEM "ltree.sgml"> <!entity oid2name SYSTEM "oid2name.sgml"> <!entity pageinspect SYSTEM "pageinspect.sgml"> + <!entity passwordcheck SYSTEM "passwordcheck.sgml"> <!entity pgbench SYSTEM "pgbench.sgml"> <!entity pgbuffercache SYSTEM "pgbuffercache.sgml"> <!entity pgcrypto SYSTEM "pgcrypto.sgml"> diff --new-file -c -r postgresql-8.5.orig/doc/src/sgml/passwordcheck.sgml postgresql-8.5/doc/src/sgml/passwordcheck.sgml *** postgresql-8.5.orig/doc/src/sgml/passwordcheck.sgml 1970-01-01 01:00:00.000000000 +0100 --- postgresql-8.5/doc/src/sgml/passwordcheck.sgml 2009-11-16 11:34:04.000000000 +0100 *************** *** 0 **** --- 1,49 ---- + <sect1 id="passwordcheck"> + <title>passwordcheck</title> + + <indexterm zone="passwordcheck"> + <primary>passwordcheck</primary> + </indexterm> + + <para> + The <filename>passwordcheck</filename> module checks passwords set with + <xref linkend="SQL-CREATEROLE" endterm="SQL-CREATEROLE-title"> or + <xref linkend="SQL-ALTERROLE" endterm="SQL-ALTERROLE-title">. + If a password is considered too weak, it will be rejected and + the command will terminate with error. + </para> + + <para> + To enable this module, add <literal>'$libdir/passwordcheck.so'</literal> + to <varname>shared_preload_libraries</varname> in + <filename>postgresql.conf</filename> and restart the server. + </para> + + <warning> + <para> + To prevent unencrypted passwords from being sent across the network, + written to the server log or otherwise stolen by a database administrator, + <productname>PostgreSQL</productname> allows the user to supply + pre-encrypted passwords. Many client programs make use of this + functionality and encrypt the password before sending it to the server. + </para> + <para> + This limits the usefulness of the <filename>passwordcheck</filename> + module, because in that case it can only try to guess the password. + For this reason, <filename>passwordcheck</filename> is not + commendable if your security requirements are high. You should use + an external authentication method in that case + (see <xref linkend="client-authentication">). + </para> + </warning> + + <para> + You can adapt this module to your needs by changing the source code. + For example, you can use + <ulink url="http://sourceforge.net/projects/cracklib/">CrackLib</ulink> + to check unencrypted passwords - this can be done by uncommenting + two lines in the <filename>Makefile</filename> and rebuilding the + module. We cannot include <productname>CrackLib</productname> + by default for license reasons. + </para> + </sect1>