The PostgreSQL extension credcheck

credcheck is a security extension for PostgreSQL that enforces password policies and credential checks. It is well suited to database environments that must meet security compliance requirements.
I. Extension Overview

1. Key features
- Enforce password complexity requirements
- Prevent the use of common weak passwords
- Enforce password expiry policies
- Check for password reuse
- Limit failed login attempts

2. Typical use cases
- Systems that must comply with security standards such as PCI DSS or HIPAA
- Multi-user database environments
- Applications with high security requirements
II. Installation and Configuration

1. Installation
Download: https://github.com/HexaCluster/credcheck/tags

# Build from source (requires the PostgreSQL development packages)
cd credcheck
make && make install
# Optional but needed for the password-history and failed-login features:
# load the library at server start in postgresql.conf (restart required)
#   shared_preload_libraries = 'credcheck'

-- Then connect to the target database and run
CREATE EXTENSION credcheck;

white=# \dx
                                     List of installed extensions
        Name        | Version |   Schema   |                                Description
--------------------+---------+------------+------------------------------------------------------------------------
 credcheck          | 3.0.0   | public     | credcheck - postgresql plain text credential checker
 pg_bulkload        | 3.1.21  | public     | pg_bulkload is a high speed data loading utility for PostgreSQL
 pg_dirtyread       | 2       | public     | Read dead but unvacuumed rows from table
 pg_repack          | 1.5.0   | public     | Reorganize tables in PostgreSQL databases with minimal locks
 pg_stat_statements | 1.10    | public     | track planning and execution statistics of all SQL statements executed
 pgstattuple        | 1.5     | public     | show tuple-level statistics
 plpgsql            | 1.0     | pg_catalog | PL/pgSQL procedural language
(7 rows)
2. Basic configuration
-- Show the current credcheck settings (all at their defaults here)
white=# select name,setting from pg_settings where name like '%credcheck%';
                 name                 | setting
--------------------------------------+---------
 credcheck.auth_delay_ms              | 0
 credcheck.encrypted_password_allowed | off
 credcheck.max_auth_failure           | 0
 credcheck.no_password_logging        | on
 credcheck.password_contain           |
 credcheck.password_contain_username  | on
 credcheck.password_ignore_case       | off
 credcheck.password_min_digit         | 0
 credcheck.password_min_length        | 1
 credcheck.password_min_lower         | 0
 credcheck.password_min_repeat        | 0
 credcheck.password_min_special       | 0
 credcheck.password_min_upper         | 0
 credcheck.password_not_contain       |
 credcheck.password_reuse_history     | 0
 credcheck.password_reuse_interval    | 0
 credcheck.password_valid_max         | 0
 credcheck.password_valid_until       | 0
 credcheck.reset_superuser            | off
 credcheck.username_contain           |
 credcheck.username_contain_password  | on
 credcheck.username_ignore_case       | off
 credcheck.username_min_digit         | 0
 credcheck.username_min_length        | 1
 credcheck.username_min_lower         | 0
 credcheck.username_min_repeat        | 0
 credcheck.username_min_special       | 0
 credcheck.username_min_upper         | 0
 credcheck.username_not_contain       |
 credcheck.whitelist                  |
 credcheck.whitelist_auth_failure     |
(31 rows)
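With every setting at its default, credcheck enforces almost nothing (minimum length 1, no lockout). The following is an added example, not from the original article or the credcheck project, that turns the settings listed above into a baseline policy; the threshold values and the role names `replication_user` and `postgres` are assumptions to adapt to your environment.

```sql
-- Added example: baseline credcheck policy built from the settings above.
-- Run as a superuser. ALTER SYSTEM writes postgresql.auto.conf; the
-- history and lockout features also need shared_preload_libraries = 'credcheck'.

-- Password composition (assumed thresholds)
ALTER SYSTEM SET credcheck.password_min_length  = 12;
ALTER SYSTEM SET credcheck.password_min_upper   = 1;
ALTER SYSTEM SET credcheck.password_min_lower   = 1;
ALTER SYSTEM SET credcheck.password_min_digit   = 1;
ALTER SYSTEM SET credcheck.password_min_special = 1;
ALTER SYSTEM SET credcheck.password_contain_username = on;   -- password must not contain the role name
ALTER SYSTEM SET credcheck.username_contain_password = on;   -- role name must not contain the password

-- Keep pre-hashed passwords from bypassing the plain-text checks
ALTER SYSTEM SET credcheck.encrypted_password_allowed = off;
-- Never write the attempted password to the server log
ALTER SYSTEM SET credcheck.no_password_logging = on;

-- Reuse: refuse the last 5 passwords and anything used within a year
ALTER SYSTEM SET credcheck.password_reuse_history  = 5;
ALTER SYSTEM SET credcheck.password_reuse_interval = 365;

-- Brute-force resistance: ban a role after 5 failures, slow every failure by 2 s,
-- but never lock out the administrative role (assumed name: postgres)
ALTER SYSTEM SET credcheck.max_auth_failure        = 5;
ALTER SYSTEM SET credcheck.auth_delay_ms           = 2000;
ALTER SYSTEM SET credcheck.whitelist_auth_failure  = 'postgres';

-- Roles exempt from the password checks (assumed name: a replication account)
ALTER SYSTEM SET credcheck.whitelist = 'replication_user';

SELECT pg_reload_conf();

-- Verify: list only the settings that now differ from their boot defaults
SELECT name, setting, boot_val
FROM   pg_settings
WHERE  name LIKE 'credcheck.%' AND setting <> boot_val
ORDER  BY name;

-- Smoke test of the policy (constructed sample roles)
CREATE ROLE app_user LOGIN PASSWORD 'Short1!';                -- rejected: under 12 characters
CREATE ROLE app_user LOGIN PASSWORD 'app_user-Secret-2024';   -- rejected: contains the role name
CREATE ROLE app_user LOGIN PASSWORD 'Tr0ub4dour&Stapler#9';   -- accepted
DROP ROLE app_user;
```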
III. Using the Core Features

1. Password complexity checks
-- The password is checked automatically when a role is created
CREATE ROLE secure_user WITH LOGIN PASSWORD 'Weak123';
-- Throws an error such as:
-- ERROR: password failed dictionary check
-- or ERROR: password is too simple
2. Password history
-- Enable password history: remember the last 5 passwords of each role
-- (credcheck.password_reuse_history is the setting shown in section II)
ALTER SYSTEM SET credcheck.password_reuse_history = 5;
SELECT pg_reload_conf();
-- A password change is now checked against the history
ALTER ROLE existing_user WITH PASSWORD 'NewPass123';
-- Fails with an error if it matches any of the last 5 passwords
3. Failed login limits
-- List roles banned after too many failures (requires credcheck.max_auth_failure > 0)
SELECT * FROM pg_banned_role;
-- Manually unlock a banned account
SELECT pg_banned_role_reset('locked_user');
IV. Advanced Configuration Options

1. Custom dictionary checks
-- Point the extension at a custom word list
UPDATE credcheck.pwquality_settings
SET dict_file = '/path/to/custom_wordlist.txt';
-- Reload the settings
SELECT credcheck.reload_settings();
2. Password expiry policy
-- Cap password validity at 90 days (credcheck.password_valid_max, in days,
-- is the setting shown in section II)
ALTER SYSTEM SET credcheck.password_valid_max = 90;
SELECT pg_reload_conf();
-- Expire a password immediately; the role cannot log in again until an
-- administrator sets a new password (PostgreSQL has no forced change at next login)
ALTER ROLE critical_user WITH PASSWORD 'TempPass123' VALID UNTIL 'now';
3. Exceptions
-- Exempt specific roles from the checks (credcheck.whitelist takes a
-- comma-separated list of role names; see the settings in section II)
ALTER SYSTEM SET credcheck.whitelist = 'service_account';
SELECT pg_reload_conf();
V. Monitoring and Maintenance

1. Monitoring views
-- Show password status
SELECT * FROM credcheck.password_status;
-- Find passwords that are about to expire (past 90% of the maximum age)
SELECT rolname, password_age
FROM credcheck.password_status
WHERE password_age > (SELECT password_max_age FROM credcheck.pwquality_settings) * 0.9;

2. Routine maintenance
-- Purge old failed-attempt records
DELETE FROM credcheck.failed_login_attempts
WHERE attempt_time < now() - interval '30 days';
-- Reload after updating the dictionary file
SELECT credcheck.reload_dictionary();
VI. Security Best Practices

- Combine with pg_hba.conf:
# Restrict connection methods in pg_hba.conf
# (clientcert=1 was removed in PostgreSQL 14; use clientcert=verify-ca or
#  verify-full there, and prefer scram-sha-256 over md5 where clients support it)
hostssl all all 0.0.0.0/0 md5 clientcert=1

- Integrate with pgcrypto:
-- Store an encrypted copy of the password history
CREATE TABLE encrypted_password_history AS
SELECT rolname, pgp_sym_encrypt(password, 'encryption_key')
FROM credcheck.password_history;

- Audit logging:
-- Log password-change events (ALTER ROLE is logged as DDL)
ALTER SYSTEM SET log_statement = 'ddl';
VII. Troubleshooting

Common problems

- The extension fails to load:
# Check the PostgreSQL log
tail -n 50 /var/log/postgresql/postgresql-*.log
# Confirm the .so file is in the right place
find /usr/lib/postgresql -name "credcheck*"

- The policy has no effect:
-- Check for conflicting configuration
SHOW credcheck.enable_password_check;
-- Confirm the configuration has been reloaded
SELECT pg_reload_conf();

- Performance problems:
-- Index the history table for large numbers of roles
CREATE INDEX ON credcheck.password_history (rolname, change_time);
The credcheck extension gives PostgreSQL enterprise-grade password policy management. Configured properly, it significantly strengthens database authentication security; it is best used together with other controls such as SSL encryption and network isolation.