passwordcheck_cracklib
passwordcheck_cracklib : Strengthen PostgreSQL user password checks with cracklib
Overview
| ID | Extension | Package | Version | Category | License | Language |
|---|---|---|---|---|---|---|
| 7000 | passwordcheck_cracklib
|
passwordcheck_cracklib
|
3.1.0 |
SEC
|
LGPL-2.1
|
C
|
| Attribute | Has Binary | Has Library | Need Load | Has DDL | Relocatable | Trusted |
|---|---|---|---|---|---|---|
--sL---
|
No
|
Yes
|
Yes
|
No
|
no
|
no
|
| Relationships | |
|---|---|
| See Also | pg_auth_mon
credcheck
pgaudit
login_hook
auth_delay
set_user
sepgsql
|
Packages
| Type | Repo | Version | PG Major Compatibility | Package Pattern | Dependencies |
|---|---|---|---|---|---|
| EXT | MIXED
|
3.1.0 |
18
17
16
15
14
|
passwordcheck_cracklib |
- |
| RPM | PGDG
|
3.1.0 |
18
17
16
15
14
|
passwordcheck_cracklib_$v |
- |
| DEB | PIGSTY
|
3.1.0 |
18
17
16
15
14
|
postgresql-$v-passwordcheck-cracklib |
- |
| Linux / PG | PG18 | PG17 | PG16 | PG15 | PG14 |
|---|---|---|---|---|---|
el8.x86_64
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.0.0
|
PGDG 3.0.0
|
PGDG 3.0.0
|
el8.aarch64
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.0.0
|
PGDG 3.0.0
|
PGDG 3.0.0
|
el9.x86_64
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.0.0
|
PGDG 3.0.0
|
PGDG 3.0.0
|
el9.aarch64
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.0.0
|
PGDG 3.0.0
|
PGDG 3.0.0
|
el10.x86_64
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.1.0
|
el10.aarch64
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.1.0
|
PGDG 3.1.0
|
d12.x86_64
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
d12.aarch64
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
d13.x86_64
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
d13.aarch64
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
u22.x86_64
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
u22.aarch64
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
u24.x86_64
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
u24.aarch64
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
PIGSTY 3.1.0
|
Source
pig build pkg passwordcheck_cracklib; # build debInstall
Make sure PGDG and PIGSTY repo available:
pig repo add pgsql -u # add both repo and update cacheInstall this extension with pig:
pig install passwordcheck_cracklib; # install via package name, for the active PG version
pig install passwordcheck_cracklib -v 18; # install for PG 18
pig install passwordcheck_cracklib -v 17; # install for PG 17
pig install passwordcheck_cracklib -v 16; # install for PG 16
pig install passwordcheck_cracklib -v 15; # install for PG 15
pig install passwordcheck_cracklib -v 14; # install for PG 14Config this extension to shared_preload_libraries:
shared_preload_libraries = '$libdir/passwordcheck_cracklib';This extension does not need CREATE EXTENSION DDL command
Usage
passwordcheck_cracklib: Strengthen PostgreSQL user password checks with cracklib
passwordcheck_cracklib is like the regular PostgreSQL passwordcheck module, except it is built with cracklib for more strict password checks. It checks users’ passwords whenever they are set with CREATE ROLE or ALTER ROLE. If a password is considered too weak, it will be rejected and the command will terminate with an error.
Configuration
Add the library to shared_preload_libraries in postgresql.conf:
shared_preload_libraries = '$libdir/passwordcheck_cracklib'Restart PostgreSQL to activate.
How It Works
Once loaded, any CREATE ROLE or ALTER ROLE command that sets a password will have the password checked against cracklib’s dictionary. Weak or easily guessable passwords will be rejected automatically.
-- This will be rejected if the password is too weak
CREATE ROLE myuser WITH LOGIN PASSWORD 'password123';
-- ERROR: password is easily cracked
-- A strong password will be accepted
CREATE ROLE myuser WITH LOGIN PASSWORD 'X9#kLm$vQ2!pR7';No CREATE EXTENSION is required – this is a shared library module only.