passwordpolicy

A dynamically configurable password complexity check extension for PostgreSQL.

Overview

Extension      | Package        | Version | Category | License    | Language
passwordpolicy | passwordpolicy | 2.0.5   | SEC      | PostgreSQL | C

ID   | Extension name | Bin | Lib | Load | Create | Trust | Reloc | Schema
7040 | passwordpolicy |     |     |      |        |       |       | -

Related extensions: passwordcheck, passwordcheck_cracklib, credcheck

PGDG RPM and Pigsty DEB packages of fmbiete/passwordpolicy 2.0.5; the module must be listed in shared_preload_libraries and needs the cracklib runtime.

Versions

Type | Repo   | Version | PG major           | Package                      | Dependencies
EXT  | PGDG   | 2.0.5   | 18, 17, 16, 15, 14 | passwordpolicy               | -
RPM  | PGDG   | 2.0.5   | 18, 17, 16, 15, 14 | passwordpolicy_$v            | cracklib
DEB  | PIGSTY | 2.0.5   | 18, 17, 16, 15, 14 | postgresql-$v-passwordpolicy | cracklib-runtime, libcrack2
OS / PG      | PG18         | PG17         | PG16         | PG15         | PG14
el8.x86_64   |              |              |              |              |
el8.aarch64  |              |              |              |              |
el9.x86_64   |              |              |              |              |
el9.aarch64  |              |              |              |              |
el10.x86_64  |              |              |              |              |
el10.aarch64 |              |              |              |              |
d12.x86_64   | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
d12.aarch64  | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
d13.x86_64   | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
d13.aarch64  | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
u22.x86_64   | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
u22.aarch64  | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
u24.x86_64   | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
u24.aarch64  | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
u26.x86_64   | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5
u26.aarch64  | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5 | PIGSTY 2.0.5

Build

You can build the RPM / DEB package of the passwordpolicy extension with the pig build command:

pig build pkg passwordpolicy         # build the RPM / DEB package

Install

You can install the prebuilt binary package of the passwordpolicy extension directly; first make sure the PGDG repository has been added and enabled:

pig repo add pgdg -u          # add the PGDG repository and refresh the cache

Install the extension with pig, or with apt/yum/dnf:

pig install passwordpolicy               # install for the currently active PG version
pig ext install -y passwordpolicy -v 18  # PG 18
pig ext install -y passwordpolicy -v 17  # PG 17
pig ext install -y passwordpolicy -v 16  # PG 16
pig ext install -y passwordpolicy -v 15  # PG 15
pig ext install -y passwordpolicy -v 14  # PG 14
dnf install -y passwordpolicy_18       # PG 18
dnf install -y passwordpolicy_17       # PG 17
dnf install -y passwordpolicy_16       # PG 16
dnf install -y passwordpolicy_15       # PG 15
dnf install -y passwordpolicy_14       # PG 14
apt install -y postgresql-18-passwordpolicy   # PG 18
apt install -y postgresql-17-passwordpolicy   # PG 17
apt install -y postgresql-16-passwordpolicy   # PG 16
apt install -y postgresql-15-passwordpolicy   # PG 15
apt install -y postgresql-14-passwordpolicy   # PG 14

Preload configuration

shared_preload_libraries = '$libdir/passwordpolicy'

Create the extension

CREATE EXTENSION passwordpolicy;

Usage

Source: README, v2.0.5 release, control file

passwordpolicy is a configurable replacement for the PostgreSQL passwordcheck module. It checks passwords at CREATE ROLE / ALTER ROLE time, can enforce password history and validity rules, and can simulate a soft account lock after repeated failed logins.

Enabling the hook

Load the module before any other password-check modules, then restart PostgreSQL:

shared_preload_libraries = 'passwordpolicy'

When using the account soft-lock or password-history features, install the SQL extension in the postgres database:

CREATE EXTENSION passwordpolicy;

Password complexity

The settings are dynamic, but new values only take effect for new sessions:

password_policy.min_password_len = 15
password_policy.min_special_chars = 1
password_policy.min_numbers = 1
password_policy.min_uppercase_letter = 1
password_policy.min_lowercase_letter = 1
password_policy.require_validuntil = off

Enable the CrackLib dictionary check only after the dictionary file has been created:

password_policy.cracklib_dictpath = '/var/cache/cracklib/postgresql_dict'
password_policy.enable_dictionary_check = on
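As an added example (not code from the passwordpolicy project), a small Python pre-check that mirrors the complexity settings above, so a provisioning script can reject a weak password locally before it ever reaches CREATE ROLE / ALTER ROLE. The conf-fragment parser, the treatment of string.punctuation as "special characters", and the sample passwords are assumptions of this example, not the extension's own definitions.

```python
"""Offline mirror of the password_policy.* complexity rules (hypothetical helper)."""
import re
import string

# Constructed sample: the complexity settings from the page, in postgresql.conf syntax.
SAMPLE_CONF = """
password_policy.min_password_len = 15
password_policy.min_special_chars = 1
password_policy.min_numbers = 1
password_policy.min_uppercase_letter = 1
password_policy.min_lowercase_letter = 1
password_policy.require_validuntil = off
"""

# Assumed fallback values; they match the sample fragment above.
DEFAULTS = {"min_password_len": 15, "min_special_chars": 1, "min_numbers": 1,
            "min_uppercase_letter": 1, "min_lowercase_letter": 1,
            "require_validuntil": False}

def parse_policy(conf_text):
    """Read 'password_policy.<name> = <value>' lines; ints and on/off booleans."""
    policy = dict(DEFAULTS)
    for line in conf_text.splitlines():
        m = re.match(r"\s*password_policy\.(\w+)\s*=\s*'?([^'#\s]+)'?", line)
        if not m or m.group(1) not in policy:
            continue  # unrelated GUC (e.g. cracklib_dictpath) or a password_policy_lock.* line
        key, val = m.group(1), m.group(2)
        if isinstance(policy[key], bool):
            policy[key] = val.lower() in ("on", "true", "1")
        else:
            policy[key] = int(val)
    return policy

def check_password(password, policy, valid_until=None):
    """Return the names of the violated settings; an empty list means it would pass."""
    counts = {
        "min_special_chars": sum(c in string.punctuation for c in password),  # assumed set
        "min_numbers": sum(c.isdigit() for c in password),
        "min_uppercase_letter": sum(c.isupper() for c in password),
        "min_lowercase_letter": sum(c.islower() for c in password),
    }
    violations = []
    if len(password) < policy["min_password_len"]:
        violations.append("min_password_len")
    violations += [k for k, n in counts.items() if n < policy[k]]
    # require_validuntil means the role must carry a VALID UNTIL clause.
    if policy["require_validuntil"] and valid_until is None:
        violations.append("require_validuntil")
    return violations
```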

Soft Account Lock

Soft-locking tracks failed login attempts and, once the threshold is exceeded, delays or rejects the response:

password_policy_lock.number_failures = 5
password_policy_lock.failure_delay = 5
password_policy_lock.auto_unlock = on
password_policy_lock.auto_unlock_after = 0
password_policy_lock.max_number_accounts = 100

Inspect and reset the lock state:

SELECT * FROM passwordpolicy.accounts_locked() ORDER BY usename;
SELECT passwordpolicy.account_locked_reset('app_user');

If password_policy_lock.include_all = false, only the roles listed in passwordpolicy.accounts_lockable take part in soft-locking.

Password history

Password history stores the most recent password hashes in the postgres database and checks whether a new password reuses one of them:

password_policy_history.max_password_history = 5
password_policy_history.max_number_accounts = 100

Notes

  • Version 2.0.5 supports PostgreSQL 14-18.
  • The module must be preloaded; changing shared_preload_libraries requires a restart.
  • PostgreSQL cannot block authentication before it happens, so the soft lock simulates a lock by delaying and returning an error. It does not mitigate authentication DoS attacks.
  • Set password_policy_lock.max_number_accounts and password_policy_history.max_number_accounts sensibly to avoid wasting memory or missing accounts.

Last modified 2026-07-01: routine extension update (d1ad21a)