void DefineCustomIntVariable(const char *name, const char *short_desc, const char *long_desc, int *valueAddr, int bootValue, int minValue, int maxValue, GucContext context, int flags, GucIntCheckHook check_hook, GucIntAssignHook assign_hook, GucShowHook show_hook)

Definition: guc.c:5180

PGC_SUSET

@ PGC_SUSET

Definition: guc.h:78

GUC_UNIT_BYTE

#define GUC_UNIT_BYTE

Definition: guc.h:236

min_password_length

static int min_password_length

Definition: passwordcheck.c:37

check_password

static void check_password(const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null)

Definition: passwordcheck.c:57

prev_check_password_hook

static check_password_hook_type prev_check_password_hook

Definition: passwordcheck.c:34

check_password_hook

check_password_hook_type check_password_hook

Definition: user.c:91

References check_password(), check_password_hook, DefineCustomIntVariable(), GUC_UNIT_BYTE, MarkGUCPrefixReserved(), min_password_length, PGC_SUSET, and prev_check_password_hook.

◆ check_password()

static void check_password ( const char * username,

const char * shadow_pass,

PasswordType password_type,

Datum validuntil_time,

bool validuntil_null

)

static

Definition at line 57 of file passwordcheck.c.

62{

63 if (prev_check_password_hook)

64 prev_check_password_hook(username, shadow_pass,

65 password_type, validuntil_time,

66 validuntil_null);

67

68 if (password_type != PASSWORD_TYPE_PLAINTEXT)

69 {

70 /*

71 * Unfortunately we cannot perform exhaustive checks on encrypted

72 * passwords - we are restricted to guessing. (Alternatively, we could

73 * insist on the password being presented non-encrypted, but that has

74 * its own security disadvantages.)

75 *

76 * We only check for username = password.

77 */

78 const char *logdetail = NULL;

79

80 if (plain_crypt_verify(username, shadow_pass, username, &logdetail) == STATUS_OK)

81 ereport(ERROR,

82 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),

83 errmsg("password must not equal user name")));

84 }

85 else

86 {

87 /*

88 * For unencrypted passwords we can perform better checks

89 */

90 const char *password = shadow_pass;

91 int pwdlen = strlen(password);

92 int i;

93 bool pwd_has_letter,

94 pwd_has_nonletter;

95#ifdef USE_CRACKLIB

96 const char *reason;

97#endif

98

99 /* enforce minimum length */

100 if (pwdlen < min_password_length)

101 ereport(ERROR,

102 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),

103 errmsg("password is too short"),

104 errdetail("password must be at least \"passwordcheck.min_password_length\" (%d) bytes long",

105 min_password_length)));

106

107 /* check if the password contains the username */

108 if (strstr(password, username))

109 ereport(ERROR,

110 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),

111 errmsg("password must not contain user name")));

112

113 /* check if the password contains both letters and non-letters */

114 pwd_has_letter = false;

115 pwd_has_nonletter = false;

116 for (i = 0; i < pwdlen; i++)

117 {

118 /*

119 * isalpha() does not work for multibyte encodings but let's

120 * consider non-ASCII characters non-letters

121 */

122 if (isalpha((unsigned char) password[i]))

123 pwd_has_letter = true;

124 else

125 pwd_has_nonletter = true;

126 }

127 if (!pwd_has_letter || !pwd_has_nonletter)

128 ereport(ERROR,

129 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),

130 errmsg("password must contain both letters and nonletters")));

131

132#ifdef USE_CRACKLIB

133 /* call cracklib to check password */

134 if ((reason = FascistCheck(password, CRACKLIB_DICTPATH)))

135 ereport(ERROR,

136 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),

137 errmsg("password is easily cracked"),

138 errdetail_log("cracklib diagnostic: %s", reason)));

139#endif

140 }

141

142 /* all checks passed, password is ok */

143}

STATUS_OK

#define STATUS_OK

Definition: c.h:1168

plain_crypt_verify

int plain_crypt_verify(const char *role, const char *shadow_pass, const char *client_pass, const char **logdetail)

Definition: crypt.c:256

PASSWORD_TYPE_PLAINTEXT

@ PASSWORD_TYPE_PLAINTEXT

Definition: crypt.h:42

errdetail

int errdetail(const char *fmt,...)

Definition: elog.c:1207

errcode

int errcode(int sqlerrcode)

Definition: elog.c:854

errmsg

int errmsg(const char *fmt,...)

Definition: elog.c:1071

errdetail_log

int errdetail_log(const char *fmt,...)

Definition: elog.c:1255

ERROR

#define ERROR

Definition: elog.h:39

ereport

#define ereport(elevel,...)

Definition: elog.h:150

username

static char * username

Definition: initdb.c:153

i

int i

Definition: isn.c:77

password

static char * password

Definition: streamutil.c:51

References ereport, errcode(), errdetail(), errdetail_log(), errmsg(), ERROR, i, min_password_length, password, PASSWORD_TYPE_PLAINTEXT, plain_crypt_verify(), prev_check_password_hook, STATUS_OK, and username.

Referenced by _PG_init().

◆ PG_MODULE_MAGIC_EXT()

PG_MODULE_MAGIC_EXT ( . name = "passwordcheck",

. version = PG_VERSION

)

Variable Documentation

◆ min_password_length

int min_password_length = 8

static

Definition at line 37 of file passwordcheck.c.

Referenced by _PG_init(), and check_password().

◆ prev_check_password_hook

check_password_hook_type prev_check_password_hook = NULL

static

Definition at line 34 of file passwordcheck.c.

Referenced by _PG_init(), and check_password().