
Is there any way to prevent a PostgreSQL user from changing his/her own password?

Submitted by: @import:stackexchange-dba

Problem

I'm administering a PostgreSQL server and recently I realized that my "nonsuperuser" users have the possibility to change the secure passwords that I assign them for insecure ones.

I searched in the REVOKE docs, but I couldn't find a way to prevent that. Is it possible?

Thanks in advance!

Solution

AFAIK, there is no way to prevent a user from changing his/her password. It's been discussed (quite long ago) on occasion on the PostgreSQL mailing list, and all the answers I remember were basically "no, you can't".

However, there's a contrib module, called passwordcheck, whose objective is to guarantee the strength of passwords, if that's what you wish (as already commented by @RDFozz).

From the docs:

The passwordcheck module checks users' passwords whenever they are set with CREATE ROLE or ALTER ROLE. If a password is considered too weak, it will be rejected and the command will terminate with an error.

To enable this module, add '$libdir/passwordcheck' to shared_preload_libraries in postgresql.conf, then restart the server.

I've never used the module myself.

Context

StackExchange Database Administrators Q#176205, answer score: 7
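
A configuration check for the setting described in the answer, as an added example that is not part of the original post or of PostgreSQL itself: it parses postgresql.conf text and reports whether passwordcheck is in the effective shared_preload_libraries value, where the last assignment in the file wins. The function names and the sample file are constructed for illustration; include directives and postgresql.auto.conf are not followed.

```python
import re

# Hypothetical helper names; include directives and postgresql.auto.conf are not followed.
# Matches "name = value" or "name value"; value is single-quoted or a bare token.
_SETTING = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*
        (?P<value>'(?:[^'\\]|''|\\.)*'|[^\s#']*)\s*(?:\#.*)?$""",
    re.VERBOSE,
)


def effective_setting(conf_text, name):
    """Return the last (winning) value of `name` in postgresql.conf text, or None."""
    found = None
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if not m or m.group("name").lower() != name.lower():
            continue  # comment, blank line, or a different parameter
        value = m.group("value")
        if value.startswith("'"):
            value = value[1:-1].replace("''", "'").replace("\\'", "'")
        found = value  # later assignments override earlier ones
    return found


def preloaded_libraries(conf_text):
    """Split shared_preload_libraries into bare library names."""
    raw = effective_setting(conf_text, "shared_preload_libraries") or ""
    libs = []
    for item in raw.split(","):
        item = item.strip().strip('"')
        if item:
            libs.append(item.rsplit("/", 1)[-1])  # drop "$libdir/" or a path prefix
    return libs


def passwordcheck_enabled(conf_text):
    return "passwordcheck" in preloaded_libraries(conf_text)

# Constructed sample: a later line silently overrides the earlier one.
SAMPLE_CONF = """\
#shared_preload_libraries = ''   # (change requires restart)
shared_preload_libraries = '$libdir/passwordcheck'
password_encryption = scram-sha-256
shared_preload_libraries = 'pg_stat_statements'   # added later by another admin
"""

if __name__ == "__main__":
    print(preloaded_libraries(SAMPLE_CONF), passwordcheck_enabled(SAMPLE_CONF))
```

On the constructed sample the check reports that passwordcheck is not enabled, because the second shared_preload_libraries line replaces the first instead of adding to it.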
