On 12/11/18 9:56 AM, Tom Lane wrote:
> I've heard that if you want to implement a password aging policy, PAM
> authentication can manage that for you; but I don't know the details.

Interesting idea ... could use pam-pgsql[1] and PAM as the authentication method. Might result in another connection (from PAM) to authenticate every connection, though. I suppose the module could use a daemon keeping one connection open for auth queries, but the README doesn't *say* it does. Could set up a pooler just for the auth module to connect through, I guess.

It allows you to configure arbitrary auth_query, acct_query, pwd_query, etc., so you could conceivably join pg_authid with some other table where you'd keep expiration info.

Looks like our PAM authentication might not support some PAM capabilities like conducting additional message exchanges (for example, to prompt for a new password on the spot if the old one has expired). It might be possible to shoehorn that capability into the existing fe-be protocol by calling it a custom SASL method, something analogous to ssh's "keyboard-interactive"[2].

-Chap

[1] https://github.com/pam-pgsql/pam-pgsql
[2] https://tools.ietf.org/html/rfc4256
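The "join pg_authid with some other table where you'd keep expiration info" idea above, sketched as an added example that is not part of the thread and not pam-pgsql's own code. The table name password_age, the view password_status, the 90-day default and the role name alice are assumptions; pg_authid and its columns (rolname, rolcanlogin, rolvaliduntil) are the real catalog. The server side would be wired with a pg_hba.conf line using the pam method (e.g. pamservice=postgresql) and a PAM service file that loads pam_pgsql.so for the auth and account stacks; the exact columns pam-pgsql expects acct_query to return are an assumption here, so check the module's README before copying the commented conf line.

```sql
-- Added example (not from the thread, not pam-pgsql code). Bookkeeping for a
-- password-aging policy that a PAM account check can consult. Reading
-- pg_authid requires superuser (or an explicit GRANT SELECT), so the module's
-- connect= role must be privileged accordingly.

-- Assumed table: when each role's password was last rotated and how long it
-- may live. Roles with no row are treated as expired (never rotated).
CREATE TABLE password_age (
    rolname     name        PRIMARY KEY,
    changed_at  timestamptz NOT NULL DEFAULT now(),
    max_age     interval    NOT NULL DEFAULT interval '90 days'
);

-- Assumed view: pg_authid joined with the bookkeeping table. A missing row
-- (changed_at IS NULL) or an aged-out rotation date counts as expired.
-- rolvaliduntil is carried along so the two mechanisms can be compared.
CREATE VIEW password_status AS
SELECT a.rolname,
       a.rolcanlogin,
       a.rolvaliduntil,
       p.changed_at,
       p.max_age,
       (p.changed_at IS NULL OR p.changed_at + p.max_age < now()) AS expired
FROM pg_authid a
LEFT JOIN password_age p USING (rolname)
WHERE a.rolcanlogin;

-- Shape of the per-login account check. In pam_pgsql.conf this would be the
-- acct_query, with the module's %u placeholder in place of the literal name
-- (assumption: confirm the placeholder and the required result columns in the
-- pam-pgsql README), e.g.
--   acct_query = select expired from password_status where rolname = %u
SELECT expired
FROM password_status
WHERE rolname = 'alice';

-- Record a rotation. Run this from the same step that issues
-- ALTER ROLE ... PASSWORD, otherwise the two go out of sync.
INSERT INTO password_age (rolname)
VALUES ('alice')
ON CONFLICT (rolname) DO UPDATE SET changed_at = now();

-- Audit query: every login role currently past its age limit.
SELECT rolname, changed_at, max_age
FROM password_status
WHERE expired
ORDER BY rolname;
```

Two caveats for anyone trying this: the expiry decision lives outside pg_authid, so a password changed directly with ALTER ROLE without touching password_age will still show as stale, which is the safe direction; and, as the message notes, PostgreSQL's PAM support cannot run the extra prompt that would let an expired user pick a new password during login, so the rotation path has to be a separate, already-authenticated operation.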