Setting Password Security Policies
Procedure
User passwords are stored in the system catalog pg_authid. To prevent password leakage, openGauss encrypts user passwords before storing them. The encryption algorithm is determined by the configuration parameter password_encryption_type.
- If parameter password_encryption_type is set to 0, passwords are encrypted using MD5. MD5 is an insecure encryption algorithm. Therefore, you are not advised to use MD5.
- If parameter password_encryption_type is set to 1, passwords are encrypted using SHA-256 and MD5. MD5 is an insecure encryption algorithm. Therefore, you are not advised to use MD5.
- If parameter password_encryption_type is set to 2, passwords are encrypted using SHA-256. This is the default configuration.
Log in as the OS user omm to the primary node of the database.
Run the following command to connect to the database:
gsql -d postgres -p 8000postgres is the name of the database to be connected, and 8000 is the port number of the database primary node.
If information similar to the following is displayed, the connection succeeds:
gsql ((openGauss x.x.x build 50dc16a6) compiled at 2020-11-29 05:49:21 commit 1071 last mr 1373) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. postgres=#View the configured encryption algorithm.
postgres=# SHOW password_encryption_type; password_encryption_type -------------------------- 2 (1 row)If the command output is 0 or 1, run the \q command to exit the database.
Set gs_guc reload -Z coordinator -D using a secure encryption algorithm:
gs_guc reload -N all -I all -c "password_encryption_type=2"
NOTICE:
To prevent password leakage, when running CREATE USER/ROLE to create a database user, do not specify the UNENCRYPTED attribute. In this way, the password of the newly created user must be encrypted for storage.Configure password security parameters.
Password complexity
You need to specify a password when initializing a database, creating a user, or modifying a user. The password must meet the complexity check rules (see password_policy). Otherwise, you are prompted to enter the password again.
- If parameter password_policy is set to 1, the default password complexity rule is used to check passwords.
- If parameter password_policy is set to 0, the password complexity is not verified. You are not advised to set the parameter to this value because it is insecure. Password complexity is skipped only if the password_policy parameter is set to 0 for all openGauss nodes.
Configure the password_policy parameter.
Run the following command to connect to the database:
gsql -d postgres -p 8000postgres is the name of the database to be connected, and 8000 is the port number of the database primary node.
If information similar to the following is displayed, the connection succeeds:
gsql ((openGauss x.x.x build 50dc16a6) compiled at 2020-11-29 05:49:21 commit 1071 last mr 1373) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. postgres=#View the current value.
postgres=# SHOW password_policy; password_policy --------------------- 1 (1 row)If the command output is not 1, run the \q command to exit the database.
Run the following command to set the parameter to its default value 1:
gs_guc reload -N all -I all -c "password_policy=1"
The password complexity requirements are as follows:
- Minimum number of uppercase letters (A-Z) (password_min_uppercase)
- Minimum number of lowercase letters (a-z) (password_min_uppercase)
- Minimum number of digits (0-9) (password_min_digital)
- Minimum number of special characters (password_min_special) (Table 1 lists special characters.)
- Minimum password length (password_min_length)
- Maximum password length (password_max_length)
- A password must contain at least three types of the characters (uppercase letters, lowercase letters, digits, and special characters).
- A password is case insensitive and cannot be the username or the username spelled backwards.
- A new password cannot be the current password and the current password spelled backwards.
Password reuse
An old password can be reused only when it meets the requirements on reuse days (password_reuse_time) and reuse times (password_reuse_max). Table 2 lists the parameter configurations.
NOTE:
The default values of the password_reuse_time and password_reuse_max parameters are 60 and 0, respectively. Large values of the two parameters bring higher security. However, if the values of the parameters are set too large, inconvenience may occur. The default values of the two parameters meet the security requirements. You can change the parameter values as needed for higher security.Configure the password_reuse_time parameter.
Run the following command to connect to the database:
gsql -d postgres -p 8000postgres is the name of the database to be connected, and 8000 is the port number of the database primary node.
If information similar to the following is displayed, the connection succeeds:
gsql ((openGauss x.x.x build 50dc16a6) compiled at 2020-11-29 05:49:21 commit 1071 last mr 1373) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. postgres=#View the current value.
postgres=# SHOW password_reuse_time; password_reuse_time --------------------- 60 (1 row)If the command output is not 60, run the \q command to exit the database.
Run the following command to set the parameter to its default value 60:
NOTE:
You are not advised to set the parameter to 0. This value is valid only when password_reuse_time for all openGauss nodes is set to 0.gs_guc reload -N all -I all -c "password_reuse_time=60"
Configure the password_reuse_max parameter.
Run the following command to connect to the database:
gsql -d postgres -p 8000postgres is the name of the database to be connected, and 8000 is the port number of the database primary node.
If information similar to the following is displayed, the connection succeeds:
gsql ((openGauss x.x.x build 50dc16a6) compiled at 2020-11-29 05:49:21 commit 1071 last mr 1373) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. postgres=#View the current value.
postgres=# SHOW password_reuse_max; password_reuse_max -------------------- 0 (1 row)If the command output is not 0, run the \q command to exit the database.
Run the following command to set the parameter to its default value 0:
gs_guc reload -N all -I all -c "password_reuse_max = 0"
Password validity period
A validity period (password_effect_time) is set for each database user password. If the password is about to expire (password_notify_time), the system displays a message to remind the user to change it upon login.
NOTE:
Considering the usage and service continuity of a database, the database still allows a user to log in after the password expires. A password change notification is displayed every time the user logs in to the database until the password is changed.Configure the password_effect_time parameter.
Run the following command to connect to the database:
gsql -d postgres -p 8000postgres is the name of the database to be connected, and 8000 is the port number of the database primary node.
If information similar to the following is displayed, the connection succeeds:
gsql ((openGauss x.x.x build 50dc16a6) compiled at 2020-11-29 05:49:21 commit 1071 last mr 1373) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. postgres=#View the current value.
postgres=# SHOW password_effect_time; password_effect_time ---------------------- 90 (1 row)If the command output is not 90, run the \q command to exit the database.
Run the following command to set the parameter to 90 (0 is not recommended):
gs_guc reload -N all -I all -c "password_effect_time = 90"
Configure the password_notify_time parameter.
Run the following command to connect to the database:
gsql -d postgres -p 8000postgres is the name of the database to be connected, and 8000 is the port number of the database primary node.
If information similar to the following is displayed, the connection succeeds:
gsql ((openGauss x.x.x build 50dc16a6) compiled at 2020-11-29 05:49:21 commit 1071 last mr 1373) Non-SSL connection (SSL connection is recommended when requiring high-security) Type "help" for help. postgres=#View the current value.
postgres=# SHOW password_notify_time; password_notify_time ---------------------- 7 (1 row)If 7 is not displayed, run the following command to set the parameter to 7 (0 is not recommended):
gs_guc reload -N all -I all -c "password_notify_time = 7"
Password change
During database installation, an OS user with the same name as the initial user is created. The password of the OS user needs to be periodically changed for account security.
To change the password of user user1, run the following command:
passwd user1Change the password as prompted.
System administrators and common users need to periodically change their passwords to prevent the accounts from being stolen.
For example, to change the password of user user1, connect to the database as the system administrator and run the following commands:
postgres=# ALTER USER user1 IDENTIFIED BY "1234@abc" REPLACE "5678@def"; ALTER ROLE NOTE:
1234@abc and 5678@def represent the new password and the original password of user user1, respectively. If the new password does not have the required complexity, the change will not take effect.Administrators can change their own and common users' passwords. If common users forget their passwords, they can ask administrators to change the passwords.
To change the password of user joe, run the following command:
postgres=# ALTER USER joe IDENTIFIED BY "abc@1234"; ALTER ROLE
NOTE:- System administrators are not allowed to change passwords for each other.
- A system administrator can change the password of a common user without being required to provide the common user's old password.
- A system administrator can change their own password but is required to provide the old password.
Password verification
Password verification is required when you set the user or role in the current session. If the entered password is inconsistent with the stored password of the user, an error is reported.
If user joe needs to be set, run the following command:
postgres=# SET ROLE joe PASSWORD "abc@1234"; ERROR: Invalid username/password,set role denied.
Table 1 Special characters
Table 2 Parameter description for reuse days and reuse times
Set user password expiration.
A user with the CREATEROLE permission can create a user with the password expiration feature. The command format is as follows:
postgres=# CREATE USER joe PASSWORD "abc@1234" EXPIRED; CREATE ROLEA user with the CREATEROLE permission can force a user password to expire or force a user to change the forcibly expired password. The command format is as follows:
postgres=# ALTER USER joe PASSWORD EXPIRED; ALTER ROLEpostgres=# ALTER USER joe PASSWORD "abc@2345" EXPIRED; ALTER ROLE NOTE:- After logging in to the database, a user with the password expiration feature is prompted to change the password when the user tries to perform a simple or extended query. The user can then execute the statement after changing the password.
- If a user has the permission to change passwords of other users, the user also has the permission related to password expiration.