Re: Logging of PAM Authentication Failure - Mailing list pgsql-hackers

From Kyotaro HORIGUCHI
Subject Re: Logging of PAM Authentication Failure
Msg-id 20130514.103826.188326109.horiguchi.kyotaro@lab.ntt.co.jp
In response to Re: Logging of PAM Authentication Failure  (Amit Langote <amitlangote09@gmail.com>)
Responses Re: Logging of PAM Authentication Failure  (Amit Langote <amitlangote09@gmail.com>)
List pgsql-hackers
> In fact, this is the behavior with all the authentication methods that
> require a password. But, it is only in the case of PAM authentication
> that auth_failed() logs error when first connection attempt is made
> (without password), since the STATUS_EOF is not passed to it in that
> case.

Well, if we are allowed to use a bit ugly way, the attached patch
seems to cope with this issue. As far as I can see there's no
problem since pg_fe_sendauth() refuses to send an empty password.

Any suggestions?

> If we did not drop the connection (unlike what we do now) and
> re-attempted connection with the password added to conn, would the
> backend's authentication state still be waiting for the password? Can
> we do away without having to create a second connection?

Sorry, I read that incorrectly. I had understood the code
after sendAuthRequest in pam_passwd_conv_proc, but it is indeed
used.

regards,

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 3a041d9..304df03 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1816,6 +1816,7 @@ auth_peer(hbaPort *port) * PAM conversation function */
+static int pam_auth_eof = false;static intpam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
         struct pam_response ** resp, void *appdata_ptr)
 
@@ -1824,6 +1825,8 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,    struct pam_response *reply;
  int            i;
 
+    pam_auth_eof = false;
+    if (appdata_ptr)        passwd = (char *) appdata_ptr;    else
@@ -1872,6 +1875,7 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,                         *
Clientdidn't want to send password.  We                         * intentionally do not log anything about this.
               */
 
+                        pam_auth_eof = true;                        goto fail;                    }
if(strlen(passwd) == 0)
 
@@ -1986,6 +1990,16 @@ CheckPAMAuth(Port *port, char *user, char *password)    retval = pam_authenticate(pamh, 0);
+    /*
+     * pam_auth_eof is true when the client disconnected for password request
+     * in pam_passw_conv().
+     */
+    if (pam_auth_eof)
+    {
+        pam_passwd = NULL;        /* Unset pam_passwd */
+        return STATUS_EOF;
+    }
+    if (retval != PAM_SUCCESS)    {        ereport(LOG,
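Review bot: in the first hunk, `static int pam_auth_eof = false;` stores a boolean in an `int` and is inserted between the `* PAM conversation function */` comment and the `pam_passwd_conv_proc` declaration that comment documents. Declare it as `static bool pam_auth_eof = false;`, move it above that comment block, and give it its own one-line comment stating that it records the client closing the connection instead of answering the password prompt, so a reader of `CheckPAMAuth` can find what the flag means without reading the callback.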
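Review bot: in the second hunk, resetting `pam_auth_eof = false;` at the top of `pam_passwd_conv_proc` ties the flag's lifetime to the callback rather than to the `pam_authenticate()` call that consumes it; nothing in the PAM contract limits the conversation function to a single call per authentication, and a later call would clear a value set by an earlier one. Initialize the flag in `CheckPAMAuth` immediately before `pam_authenticate(pamh, 0)` instead, and keep the `= true` on the EOF path as the callback's only write to it.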
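Review bot: in the third hunk, the comment directly above the new `pam_auth_eof = true;` still only says that the client did not want to send a password and that nothing is logged about it; now that this branch also raises a flag that `CheckPAMAuth` turns into `STATUS_EOF`, extend the comment to say so, otherwise the purpose of the assignment is visible only in the other region of the file.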
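Review bot: in the fourth hunk, the new comment says the flag is set "in pam_passw_conv()", but the function is `pam_passwd_conv_proc` as the earlier hunk headers show; fix the name. The early `return STATUS_EOF;` also leaves the `pamh` handle used by `pam_authenticate(pamh, 0)` without a `pam_end()`: either confirm that the existing `retval != PAM_SUCCESS` path immediately below does the same, so the new branch is consistent with it, or release the handle before returning. Since the `pam_auth_eof` test is placed before the `retval` check, EOF deliberately wins regardless of what `pam_authenticate` returned; a short note in the comment that this ordering is intentional would save the next reader the question.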
