On Fri, 07 Jun 2013 13:07:21 -0700
"Joshua D. Drake" <jd@commandprompt.com> wrote:
>
> On 06/07/2013 12:31 PM, Tom Lane wrote:
> > "Joshua D. Drake" <jd@commandprompt.com> writes:
> >> On 06/07/2013 11:57 AM, Tom Lane wrote:
> >>> I think it's intentional that we don't tell the *client* that
> >>> level of detail.
> >
> >> Why? That seems rather silly.
> >
> > The general policy on authentication failure reports is that we
> > don't tell the client anything it doesn't know already about what
> > the auth method is. We can log additional info into the postmaster
> > log if it seems useful to do so, but the more you tell a client,
> > the more you risk undesirable info leakage to a bad guy. As an
> > example here, reporting the valuntil condition would be acking to
> > an attacker that he had the right password.
>
> So security by obscurity? Alright, without getting into that argument
> how about we change the error message to:
>
> FATAL: Authentication failed: Check server log for specifics
>
> And then we make sure we log proper info?
+1
