Re: Change authentication error message (patch) - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Change authentication error message (patch)
Date
Msg-id 20140124035409.GF8993@momjian.us
In response to Re: Change authentication error message (patch)  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Change authentication error message (patch)  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Thu, Jan 23, 2014 at 10:39:34PM -0500, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > I have developed the attached patch to fix this problem.  Do I need to
> > say "invalid user or invalid or expired password"?
> 
> I'm not convinced that this improves anything.  The problem might not in
> fact be either of the things you mention, in which case the new message 
> is outright misleading.  Also, what of the policy stated in the header
> comment for the function you're hacking, ie we intentionally don't reveal
> the precise cause of the failure to the client?

Well, the only solution then would be to add some weasel words like
"perhaps expired password", but that seems so rare that I doubt it would
apply very often and seems like an odd suggestion.  We could go with:

	password authentication failed for user \"%s\": perhaps invalid or expired password

We did have two threads on this issue in the past 12 months so I figured
we should try to do something.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com
 + Everyone has their own god. +
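
The policy Tom Lane refers to in the quoted text above (one client-visible message for every failure cause, with the precise cause kept for the server log), as an added sketch that is not part of the original message and not PostgreSQL's own code. The account table, the function names and the log detail strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef enum { AUTH_OK, AUTH_NO_ROLE, AUTH_BAD_PASSWORD, AUTH_EXPIRED } AuthCause;
typedef struct { const char *user, *password; time_t valid_until; } Account;

/* Constructed sample accounts (hypothetical); valid_until 0 means no expiry.
 * Plaintext comparison keeps the sketch short; real servers compare hashes. */
static const Account accounts[] = {
    { "alice", "correct-horse", 0 },
    { "bob",   "hunter2",       1000000000 },   /* expired in 2001 */
};

/* Work out the real cause of a failure; this never goes to the client. */
AuthCause check_password(const char *user, const char *password, time_t now)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++) {
        if (strcmp(accounts[i].user, user) != 0)
            continue;
        if (strcmp(accounts[i].password, password) != 0)
            return AUTH_BAD_PASSWORD;
        if (accounts[i].valid_until != 0 && accounts[i].valid_until <= now)
            return AUTH_EXPIRED;
        return AUTH_OK;
    }
    return AUTH_NO_ROLE;
}

/* Client text is the same for every cause; the detail is for the server log. */
void report_failure(AuthCause cause, const char *user, char *client, size_t clen,
                    char *logdetail, size_t llen)
{
    static const char *const detail[] = { "", "role does not exist",
        "password does not match", "password has expired" };
    snprintf(client, clen, "password authentication failed for user \"%s\"", user);
    snprintf(logdetail, llen, "%s", detail[cause]);
}

int main(void)
{
    const char *tries[][2] = { {"mallory", "x"}, {"bob", "wrong"}, {"bob", "hunter2"} };
    char client[128], logdetail[128];
    for (size_t i = 0; i < 3; i++) {
        AuthCause c = check_password(tries[i][0], tries[i][1], time(NULL));
        report_failure(c, tries[i][0], client, sizeof client, logdetail, sizeof logdetail);
        printf("client: %s\nlog:    %s (%s)\n", client, client, logdetail);
    }
    return 0;
}
```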


