Re: Change authentication error message (patch) - Mailing list pgsql-hackers

From Marko Tiikkaja
Subject Re: Change authentication error message (patch)
Date
Msg-id 51C2D901.9050007@joh.to
In response to Re: Change authentication error message (patch)  (Markus Wanner <markus@bluegap.ch>)
Responses Re: Change authentication error message (patch)  (Markus Wanner <markus@bluegap.ch>)
List pgsql-hackers

On 20/06/2013 08:47, Markus Wanner wrote:
> On 06/20/2013 12:51 AM, Jeff Janes wrote:
>> I think we need to keep the first "password".  "Password authentication"
>> is a single thing, it is the authentication method attempted.  It is the
>> password method (which includes MD5) which failed, as opposed to the
>> LDAP method or the Peer method or one of the other methods.
>
> That's against the rule of not revealing any more knowledge than a
> potential attacker already has, no? For that reason, I'd rather go with
> just "authentication failed".

My understanding is that the attacker would already have that 
information since the server would have sent an 
AuthenticationMD5Password message to get to the error in the first 
place.  And we still reveal the authentication method to the frontend in 
all other cases ("peer authentication failed", for example).

>> Without this level of explicitness, it might be hard to figure out which
>> row in pg_hba.conf was the one that PostgreSQL glommed onto to use for
>> authentication.
>
> As argued before, that should go into the logs for diagnosis by the
> sysadmin, but should not be revealed to an attacker.

Isn't the point of this patch exactly that we didn't want to go down 
that road?  I.e. "password authentication failed" didn't say that the 
password might've expired, but some people thought just logging a 
WARNING/LOG wasn't enough.


Regards,
Marko Tiikkaja
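
Added example, not part of the original message or of PostgreSQL's source: a small parser for backend protocol messages that shows what a client sees on the wire when the server requests MD5 authentication and then rejects the login with the generic "authentication failed" wording proposed in the quoted text. The byte stream, salt and helper names are constructed for illustration.

```python
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
AUTH_METHODS = {0: "Ok", 2: "KerberosV5", 3: "CleartextPassword",
                5: "MD5Password", 7: "GSS", 9: "SSPI", 10: "SASL"}

def split_messages(stream):
    """Yield (type_byte, payload) for each backend message in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        mtype = stream[pos:pos + 1]
        (length,) = struct.unpack("!I", stream[pos + 1:pos + 5])
        # The length field counts itself (4 bytes) but not the type byte.
        if length < 4 or pos + 1 + length > len(stream):
            raise ValueError("truncated or malformed message")
        yield mtype, stream[pos + 5:pos + 1 + length]
        pos += 1 + length

def parse_error_fields(payload):
    """Decode an ErrorResponse payload into {field_code: text}."""
    fields = {}
    for item in payload.split(b"\x00"):
        if item:
            fields[chr(item[0])] = item[1:].decode("utf-8")
    return fields

def what_client_learns(stream):
    """Return (auth method requested on the wire, error message text)."""
    method, error = None, None
    for mtype, payload in split_messages(stream):
        if mtype == b"R" and len(payload) >= 4:
            (code,) = struct.unpack("!I", payload[:4])
            method = AUTH_METHODS.get(code, "code %d" % code)
        elif mtype == b"E":
            error = parse_error_fields(payload).get("M")
    return method, error

def _msg(mtype, payload):
    """Frame a payload as one protocol message (helper for the sample)."""
    return mtype + struct.pack("!I", len(payload) + 4) + payload

# Constructed sample: AuthenticationMD5Password (code 5 plus a 4-byte salt),
# followed by an ErrorResponse that does not name the method.
SAMPLE = (_msg(b"R", struct.pack("!I", 5) + b"\x01\x02\x03\x04") +
          _msg(b"E", b"SFATAL\x00C28P01\x00Mauthentication failed\x00\x00"))

if __name__ == "__main__":
    print(what_client_learns(SAMPLE))
```

The method is recovered from the authentication request alone, before the error message is read.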


