On 03/14/2017 09:25 PM, Heikki Linnakangas wrote:
> On 03/14/2017 09:02 PM, Jeff Janes wrote:
>> The message returned to the client for the wrong password differs between
>> pg_hba-set scram and pg_hba-set md5/password methods. Is that OK?
>>
>> psql: error received from server in SASL exchange: invalid-proof
>>
>> psql: FATAL: password authentication failed for user "test"
>
> Ah yeah, I was on the fence on that one. Currently, the server returns
> the invalid-proof error to the client, as defined in RFC5802. That
> results in that error message from libpq. Alternatively, the server
> could elog(FATAL), like the other authentication mechanisms do, with the
> same message. The RFC allows that behavior too but returning the
> invalid-proof error code is potentially more friendly to 3rd party SCRAM
> implementations.
>
> One option would be to recognize the "invalid-proof" message in libpq,
> and construct a more informative error message in libpq. Could use the
> same wording, "password authentication failed", but it would behave
> differently wrt. translation, at least.
I went ahead and changed the backend code to not send the
"invalid-proof" error. That seemed like the easiest fix for this. You
now get the same "password authentication failed" error as with MD5 and
plain password authentication.
- Heikki