Thread: Better auth errors from libpq
Folks,
Far and away the most common question we get in IRC includes phrases
like:
psql: FATAL: Ident authentication failed for user "root"
This isn't exactly informative to newbies, so I'm proposing a patch
like that attached for such failures. Instead of seeing that
mysterious message, they'd get something like this:
psql: FATAL: Ident authentication failed for user "root"
HINT: Is pg_hba.conf set properly on the server?
Also good would be some way to make man pages and whatever Windows
uses both for pg_hba.conf and for postgresql.conf. Any hints as to
how to start this would be most welcome :)
Cheers,
David.
--
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fetter@gmail.com
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
Attachment
David Fetter <david@fetter.org> writes:
> This isn't exactly informative to newbies, so I'm proposing a patch
> like that attached for such failures. Instead of seeing that
> mysterious message, they'd get something like this:
> psql: FATAL: Ident authentication failed for user "root"
> HINT: Is pg_hba.conf set properly on the server?
Seems pretty useless. What does "set properly" mean? There isn't even
any good reason to think that the solution to most auth failures is to
change pg_hba.conf, so I'd bet that this hint is wrong far more often
than it's right.
You have to recall also that we deliberately suppress details in auth
failure messages sent to the client, since they might provide useful
clues to someone trying to break in. Admittedly, the above is so
content-free that it gives no aid or comfort to an attacker, but
I don't see that it provides any to a novice DBA either.
regards, tom lane
On Thu, 11 Sep 2008 22:59:40 -0400 Tom Lane <tgl@sss.pgh.pa.us> wrote: > > psql: FATAL: Ident authentication failed for user "root" > > HINT: Is pg_hba.conf set properly on the server? > > Seems pretty useless. What does "set properly" mean? There isn't > even any good reason to think that the solution to most auth failures > is to change pg_hba.conf, so I'd bet that this hint is wrong far more > often than it's right. I think something like: psql: FATAL: Ident authentication failed for user "root" HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html Would be nice. Heck in most modern terminals the HINT would be clickable too :) Sincerely, Joshua D. Drake -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ United States PostgreSQL Association: http://www.postgresql.us/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
On Thu, Sep 11, 2008 at 08:10:45PM -0700, Joshua D. Drake wrote: > On Thu, 11 Sep 2008 22:59:40 -0400 > Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > > psql: FATAL: Ident authentication failed for user "root" > > > HINT: Is pg_hba.conf set properly on the server? > > > > Seems pretty useless. What does "set properly" mean? There isn't > > even any good reason to think that the solution to most auth failures > > is to change pg_hba.conf, so I'd bet that this hint is wrong far more > > often than it's right. > > I think something like: > > psql: FATAL: Ident authentication failed for user "root" > HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html > > Would be nice. Heck in most modern terminals the HINT would be > clickable too :) I'm all for something, and that's a much better something. What we have now--nothing--actively distresses newbies for no good reason. I don't know how many people we've lost right at that point, but the number has to be high, as most people don't just hop into IRC with their problem. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
Joshua Drake <jd@commandprompt.com> writes: > I think something like: > psql: FATAL: Ident authentication failed for user "root" > HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html > Would be nice. Do you really think that's helpful in the typical case where someone fat-fingered their password? I'm not averse to hint messages that are actually helpful, ie, reasonably connected to the *specific* failure situation. The problem I've got with David's proposal is that it provides a one-size-fits-all hint for every possible auth failure. One size does not fit all here. Or to put it even more baldly: this is not an area in which you can improve matters significantly with five minutes' thought and a one-line patch. It would take some actual work. regards, tom lane
On Thu, Sep 11, 2008 at 11:28:36PM -0400, Tom Lane wrote: > Joshua Drake <jd@commandprompt.com> writes: > > I think something like: > > > psql: FATAL: Ident authentication failed for user "root" > > HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html > > > Would be nice. > > Do you really think that's helpful in the typical case where someone > fat-fingered their password? Possibly not. > I'm not averse to hint messages that are actually helpful, ie, > reasonably connected to the *specific* failure situation. The > problem I've got with David's proposal is that it provides a > one-size-fits-all hint for every possible auth failure. One size > does not fit all here. I'd be delighted to make more different sizes. > Or to put it even more baldly: this is not an area in which you can > improve matters significantly with five minutes' thought and a > one-line patch. It would take some actual work. It's work that hasn't yet been done, and thanks for your input on the first versions :) Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
On Thu, Sep 11, 2008 at 11:28:36PM -0400, Tom Lane wrote: > Joshua Drake <jd@commandprompt.com> writes: > > I think something like: > > > psql: FATAL: Ident authentication failed for user "root" > > HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html > > > Would be nice. > > Do you really think that's helpful in the typical case where someone > fat-fingered their password? > > I'm not averse to hint messages that are actually helpful, ie, > reasonably connected to the *specific* failure situation. The problem > I've got with David's proposal is that it provides a one-size-fits-all > hint for every possible auth failure. One size does not fit all here. Here's a few different sizes: one for each auth method. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
Attachment
Tom Lane wrote: > Joshua Drake <jd@commandprompt.com> writes: >> I think something like: > >> psql: FATAL: Ident authentication failed for user "root" >> HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html > >> Would be nice. > > Do you really think that's helpful in the typical case where someone > fat-fingered their password? No but I do think it is helpful based on the error provided. > > I'm not averse to hint messages that are actually helpful, ie, > reasonably connected to the *specific* failure situation. The problem > I've got with David's proposal is that it provides a one-size-fits-all > hint for every possible auth failure. One size does not fit all here. I can agree with that. > > Or to put it even more baldly: this is not an area in which you can > improve matters significantly with five minutes' thought and a one-line > patch. It would take some actual work. Fair enough. Joshua D. Drake > > regards, tom lane >
David Fetter wrote: > On Thu, Sep 11, 2008 at 11:28:36PM -0400, Tom Lane wrote: >> Joshua Drake <jd@commandprompt.com> writes: >>> I think something like: >>> psql: FATAL: Ident authentication failed for user "root" >>> HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html >>> Would be nice. >> Do you really think that's helpful in the typical case where someone >> fat-fingered their password? >> >> I'm not averse to hint messages that are actually helpful, ie, >> reasonably connected to the *specific* failure situation. The problem >> I've got with David's proposal is that it provides a one-size-fits-all >> hint for every possible auth failure. One size does not fit all here. > > Here's a few different sizes: one for each auth method. The only thing I would say here is that you point the URL to current which will be wrong in one release. Perhaps something that pulls the pgversion macro? Sincerely, Joshua D. Drake > > Cheers, > David. >
Joshua D. Drake wrote: > David Fetter wrote: >> On Thu, Sep 11, 2008 at 11:28:36PM -0400, Tom Lane wrote: >>> Joshua Drake <jd@commandprompt.com> writes: >>>> I think something like: >>>> psql: FATAL: Ident authentication failed for user "root" >>>> HINT: >>>> http://www.postgresql.org/docs/8.3/static/client-authentication.html >>>> Would be nice. >>> Do you really think that's helpful in the typical case where someone >>> fat-fingered their password? >>> >>> I'm not averse to hint messages that are actually helpful, ie, >>> reasonably connected to the *specific* failure situation. The problem >>> I've got with David's proposal is that it provides a one-size-fits-all >>> hint for every possible auth failure. One size does not fit all here. >> >> Here's a few different sizes: one for each auth method. > > The only thing I would say here is that you point the URL to current > which will be wrong in one release. Perhaps something that pulls the > pgversion macro? We don't put URLs in error messages. The hint needs to be a real sentence. -- Heikki Linnakangas EnterpriseDB http://www.enterprisedb.com
Tom Lane <tgl@sss.pgh.pa.us> writes: > Joshua Drake <jd@commandprompt.com> writes: >> I think something like: > >> psql: FATAL: Ident authentication failed for user "root" >> HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html > >> Would be nice. ... > > Or to put it even more baldly: this is not an area in which you can > improve matters significantly with five minutes' thought and a one-line > patch. It would take some actual work. Actually I think there is a problem with the original message that could be improved. The problem is that "Ident" is a Postgres-specific term that a newbie DBA is unlikely to understand. What's worse it's an ambiguous term that is easily misunderstood to refer to the rfc1413 ident protocol which Postgres might or might not be using. I would suggest instead describing it using more generic terminology though offhand I'm not sure what that would be. A detail line could include the Postgres-specific authentication method which failed. I do think it's true that the pg_hba setup is far more complex than it has to be and that that's a bigger problem than a simple error message too. -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Get trained by Bruce Momjian - ask me about EnterpriseDB'sPostgreSQL training!
Hi, David Fetter wrote: > I'm all for something, and that's a much better something. What we > have now--nothing--actively distresses newbies for no good reason. > > I don't know how many people we've lost right at that point, but the > number has to be high, as most people don't just hop into IRC with > their problem. Maybe something much more specific, i.e. triggering only if one tried to connect via localhost or unix sockets, and only if one tried to authenticate as 'root' without a password. The hint shoud IMO say something like: "The default superuser is postgres, not root". Something that's useful for this specific case and doesn't disturb in others. And something that's public knowledge, which any reasonably serious attacker already knows anyway. Maybe also point out that the unix user is chosen by default. Assuming that most of these users didn't explicitly type 'root' and are wondering where that 'root' user came from. Regards Markus Wanner
On Fri, Sep 12, 2008 at 10:08:56AM +0200, Markus Schiltknecht wrote: > Hi, > > David Fetter wrote: >> I'm all for something, and that's a much better something. What we >> have now--nothing--actively distresses newbies for no good reason. >> >> I don't know how many people we've lost right at that point, but >> the number has to be high, as most people don't just hop into IRC >> with their problem. > > Maybe something much more specific, i.e. triggering only if one > tried to connect via localhost or unix sockets, and only if one > tried to authenticate as 'root' without a password. It's not the root part that confuses people, but the entire message. > The hint shoud IMO say something like: "The default superuser is > postgres, not root". Something that's useful for this specific case > and doesn't disturb in others. And something that's public > knowledge, which any reasonably serious attacker already knows > anyway. I, too, disagree with the "security by obscurity" approach to auth error messages. A system cracker will not be deterred by any such a thing, but a new user can easily be. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
On Fri, Sep 12, 2008 at 08:53:39AM +0100, Gregory Stark wrote: > > Tom Lane <tgl@sss.pgh.pa.us> writes: > > > Joshua Drake <jd@commandprompt.com> writes: > >> I think something like: > > > >> psql: FATAL: Ident authentication failed for user "root" > >> HINT: http://www.postgresql.org/docs/8.3/static/client-authentication.html > > > >> Would be nice. > ... > > > > Or to put it even more baldly: this is not an area in which you > > can improve matters significantly with five minutes' thought and a > > one-line patch. It would take some actual work. > > Actually I think there is a problem with the original message that > could be improved. The problem is that "Ident" is a > Postgres-specific term that a newbie DBA is unlikely to understand. > What's worse it's an ambiguous term that is easily misunderstood to > refer to the rfc1413 ident protocol which Postgres might or might > not be using. For "Ident" auth, we need to split that functionality into two separate pieces: socket and network, and add descriptive error messages for each. > I would suggest instead describing it using more generic terminology > though offhand I'm not sure what that would be. A detail line could > include the Postgres-specific authentication method which failed. Excellent idea :) > I do think it's true that the pg_hba setup is far more complex than > it has to be and that that's a bigger problem than a simple error > message too. Agreed. Any ideas as to how we might address this? Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
Heikki Linnakangas wrote: >> The only thing I would say here is that you point the URL to current >> which will be wrong in one release. Perhaps something that pulls the >> pgversion macro? > > We don't put URLs in error messages. The hint needs to be a real sentence. > Which is exactly why its the first thing we do when supporting people. Point them to the URL in the docs. Perhaps the middle man isn't needed. Joshua D. Drake
Joshua D. Drake wrote: > Heikki Linnakangas wrote: > >>> The only thing I would say here is that you point the URL to current >>> which will be wrong in one release. Perhaps something that pulls the >>> pgversion macro? >> >> We don't put URLs in error messages. The hint needs to be a real sentence. > > Which is exactly why its the first thing we do when supporting people. > Point them to the URL in the docs. Let's add a new field in error reports: errurl() -- Alvaro Herrera http://www.CommandPrompt.com/ The PostgreSQL Company - Command Prompt, Inc.
On Fri, Sep 12, 2008 at 12:30:12PM -0400, Alvaro Herrera wrote: > Joshua D. Drake wrote: > > Heikki Linnakangas wrote: > > > >>> The only thing I would say here is that you point the URL to > >>> current which will be wrong in one release. Perhaps something > >>> that pulls the pgversion macro? > >> > >> We don't put URLs in error messages. The hint needs to be a real > >> sentence. > > > > Which is exactly why its the first thing we do when supporting > > people. Point them to the URL in the docs. > > Let's add a new field in error reports: errurl() Excellent idea :) Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
David Fetter wrote: > On Fri, Sep 12, 2008 at 12:30:12PM -0400, Alvaro Herrera wrote: >> Joshua D. Drake wrote: >>> Heikki Linnakangas wrote: >>> >>>>> The only thing I would say here is that you point the URL to >>>>> current which will be wrong in one release. Perhaps something >>>>> that pulls the pgversion macro? >>>> We don't put URLs in error messages. The hint needs to be a real >>>> sentence. >>> Which is exactly why its the first thing we do when supporting >>> people. Point them to the URL in the docs. >> Let's add a new field in error reports: errurl() > > Excellent idea :) > > Cheers, > David. If you start using urls in error messages, it might be helpful to point everything at a single url and only change the query_string, maybe.... http://www.postgresql.org/docs/?err_id Not sure if err_id is the correct value for the query_string, but I'm sure something like the above would simply/centralize management. -- Andrew Chernow eSilo, LLC every bit counts http://www.esilo.com/