From e02fda966877e80c75884f4940d24dacbfe595bd Mon Sep 17 00:00:00 2001
From: Thomas Munro
Date: Mon, 26 Nov 2018 11:14:16 +1300
Subject: [PATCH] Don't set PAM_RHOST for Unix sockets.
Since commit 2f1d2b7a we have set PAM_RHOST to "[local]" for Unix sockets. This caused Linux PAM's libaudit integeration to make DNS requests for that name. It's not exactly clear what value PAM_RHOST should have in that case, but it seems clear that we shouldn't set it to an unresolvable value. Back-patch to 9.6. Bug #15520.
Author: Thomas Munro
Reported-by: Albert Schabhuetl
Discussion: https://postgr.es/m/15520-4c266f986998e1c5%40postgresql.org
---
 src/backend/libpq/auth.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 4f9d697d6da..57725fd9dda 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2219,15 +2219,18 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
 return STATUS_ERROR;
 }
- retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
-
- if (retval != PAM_SUCCESS)
+ if (port->hba->conntype != ctLocal)
 {
- ereport(LOG,
- (errmsg("pam_set_item(PAM_RHOST) failed: %s",
- pam_strerror(pamh, retval))));
- pam_passwd = NULL;
- return STATUS_ERROR;
+ retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+ if (retval != PAM_SUCCESS)
+ {
+ ereport(LOG,
+ (errmsg("pam_set_item(PAM_RHOST) failed: %s",
+ pam_strerror(pamh, retval))));
+ pam_passwd = NULL;
+ return STATUS_ERROR;
+ }
 }
 retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
--
2.19.1
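Review bot: The new `if (port->hba->conntype != ctLocal)` guard has no comment saying why PAM_RHOST is skipped for Unix-socket connections, and the reason given in the commit message (Linux PAM's libaudit integration made DNS requests for "[local]") cannot be read off the code. I would add above the guard `/* Leave PAM_RHOST unset for Unix sockets: "[local]" is not a resolvable host name and PAM's audit code may try to look it up. */`. With the item left unset, any PAM module or audit record that keys on the remote host presumably sees no rhost for local connections, so host-based rules in the PAM stack are worth re-checking when this is back-patched; that consequence is inferred, not shown in the hunk. CheckPAMAuth starts and ends outside the hunk, so whether hostinfo is still computed for local connections, where it would now go unused, cannot be confirmed from here.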