Commit0238a50

committed
Avoid logging complaints about abandoned connections when using PAM.
For a long time (since commit aed378e) we have had a policy to log nothing about a connection if the client disconnects when challenged for a password. This is because libpq-using clients will typically do that, and then come back for a new connection attempt once they've collected a password from their user, so that logging the abandoned connection attempt will just result in log spam. However, this did not work well for PAM authentication: the bottom-level function pam_passwd_conv_proc() was on board with it, but we logged messages at higher levels anyway, for lack of any reporting mechanism.

Add a flag and tweak the logic so that the case is silent, as it is for other password-using auth mechanisms.

Per complaint from Yoann La Cancellera. It's been like this for awhile, so back-patch to all supported branches.

Discussion: https://postgr.es/m/CACP=ajbrFFYUrLyJBLV8=q+eNCapa1xDEyvXhMoYrNphs-xqPw@mail.gmail.com
1 parent5ee8f0f commit0238a50


1 file changed

+17
-9
lines changed

1 file changed

+17
-9
lines changed

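--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -103,6 +103,7 @@ static struct pam_conv pam_passw_conv = {
 staticchar*pam_passwd=NULL;/* Workaround for Solaris 2.6 brokenness */
 staticPort*pam_port_cludge;/* Workaround for passing "Port *port" into
 * pam_passwd_conv_proc */
+staticboolpam_no_password;/* For detecting no-password-given */
 #endif/* USE_PAM */
 
 
@@ -2106,8 +2107,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,
 {
 /*
 * Client didn't want to send password. We
-* intentionally do not log anything about this.
+* intentionally do not log anything about this,
+* either here or at higher levels.
 */
+pam_no_password= true;
 gotofail;
 }
 }
@@ -2166,6 +2169,7 @@ CheckPAMAuth(Port *port, char *user, char *password)
 */
 pam_passwd=password;
 pam_port_cludge=port;
+pam_no_password= false;
 
 /*
 * Set the application data portion of the conversation struct. This is
@@ -2251,22 +2255,26 @@ CheckPAMAuth(Port *port, char *user, char *password)
 
 if (retval!=PAM_SUCCESS)
 {
-ereport(LOG,
-(errmsg("pam_authenticate failed: %s",
-pam_strerror(pamh,retval))));
+/* If pam_passwd_conv_proc saw EOF, don't log anything */
+if (!pam_no_password)
+ereport(LOG,
+(errmsg("pam_authenticate failed: %s",
+pam_strerror(pamh,retval))));
 pam_passwd=NULL;/* Unset pam_passwd */
-returnSTATUS_ERROR;
+returnpam_no_password ?STATUS_EOF :STATUS_ERROR;
 }
 
 retval=pam_acct_mgmt(pamh,0);
 
 if (retval!=PAM_SUCCESS)
 {
-ereport(LOG,
-(errmsg("pam_acct_mgmt failed: %s",
-pam_strerror(pamh,retval))));
+/* If pam_passwd_conv_proc saw EOF, don't log anything */
+if (!pam_no_password)
+ereport(LOG,
+(errmsg("pam_acct_mgmt failed: %s",
+pam_strerror(pamh,retval))));
 pam_passwd=NULL;/* Unset pam_passwd */
-returnSTATUS_ERROR;
+returnpam_no_password ?STATUS_EOF :STATUS_ERROR;
 }
 
 retval=pam_end(pamh,retval);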
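Review bot: The `pam_acct_mgmt` failure branch tests `pam_no_password`, but the flag is cleared only once near the top of CheckPAMAuth, so a value set while `pam_authenticate` ran still silences this second branch. That is harmless as long as `pam_authenticate` always fails once the conversation function bails out, which these hunks do not show and which presumably depends on how the PAM stack is configured. Where that does not hold, an account-state failure would be dropped from the server log and reported to the caller as `STATUS_EOF` rather than `STATUS_ERROR`. Either spell out the assumption in the second comment, for example `/* pam_passwd_conv_proc may have seen EOF during either PAM call; stay silent in both cases */`, or add `pam_no_password = false;` just before `retval = pam_acct_mgmt(pamh, 0);` so that only an EOF seen during account management suppresses that message. CheckPAMAuth begins and ends outside the hunks shown, so the caller's handling of `STATUS_EOF` could not be checked here.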
