Commit 3affe76

Avoid logging complaints about abandoned connections when using PAM.
For a long time (since commit aed378e) we have had a policy to log nothing about a connection if the client disconnects when challenged for a password. This is because libpq-using clients will typically do that, and then come back for a new connection attempt once they've collected a password from their user, so that logging the abandoned connection attempt will just result in log spam. However, this did not work well for PAM authentication: the bottom-level function pam_passwd_conv_proc() was on board with it, but we logged messages at higher levels anyway, for lack of any reporting mechanism. Add a flag and tweak the logic so that the case is silent, as it is for other password-using auth mechanisms.

Per complaint from Yoann La Cancellera. It's been like this for a while, so back-patch to all supported branches.

Discussion: https://postgr.es/m/CACP=ajbrFFYUrLyJBLV8=q+eNCapa1xDEyvXhMoYrNphs-xqPw@mail.gmail.com

1 parent a30531c commit 3affe76

1 file changed: +17 -9 lines changed

src/backend/libpq/auth.c

Lines changed: 17 additions & 9 deletions
@@ -110,6 +110,7 @@ static const char *pam_passwd = NULL;/* Workaround for Solaris 2.6
110110
* brokenness */
111111
staticPort*pam_port_cludge;/* Workaround for passing "Port *port" into
112112
* pam_passwd_conv_proc */
113+
staticboolpam_no_password;/* For detecting no-password-given */
113114
#endif/* USE_PAM */
114115

115116

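Review bot: The comment on the new pam_no_password static, "For detecting no-password-given", does not say who sets the flag or who reads it. Since this is file-scope state shared between functions in the same way as pam_port_cludge, consider spelling out that pam_passwd_conv_proc() sets it when the client sends no password, and that CheckPAMAuth() clears it before each attempt and uses it to decide whether to log and which status to return.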
@@ -2099,8 +2100,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,
20992100
{
21002101
/*
21012102
* Client didn't want to send password. We
2102-
* intentionally do not log anything about this.
2103+
* intentionally do not log anything about this,
2104+
* either here or at higher levels.
21032105
*/
2106+
pam_no_password= true;
21042107
gotofail;
21052108
}
21062109
}
@@ -2159,6 +2162,7 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
21592162
*/
21602163
pam_passwd=password;
21612164
pam_port_cludge=port;
2165+
pam_no_password= false;
21622166

21632167
/*
21642168
* Set the application data portion of the conversation struct. This is
@@ -2244,22 +2248,26 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
22442248

22452249
if (retval!=PAM_SUCCESS)
22462250
{
2247-
ereport(LOG,
2248-
(errmsg("pam_authenticate failed: %s",
2249-
pam_strerror(pamh,retval))));
2251+
/* If pam_passwd_conv_proc saw EOF, don't log anything */
2252+
if (!pam_no_password)
2253+
ereport(LOG,
2254+
(errmsg("pam_authenticate failed: %s",
2255+
pam_strerror(pamh,retval))));
22502256
pam_passwd=NULL;/* Unset pam_passwd */
2251-
returnSTATUS_ERROR;
2257+
returnpam_no_password ?STATUS_EOF :STATUS_ERROR;
22522258
}
22532259

22542260
retval=pam_acct_mgmt(pamh,0);
22552261

22562262
if (retval!=PAM_SUCCESS)
22572263
{
2258-
ereport(LOG,
2259-
(errmsg("pam_acct_mgmt failed: %s",
2260-
pam_strerror(pamh,retval))));
2264+
/* If pam_passwd_conv_proc saw EOF, don't log anything */
2265+
if (!pam_no_password)
2266+
ereport(LOG,
2267+
(errmsg("pam_acct_mgmt failed: %s",
2268+
pam_strerror(pamh,retval))));
22612269
pam_passwd=NULL;/* Unset pam_passwd */
2262-
returnSTATUS_ERROR;
2270+
returnpam_no_password ?STATUS_EOF :STATUS_ERROR;
22632271
}
22642272

22652273
retval=pam_end(pamh,retval);
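Review bot: In the pam_acct_mgmt failure branch, log suppression depends on pam_no_password, which is cleared only once at the top of CheckPAMAuth() and could have been set during the earlier pam_authenticate() conversation. If a PAM stack were to return PAM_SUCCESS from pam_authenticate() even though the conversation function failed, a later genuine pam_acct_mgmt failure would go unlogged and be returned as STATUS_EOF, which removes an audit record for a real authorization failure. Consider adding a comment explaining why that combination cannot occur, or restricting the suppression so an account-management error still reaches the log. The two failure branches also repeat the same check, ereport and conditional return; a small helper would keep them from drifting apart.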
