Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit64e43c5

Browse files
committed
Log a detail message for auth failures due to missing or expired password.
It's worth distinguishing these cases from run-of-the-mill wrong-passwordproblems, since users have been known to waste lots of time pursuing thewrong theory about what's failing. Now, our longstanding policy about howto report authentication failures is that we don't really want to tell the*client* such things, since that might be giving information to a bad guy.But there's nothing wrong with reporting the details to the postmaster log,and indeed the comments in this area of the code contemplate thatinteresting details should be so reported. We just weren't handling theseparticular interesting cases usefully.To fix, add infrastructure allowing subroutines of ClientAuthentication()to return a string to be added to the errdetail_log field of the mainauthentication-failed error report. We might later want to use this toreport other subcases of authentication failure the same way, but for themoment I just dealt with password cases.Per discussion of a patch from Josh Drake, though this is not whathe proposed.
1 parentf0d6f20 commit64e43c5

File tree

3 files changed

+42
-20
lines changed

3 files changed

+42
-20
lines changed

‎src/backend/libpq/auth.c

Lines changed: 27 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -38,9 +38,9 @@
3838
*----------------------------------------------------------------
3939
*/
4040
staticvoidsendAuthRequest(Port*port,AuthRequestareq);
41-
staticvoidauth_failed(Port*port,intstatus);
41+
staticvoidauth_failed(Port*port,intstatus,char*logdetail);
4242
staticchar*recv_password_packet(Port*port);
43-
staticintrecv_and_check_password_packet(Port*port);
43+
staticintrecv_and_check_password_packet(Port*port,char**logdetail);
4444

4545

4646
/*----------------------------------------------------------------
@@ -207,10 +207,11 @@ ClientAuthentication_hook_type ClientAuthentication_hook = NULL;
207207
* in use, and these are items that must be presumed known to an attacker
208208
* anyway.
209209
* Note that many sorts of failure report additional information in the
210-
* postmaster log, which we hope is only readable by good guys.
210+
* postmaster log, which we hope is only readable by good guys. In
211+
* particular, if logdetail isn't NULL, we send that string to the log.
211212
*/
212213
staticvoid
213-
auth_failed(Port*port,intstatus)
214+
auth_failed(Port*port,intstatus,char*logdetail)
214215
{
215216
constchar*errstr;
216217
interrcode_return=ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION;
@@ -273,14 +274,21 @@ auth_failed(Port *port, int status)
273274
}
274275

275276
if (port->hba)
276-
ereport(FATAL,
277-
(errcode(errcode_return),
278-
errmsg(errstr,port->user_name),
279-
errdetail_log("Connection matched pg_hba.conf line %d: \"%s\"",port->hba->linenumber,port->hba->rawline)));
280-
else
281-
ereport(FATAL,
282-
(errcode(errcode_return),
283-
errmsg(errstr,port->user_name)));
277+
{
278+
char*cdetail;
279+
280+
cdetail=psprintf(_("Connection matched pg_hba.conf line %d: \"%s\""),
281+
port->hba->linenumber,port->hba->rawline);
282+
if (logdetail)
283+
logdetail=psprintf("%s\n%s",logdetail,cdetail);
284+
else
285+
logdetail=cdetail;
286+
}
287+
288+
ereport(FATAL,
289+
(errcode(errcode_return),
290+
errmsg(errstr,port->user_name),
291+
logdetail ?errdetail_log("%s",logdetail) :0));
284292

285293
/* doesn't return */
286294
}
@@ -294,6 +302,7 @@ void
294302
ClientAuthentication(Port*port)
295303
{
296304
intstatus=STATUS_ERROR;
305+
char*logdetail=NULL;
297306

298307
/*
299308
* Get the authentication method to use for this frontend/database
@@ -507,12 +516,12 @@ ClientAuthentication(Port *port)
507516
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
508517
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
509518
sendAuthRequest(port,AUTH_REQ_MD5);
510-
status=recv_and_check_password_packet(port);
519+
status=recv_and_check_password_packet(port,&logdetail);
511520
break;
512521

513522
caseuaPassword:
514523
sendAuthRequest(port,AUTH_REQ_PASSWORD);
515-
status=recv_and_check_password_packet(port);
524+
status=recv_and_check_password_packet(port,&logdetail);
516525
break;
517526

518527
caseuaPAM:
@@ -552,7 +561,7 @@ ClientAuthentication(Port *port)
552561
if (status==STATUS_OK)
553562
sendAuthRequest(port,AUTH_REQ_OK);
554563
else
555-
auth_failed(port,status);
564+
auth_failed(port,status,logdetail);
556565

557566
/* Done with authentication, so we should turn off immediate interrupts */
558567
ImmediateInterruptOK= false;
@@ -680,9 +689,10 @@ recv_password_packet(Port *port)
680689
/*
681690
* Called when we have sent an authorization request for a password.
682691
* Get the response and check it.
692+
* On error, optionally store a detail string at *logdetail.
683693
*/
684694
staticint
685-
recv_and_check_password_packet(Port*port)
695+
recv_and_check_password_packet(Port*port,char**logdetail)
686696
{
687697
char*passwd;
688698
intresult;
@@ -692,7 +702,7 @@ recv_and_check_password_packet(Port *port)
692702
if (passwd==NULL)
693703
returnSTATUS_EOF;/* client wouldn't send password */
694704

695-
result=md5_crypt_verify(port,port->user_name,passwd);
705+
result=md5_crypt_verify(port,port->user_name,passwd,logdetail);
696706

697707
pfree(passwd);
698708

‎src/backend/libpq/crypt.c

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,8 +29,14 @@
2929
#include"utils/timestamp.h"
3030

3131

32+
/*
33+
* Check given password for given user, and return STATUS_OK or STATUS_ERROR.
34+
* In the error case, optionally store a palloc'd string at *logdetail
35+
* that will be sent to the postmaster log (but not the client).
36+
*/
3237
int
33-
md5_crypt_verify(constPort*port,constchar*role,char*client_pass)
38+
md5_crypt_verify(constPort*port,constchar*role,char*client_pass,
39+
char**logdetail)
3440
{
3541
intretval=STATUS_ERROR;
3642
char*shadow_pass,
@@ -58,6 +64,8 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass)
5864
if (isnull)
5965
{
6066
ReleaseSysCache(roleTup);
67+
*logdetail=psprintf(_("User \"%s\" has no password assigned."),
68+
role);
6169
returnSTATUS_ERROR;/* user has no password */
6270
}
6371
shadow_pass=TextDatumGetCString(datum);
@@ -148,7 +156,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass)
148156
if (isnull)
149157
retval=STATUS_OK;
150158
elseif (vuntil<GetCurrentTimestamp())
159+
{
160+
*logdetail=psprintf(_("User \"%s\" has an expired password."),
161+
role);
151162
retval=STATUS_ERROR;
163+
}
152164
else
153165
retval=STATUS_OK;
154166
}

‎src/include/libpq/crypt.h

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@
1515

1616
#include"libpq/libpq-be.h"
1717

18-
externintmd5_crypt_verify(constPort*port,constchar*user,
19-
char*client_pass);
18+
externintmd5_crypt_verify(constPort*port,constchar*role,
19+
char*client_pass,char**logdetail);
2020

2121
#endif

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp