Commit 97ddc47

Avoid logging complaints about abandoned connections when using PAM.

For a long time (since commit aed378e) we have had a policy to log nothing about a connection if the client disconnects when challenged for a password. This is because libpq-using clients will typically do that, and then come back for a new connection attempt once they've collected a password from their user, so that logging the abandoned connection attempt will just result in log spam. However, this did not work well for PAM authentication: the bottom-level function pam_passwd_conv_proc() was on board with it, but we logged messages at higher levels anyway, for lack of any reporting mechanism.

Add a flag and tweak the logic so that the case is silent, as it is for other password-using auth mechanisms.

Per complaint from Yoann La Cancellera. It's been like this for awhile, so back-patch to all supported branches.

Discussion: https://postgr.es/m/CACP=ajbrFFYUrLyJBLV8=q+eNCapa1xDEyvXhMoYrNphs-xqPw@mail.gmail.com

1 parent 2bfe015 commit 97ddc47

‎src/backend/libpq/auth.c

Lines changed: 17 additions & 9 deletions
@@ -105,6 +105,7 @@ static const char *pam_passwd = NULL;/* Workaround for Solaris 2.6
105105
* brokenness */
106106
staticPort*pam_port_cludge;/* Workaround for passing "Port *port" into
107107
* pam_passwd_conv_proc */
108+
staticboolpam_no_password;/* For detecting no-password-given */
108109
#endif/* USE_PAM */
109110

110111
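Review bot: The comment on the new file-level flag pam_no_password says only "For detecting no-password-given" and does not say which function sets it or which one clears and reads it. It sits beside pam_port_cludge, which is documented as a workaround for passing data into pam_passwd_conv_proc, so a matching note (set by pam_passwd_conv_proc, reset and consumed by CheckPAMAuth) would make the flag's lifetime clear to the next reader.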

@@ -2110,8 +2111,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,
21102111
{
21112112
/*
21122113
* Client didn't want to send password. We
2113-
* intentionally do not log anything about this.
2114+
* intentionally do not log anything about this,
2115+
* either here or at higher levels.
21142116
*/
2117+
pam_no_password= true;
21152118
gotofail;
21162119
}
21172120
}
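Review bot: The revised comment promises silence "either here or at higher levels" but does not name the mechanism; the only link is the `pam_no_password = true;` assignment placed after the comment closes. Suggest the comment say that this flag is what tells the caller to skip its own log message, so the comment and the caller-side check stay in sync if either one changes.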
@@ -2170,6 +2173,7 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
21702173
*/
21712174
pam_passwd=password;
21722175
pam_port_cludge=port;
2176+
pam_no_password= false;
21732177

21742178
/*
21752179
* Set the application data portion of the conversation struct. This is
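Review bot: The `pam_no_password = false;` reset in CheckPAMAuth has no comment, yet the flag is a file-level static, so this line is what stops a value set during one authentication attempt from suppressing the log message for a later, unrelated failure. A one-line comment saying so would keep it from being removed as redundant.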
@@ -2255,22 +2259,26 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
22552259

22562260
if (retval!=PAM_SUCCESS)
22572261
{
2258-
ereport(LOG,
2259-
(errmsg("pam_authenticate failed: %s",
2260-
pam_strerror(pamh,retval))));
2262+
/* If pam_passwd_conv_proc saw EOF, don't log anything */
2263+
if (!pam_no_password)
2264+
ereport(LOG,
2265+
(errmsg("pam_authenticate failed: %s",
2266+
pam_strerror(pamh,retval))));
22612267
pam_passwd=NULL;/* Unset pam_passwd */
2262-
returnSTATUS_ERROR;
2268+
returnpam_no_password ?STATUS_EOF :STATUS_ERROR;
22632269
}
22642270

22652271
retval=pam_acct_mgmt(pamh,0);
22662272

22672273
if (retval!=PAM_SUCCESS)
22682274
{
2269-
ereport(LOG,
2270-
(errmsg("pam_acct_mgmt failed: %s",
2271-
pam_strerror(pamh,retval))));
2275+
/* If pam_passwd_conv_proc saw EOF, don't log anything */
2276+
if (!pam_no_password)
2277+
ereport(LOG,
2278+
(errmsg("pam_acct_mgmt failed: %s",
2279+
pam_strerror(pamh,retval))));
22722280
pam_passwd=NULL;/* Unset pam_passwd */
2273-
returnSTATUS_ERROR;
2281+
returnpam_no_password ?STATUS_EOF :STATUS_ERROR;
22742282
}
22752283

22762284
retval=pam_end(pamh,retval);
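Review bot: Both failure branches now end in `returnpam_no_password ?STATUS_EOF :STATUS_ERROR;`, which adds STATUS_EOF to the values CheckPAMAuth can return, but nothing in the visible lines documents that or shows the caller treating STATUS_EOF as the silent case. Please confirm the caller handles it and mention the new return value in the function's header comment. The guard and the ternary are also repeated verbatim for pam_authenticate and pam_acct_mgmt; the second copy depends on the flag having been set during a conversation, so a short comment on when that can still be true in the pam_acct_mgmt branch would help, since a wrongly set flag there would hide a real account-management failure from the log.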
