Commitfe7a32f

committed
New contrib module, auth_delay.
KaiGai Kohei, with a few changes by me.
1 parentd53c125 commitfe7a32f


7 files changed

+159
-0
lines changed


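--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -6,6 +6,7 @@ include $(top_builddir)/src/Makefile.global
 
 SUBDIRS =\
 adminpack\
+auth_delay\
 auto_explain\
 btree_gin\
 btree_gist\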

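--- a/contrib/README
+++ b/contrib/README
@@ -28,6 +28,11 @@ adminpack -
 File and log manipulation routines, used by pgAdmin
 by Dave Page <dpage@vale-housing.co.uk>
 
+auth_delay
+Add a short delay after a failed authentication attempt, to make
+make brute-force attacks on database passwords a bit harder.
+by KaiGai Kohei <kaigai@ak.jp.nec.com>
+
 auto_explain -
 Log EXPLAIN output for long-running queries
 by Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp>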

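--- a/contrib/auth_delay/Makefile
+++ b/contrib/auth_delay/Makefile
@@ -0,0 +1,14 @@
+# contrib/auth_delay/Makefile
+
+MODULES = auth_delay
+
+ifdefUSE_PGXS
+PG_CONFIG = pg_config
+PGXS :=$(shell$(PG_CONFIG) --pgxs)
+include$(PGXS)
+else
+subdir = contrib/auth_delay
+top_builddir = ../..
+include$(top_builddir)/src/Makefile.global
+include$(top_srcdir)/contrib/contrib-global.mk
+endif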

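--- a/contrib/auth_delay/auth_delay.c
+++ b/contrib/auth_delay/auth_delay.c
@@ -0,0 +1,70 @@
+/* -------------------------------------------------------------------------
+*
+* auth_delay.c
+*
+* Copyright (C) 2010, PostgreSQL Global Development Group
+*
+* IDENTIFICATION
+*contrib/auth_delay/auth_delay.c
+*
+* -------------------------------------------------------------------------
+*/
+#include"postgres.h"
+
+#include"libpq/auth.h"
+#include"port.h"
+#include"utils/guc.h"
+#include"utils/timestamp.h"
+
+PG_MODULE_MAGIC;
+
+void_PG_init(void);
+
+/* GUC Variables */
+staticintauth_delay_milliseconds;
+
+/* Original Hook */
+staticClientAuthentication_hook_typeoriginal_client_auth_hook=NULL;
+
+/*
+* Check authentication
+*/
+staticvoid
+auth_delay_checks(Port*port,intstatus)
+{
+/*
+* Any other plugins which use ClientAuthentication_hook.
+*/
+if (original_client_auth_hook)
+original_client_auth_hook(port,status);
+
+/*
+* Inject a short delay if authentication failed.
+*/
+if (status!=STATUS_OK)
+{
+pg_usleep(1000L*auth_delay_milliseconds);
+}
+}
+
+/*
+* Module Load Callback
+*/
+void
+_PG_init(void)
+{
+/* Define custome GUC variables */
+DefineCustomIntVariable("auth_delay.milliseconds",
+"Milliseconds to delay before reporting authentication failure",
+NULL,
+&auth_delay_milliseconds,
+0,
+0,INT_MAX,
+PGC_SIGHUP,
+GUC_UNIT_MS,
+NULL,
+NULL);
+/* Install Hooks */
+original_client_auth_hook=ClientAuthentication_hook;
+ClientAuthentication_hook=auth_delay_checks;
+}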
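Review bot: The upper bound `INT_MAX` passed to `DefineCustomIntVariable` in `_PG_init` lets the product `1000L*auth_delay_milliseconds` in `auth_delay_checks` overflow wherever `long` is 32 bits. That is signed-overflow undefined behaviour, and it can turn a large configured delay into a short or negative argument to `pg_usleep`, silently weakening the brute-force protection. Capping the setting so the microsecond value always fits, `0, INT_MAX / 1000,`, keeps the conversion safe. Separately, the sleep runs for every `status != STATUS_OK`, so each failed attempt holds its backend and connection slot for the whole interval. A comment at the `pg_usleep` call such as `/* sleeps in the backend; the connection slot stays occupied for the full delay */` would make that cost visible to whoever tunes the value.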

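--- a/doc/src/sgml/auth-delay.sgml
+++ b/doc/src/sgml/auth-delay.sgml
@@ -0,0 +1,67 @@
+<!-- doc/src/sgml/auth-delay.sgml -->
+
+<sect1 id="auth-delay">
+<title>auth_delay</title>
+
+<indexterm zone="auth-delay">
+<primary>auth_delay</primary>
+</indexterm>
+
+<para>
+<filename>auth_delay</filename> causes the server to pause briefly before
+reporting authentication failure, to make brute-force attacks on database
+passwords more difficult. Note that it does nothing to prevent
+denial-of-service attacks, and may even exacerbate them, since processes
+that are waiting before reporting authentication failure will still consume
+connection slots.
+</para>
+
+<para>
+In order to function, this module must be loaded via
+<xref linkend="guc-shared-preload-libraries"> in <filename>postgresql.conf</>.
+</para>
+
+<sect2>
+<title>Configuration parameters</title>
+
+<variablelist>
+<varlistentry>
+<term>
+<varname>auth_delay.milliseconds</varname> (<type>int</type>)
+</term>
+<indexterm>
+<primary><varname>auth_delay.milliseconds</> configuration parameter</primary>
+</indexterm>
+<listitem>
+<para>
+The number of milliseconds to wait before reporting an authentication
+failure. The default is 0.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+
+<para>
+In order to set these parameters in your <filename>postgresql.conf</> file,
+you will need to add <literal>auth_delay</> to
+<xref linkend="guc-custom-variable-classes">. Typical usage might be:
+</para>
+
+<programlisting>
+# postgresql.conf
+shared_preload_libraries = 'auth_delay'
+
+custom_variable_classes = 'auth_delay'
+auth_delay.milliseconds = '500'
+</programlisting>
+</sect2>
+
+<sect2>
+<title>Author</title>
+
+<para>
+KaiGai Kohei <email>kaigai@ak.jp.nec.com</email>
+</para>
+</sect2>
+
+</sect1>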

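--- a/doc/src/sgml/contrib.sgml
+++ b/doc/src/sgml/contrib.sgml
@@ -81,6 +81,7 @@ psql -d dbname -f <replaceable>SHAREDIR</>/contrib/<replaceable>module</>.sql
 </para>
 
 &adminpack;
+&auth-delay;
 &auto-explain;
 &btree-gin;
 &btree-gist;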

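--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -93,6 +93,7 @@
 <!-- contrib information -->
 <!entity contrib SYSTEM "contrib.sgml">
 <!entity adminpack SYSTEM "adminpack.sgml">
+<!entity auth-delay SYSTEM "auth-delay.sgml">
 <!entity auto-explain SYSTEM "auto-explain.sgml">
 <!entity btree-gin SYSTEM "btree-gin.sgml">
 <!entity btree-gist SYSTEM "btree-gist.sgml">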
