z17033 commented on issue #739:
URL: https://github.com/apache/cloudberry/issues/739#issuecomment-2508777303

   > hi @z17033 , thanks for submitting the bug. When the connection is closed
   > by the server, psql will try to reset the connection by closing and creating a
   > new connection using the old connection params. This is kind of an optimization
   > of `psql`. Could you give more explanation about what security problems this
   > can bring?
   
   @fanfuxiaoran Thank you for your reply. 
   First, while it is indeed possible to configure trust for user login, it
   is generally disabled in our commercial environments. Consider the following
   scenario:
   
   Step 1: User gpadmin is a superuser with the password _Passw0rd@__ and must 
use a password to log in. To prevent long idle sessions, `idle_session_timeout` 
is set to 60 seconds.
   
   Step 2: On the first login (`psql -U gpadmin`), the user needs to enter the 
password to log in, which is expected behavior.
   
   Step 3: After logging in, if the user is idle for more than 1 minute and 
then tries to execute a query, **a new session connection is automatically 
created without requiring password input. I believe this is not expected 
behavior.**
   
   ```text
   postgres=# select 1;
   FATAL:  terminating connection due to idle-session timeout
   server closed the connection unexpectedly
           This probably means the server terminated abnormally
           before or while processing the request.
   The connection to the server was lost. Attempting reset: Succeeded.
   seasql=#
   ```
   
   **A password prompt should appear when a new connection is created 
correctly.**
   
   ```text
   postgres=# select 1;
   FATAL:  terminating connection due to idle-session timeout
   server closed the connection unexpectedly
           This probably means the server terminated abnormally
           before or while processing the request.
   The connection to the server was lost. Attempting reset:
   Password for user gpadmin:
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
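The three steps in the comment above, as an added example that is not psql, libpq or Cloudberry code: a small model of a server that terminates idle sessions and of a psql-like client that either keeps the password it prompted for and reuses it on reset (what the issue reports) or discards it after authentication so that a reset must prompt again. `FakeServer`, `Client`, `Prompt`, `Clock` and the user name and password are constructed for illustration, and the clock is simulated so the 60-second idle period runs instantly.

```python
"""Model of psql's silent reconnect after an idle-session timeout.

Added example, not code from psql, libpq or Cloudberry. FakeServer, Client,
Prompt and Clock are constructed stand-ins; the user name and password are
sample values. The clock is simulated so the 60 s idle period needs no sleep.
"""

IDLE_SESSION_TIMEOUT = 60.0  # seconds, the value used in the report


class Clock:
    """Simulated wall clock so the idle period needs no real sleeping."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class Prompt:
    """Stands in for the interactive 'Password for user ...:' prompt."""

    def __init__(self, answer):
        self.answer = answer
        self.calls = 0

    def __call__(self):
        self.calls += 1
        return self.answer


class FakeServer:
    """Password-authenticated server that terminates idle sessions."""

    def __init__(self, users, idle_timeout=IDLE_SESSION_TIMEOUT):
        self.users = users          # user -> password (constructed sample data)
        self.idle_timeout = idle_timeout
        self.sessions = {}          # session id -> time of last activity
        self.auth_attempts = 0
        self._next_id = 1

    def connect(self, user, password, now):
        self.auth_attempts += 1
        if self.users.get(user) != password:
            raise PermissionError(f'password authentication failed for user "{user}"')
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = now
        return sid

    def query(self, sid, sql, now):
        last = self.sessions.get(sid)
        if last is None:
            raise ConnectionError("server closed the connection unexpectedly")
        if now - last > self.idle_timeout:
            del self.sessions[sid]  # backend is gone; the client notices on its next send
            raise ConnectionError("FATAL: terminating connection due to idle-session timeout")
        self.sessions[sid] = now
        return f"ok: {sql}"


class Client:
    """psql-like client. With retain_password=True it keeps the prompted
    password and reuses it on reset, as the report describes; with False it
    forgets the password once authenticated, so a reset has to prompt again."""

    def __init__(self, server, user, prompt, clock, retain_password):
        self.server, self.user, self.prompt, self.clock = server, user, prompt, clock
        self.retain_password = retain_password
        self.password = None
        self.sid = None

    def connect(self):
        password = self.password if self.password is not None else self.prompt()
        self.sid = self.server.connect(self.user, password, self.clock.now)
        self.password = password if self.retain_password else None

    def execute(self, sql):
        try:
            return self.server.query(self.sid, sql, self.clock.now)
        except ConnectionError as err:
            # Like psql: report the loss, reset the connection, do not re-run the statement.
            self.connect()
            return f"{err}; attempting reset: succeeded"


def reproduce(retain_password):
    """Run the three steps from the report and return what the user would observe."""
    server = FakeServer({"gpadmin": "example-password"})  # sample credential
    clock = Clock()
    prompt = Prompt("example-password")
    client = Client(server, "gpadmin", prompt, clock, retain_password)
    client.connect()                          # step 2: first login, prompt expected
    first = client.execute("select 1;")
    clock.advance(IDLE_SESSION_TIMEOUT + 1)   # step 3: idle longer than the timeout
    after_idle = client.execute("select 1;")
    return {
        "prompts": prompt.calls,
        "auth_attempts": server.auth_attempts,
        "first": first,
        "after_idle": after_idle,
    }


if __name__ == "__main__":
    for retain in (True, False):
        print("retain_password =", retain, reproduce(retain))
```

With `retain_password=True` the server sees two authentications but the user is prompted once, which is the observation in the report; with `False` the second authentication needs a second prompt. In real psql the reset is libpq's `PQreset()`, which reconnects with the options of the original connection, so the password psql collected at its prompt is reused and the server has no say in that decision: `idle_session_timeout` frees server-side resources, but by itself it cannot force the client to re-authenticate interactively.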

