(2010/11/19 16:57), KaiGai Kohei wrote:
(2010/11/18 2:17), Robert Haas wrote:
On Wed, Nov 17, 2010 at 10:32 AM, Ross J. Reedstrom<reeds...@rice.edu> wrote:
On Tue, Nov 16, 2010 at 09:41:37PM -0500, Robert Haas wrote:
On Tue, Nov 16, 2010 at 8:15 PM, KaiGai Kohei<kai...@ak.jp.nec.com> wrote:
If we don't need a PoC module for each new hooks, I'm not strongly
motivated to push it into contrib tree.
How about your opinion?
I'd say let it go, unless someone else feels strongly about it.
I would use this module (rate limit new connection attempts) as soon as
I could. Putting a cap on potential CPU usage on a production DB by either
a blackhat or mistake by a developer caused by a mistake in
configuration (leaving the port accessible) is definitely useful, even
in the face of max_connections. My production apps already have
their connections and seldom need new ones. They all use CPU though.
If KaiGai updates the code per previous discussion, would you be
willing to take a crack at adding documentation?
P.S. Your email client seems to be setting the Reply-To address to a
ridiculous value.
OK, I'll revise my patch according to the previous discussion.
The attached patch is revised version.
- Logging part within auth_delay was removed. This module now focuses on
injection of a few seconds delay on authentication failed.
- Documentation parts were added like any other contrib modules.
Thanks,
--
KaiGai Kohei <kai...@ak.jp.nec.com>
contrib/Makefile | 1 +
contrib/README | 5 +++
contrib/auth_delay/Makefile | 14 +++++++
contrib/auth_delay/auth_delay.c | 71 ++++++++++++++++++++++++++++++++++++
doc/src/sgml/auth-delay.sgml | 76 +++++++++++++++++++++++++++++++++++++++
doc/src/sgml/contrib.sgml | 1 +
doc/src/sgml/filelist.sgml | 1 +
7 files changed, 169 insertions(+), 0 deletions(-)
diff --git a/contrib/Makefile b/contrib/Makefile
index e1f2a84..5747bcc 100644
--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -6,6 +6,7 @@ include $(top_builddir)/src/Makefile.global
SUBDIRS = \
adminpack \
+ auth_delay \
auto_explain \
btree_gin \
btree_gist \
diff --git a/contrib/README b/contrib/README
index 6d29cfe..a6abd94 100644
--- a/contrib/README
+++ b/contrib/README
@@ -28,6 +28,11 @@ adminpack -
File and log manipulation routines, used by pgAdmin
by Dave Page <dp...@vale-housing.co.uk>
+auth_delay
+ Add a few second's delay on authentication failed. It enables to make
+ difficult brute-force attacks on database passwords.
+ by KaiGai Kohei <kai...@ak.jp.nec.com>
+
auto_explain -
Log EXPLAIN output for long-running queries
by Takahiro Itagaki <itagaki.takah...@oss.ntt.co.jp>
diff --git a/contrib/auth_delay/Makefile b/contrib/auth_delay/Makefile
new file mode 100644
index 0000000..09d2d54
--- /dev/null
+++ b/contrib/auth_delay/Makefile
@@ -0,0 +1,14 @@
+# contrib/auth_delay/Makefile
+
+MODULES = auth_delay
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/auth_delay
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/auth_delay/auth_delay.c b/contrib/auth_delay/auth_delay.c
new file mode 100644
index 0000000..746ac4b
--- /dev/null
+++ b/contrib/auth_delay/auth_delay.c
@@ -0,0 +1,71 @@
+/* -------------------------------------------------------------------------
+ *
+ * auth_delay.c
+ *
+ * Copyright (C) 2010, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ * contrib/auth_delay/auth_delay.c
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "libpq/auth.h"
+#include "utils/guc.h"
+#include "utils/timestamp.h"
+
+#include <unistd.h>
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
+
+/* GUC Variables */
+static int auth_delay_seconds;
+
+/* Original Hook */
+static ClientAuthentication_hook_type original_client_auth_hook = NULL;
+
+/*
+ * Check authentication
+ */
+static void
+auth_delay_checks(Port *port, int status)
+{
+ /*
+ * Any other plugins which use the ClientAuthentication_hook.
+ */
+ if (original_client_auth_hook)
+ original_client_auth_hook(port, status);
+
+ /*
+ * Inject a few seconds delay on authentication failed.
+ */
+ if (status != STATUS_OK)
+ {
+ sleep(auth_delay_seconds);
+ }
+}
+
+/*
+ * Module Load Callback
+ */
+void
+_PG_init(void)
+{
+ /* Define custome GUC variables */
+ DefineCustomIntVariable("auth_delay.seconds",
+ "Seconds to be delayed on authentication failed",
+ NULL,
+ &auth_delay_seconds,
+ 2,
+ 0, INT_MAX,
+ PGC_POSTMASTER,
+ GUC_UNIT_S,
+ NULL,
+ NULL);
+ /* Install Hooks */
+ original_client_auth_hook = ClientAuthentication_hook;
+ ClientAuthentication_hook = auth_delay_checks;
+}
diff --git a/doc/src/sgml/auth-delay.sgml b/doc/src/sgml/auth-delay.sgml
new file mode 100644
index 0000000..372702d
--- /dev/null
+++ b/doc/src/sgml/auth-delay.sgml
@@ -0,0 +1,76 @@
+<!-- doc/src/sgml/auth-delay.sgml -->
+
+<sect1 id="auth-delay">
+ <title>auth_delay</title>
+
+ <indexterm zone="auth-delay">
+ <primary>auth_delay</primary>
+ </indexterm>
+
+ <para>
+ The <filename>auth_delay</filename> module provides a few seconds
+ delay on authentication failed, without immediate disconnection.
+ This simple feature prevents brute-force type attacks on database
+ passwords, because malicious attacker cannot know whether the supplied
+ password is valid, or not, immediately.
+ </para>
+
+ <para>
+ This module performs just after authentication stage, so it is
+ nonsense to load <filename>auth_delay</filename> module using
+ <command>LOAD</command> or <xref linkend="guc-local-preload-libraries">.
+ We recommend you to put this module on
+ <xref linkend="guc-shared-preload-libraries"> in <filename>postgresql.conf</>.
+ </para>
+
+ <sect2>
+ <title>Configuration parameters</title>
+
+ <para>
+ There is a configuration parameter that control the behavior of
+ <filename>auth_delay</filename>.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>
+ <varname>auth_delay.seconds</varname> (<type>int</type>)
+ </term>
+ <indexterm>
+ <primary><varname>auth_delay.seconds</> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ <varname>auth_delay.seconds</varname> specified the seconds
+ to be injected on authentication failed.
+
+ The default is <literal>2</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ In order to set these parameters in your <filename>postgresql.conf</> file,
+ you will need to add <literal>auth_delay</> to
+ <xref linkend="guc-custom-variable-classes">. Typical usage might be:
+ </para>
+
+<programlisting>
+# postgresql.conf
+shared_preload_libraries = 'auth_delay'
+
+custom_variable_classes = 'auth_delay'
+auth_delay.seconds = '5'
+</programlisting>
+ </sect2>
+
+ <sect2>
+ <title>Author</title>
+
+ <para>
+ KaiGai Kohei <email>kai...@ak.jp.nec.com</email>
+ </para>
+ </sect2>
+
+</sect1>
diff --git a/doc/src/sgml/contrib.sgml b/doc/src/sgml/contrib.sgml
index a7c2a1d..d788473 100644
--- a/doc/src/sgml/contrib.sgml
+++ b/doc/src/sgml/contrib.sgml
@@ -81,6 +81,7 @@ psql -d dbname -f <replaceable>SHAREDIR</>/contrib/<replaceable>module</>.sql
</para>
&adminpack;
+ &auth-delay;
&auto-explain;
&btree-gin;
&btree-gist;
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index 4361991..aa2d801 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -93,6 +93,7 @@
<!-- contrib information -->
<!entity contrib SYSTEM "contrib.sgml">
<!entity adminpack SYSTEM "adminpack.sgml">
+<!entity auth-delay SYSTEM "auth-delay.sgml">
<!entity auto-explain SYSTEM "auto-explain.sgml">
<!entity btree-gin SYSTEM "btree-gin.sgml">
<!entity btree-gist SYSTEM "btree-gist.sgml">
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
