> In fact, this is the behavior with all the authentication methods that
> require a password. But, it is only in the case of PAM authentication
> that auth_failed() logs error when first connection attempt is made
> (without password), since the STATUS_EOF is not passed to it in that
> case.

Well, if we are allowed to use a bit ugly way, the attached patch
seems to cope with this issue. As far as I can see there's no
problem since pg_fe_sendauth() refuses to send empty password.

Any suggestions?

> If we did not drop the connection (unlike what we do now) and
> re-attempted connection with the password added to conn, would the
> backend's authentication state still be waiting for the password? Can
> we do away without having to create a second connection?

Sorry, I've read that incorrectly. I had understood the code
after sendAuthRequest in pam_passwd_conv_proc but it is indeed
used.

regards,

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 3a041d9..304df03 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1816,6 +1816,7 @@ auth_peer(hbaPort *port)
  * PAM conversation function
  */
 
+static int pam_auth_eof = false;
 static int
 pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
                                         struct pam_response ** resp, void 
*appdata_ptr)
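Review bot: `static int pam_auth_eof = false;` declares a boolean flag as int; since it only ever holds true/false and is tested with `if (pam_auth_eof)`, `static bool pam_auth_eof = false;` states the intent and matches the values assigned. A one-line comment above the declaration saying what the flag records (the conversation function saw the client disconnect instead of sending a password) would also help, because it is read in a different function from the one that sets it.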
@@ -1824,6 +1825,8 @@ pam_passwd_conv_proc(int num_msg, const struct 
pam_message ** msg,
        struct pam_response *reply;
        int                     i;
 
+       pam_auth_eof = false;
+
        if (appdata_ptr)
                passwd = (char *) appdata_ptr;
        else
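Review bot: resetting `pam_auth_eof = false;` at the top of pam_passwd_conv_proc() only clears the flag if PAM actually invokes the conversation function; if pam_authenticate() returns without prompting, CheckPAMAuth() reads whatever value the flag was left with. Clearing it in CheckPAMAuth() immediately before the pam_authenticate() call gives it a defined value on every attempt regardless of how the module behaves.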
@@ -1872,6 +1875,7 @@ pam_passwd_conv_proc(int num_msg, const struct 
pam_message ** msg,
                                                 * Client didn't want to send 
password.  We
                                                 * intentionally do not log 
anything about this.
                                                 */
+                                               pam_auth_eof = true;
                                                goto fail;
                                        }
                                        if (strlen(passwd) == 0)
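Review bot: the comment just above (`Client didn't want to send password. We intentionally do not log anything about this.`) should now also say that `pam_auth_eof = true;` is what makes CheckPAMAuth() return STATUS_EOF rather than treat the conversation failure as an authentication error, since the second half of the "do not log" behavior now lives in another function. It is worth stating there too that the flag is deliberately not set on the `strlen(passwd) == 0` branch that follows, so an explicitly empty password is still reported as a failure.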
@@ -1986,6 +1990,16 @@ CheckPAMAuth(Port *port, char *user, char *password)
 
        retval = pam_authenticate(pamh, 0);
 
+       /*
+        * pam_auth_eof is true when the client disconnected for password 
request
+        * in pam_passw_conv().
+        */
+       if (pam_auth_eof)
+       {
+               pam_passwd = NULL;              /* Unset pam_passwd */
+               return STATUS_EOF;
+       }
+
        if (retval != PAM_SUCCESS)
        {
                ereport(LOG,
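Review bot: the new `return STATUS_EOF;` runs before the existing `if (retval != PAM_SUCCESS)` path, so whatever that path does to release the PAM handle (pam_end() on pamh, if that is where it is called) is skipped on the disconnect case and the handle is leaked for the rest of the backend's life; either release the handle before returning or fold the flag check into the error path. Also, the comment refers to `pam_passw_conv()` but the function is `pam_passwd_conv_proc()`.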
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
