Tom Lane wrote:
With the attached patch to not drop nologin roles from the flat password
file, it acts more sanely:

postgres=# create user foo nologin;
postgres=# \c - foo
Password for user "foo": FATAL: password authentication failed for user "foo"
Previous connection kept
postgres=# alter user foo password 'foo';
postgres=# \c - foo
Password for user "foo": << correct password entered here
FATAL:  role "foo" is not permitted to log in
Previous connection kept

Should we just do this, or is it worth working harder?

IMHO this is exactly what we want. It does only offer more information when you already got authentication right and therefore doesn't open an information leak.

Not sure about the warning when creating a role with a password but nologin. Could be useful.

Best Regards
Michael Paesold

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Reply via email to