git.postgresql.org Git - postgresql.git/commitdiff

parent: 2bfe015
Avoid logging complaints about abandoned connections when using PAM.
Tue, 5 Nov 2019 19:27:37 +0000 (14:27 -0500)
For a long time (since commit aed378e8d) we have had a policy to log
nothing about a connection if the client disconnects when challenged
for a password. This is because libpq-using clients will typically
do that, and then come back for a new connection attempt once they've
collected a password from their user, so that logging the abandoned
connection attempt will just result in log spam. However, this did
not work well for PAM authentication: the bottom-level function
pam_passwd_conv_proc() was on board with it, but we logged messages
at higher levels anyway, for lack of any reporting mechanism.
Add a flag and tweak the logic so that the case is silent, as it is
for other password-using auth mechanisms.

Per complaint from Yoann La Cancellera. It's been like this for awhile,
so back-patch to all supported branches.

Discussion: https://postgr.es/m/CACP=ajbrFFYUrLyJBLV8=q+eNCapa1xDEyvXhMoYrNphs-xqPw@mail.gmail.com


diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index ff0832dba8b260294b2c7b94950102dd97c3b413..852571bad6a5c962945bfdd4b2575529fc21c990 100644 (file)
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -105,6 +105,7 @@ static const char *pam_passwd = NULL; /* Workaround for Solaris 2.6
* brokenness */
static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
* pam_passwd_conv_proc */
+static bool pam_no_password; /* For detecting no-password-given */
#endif /* USE_PAM */
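Review bot: The comment on the new `pam_no_password` declaration does not say who writes and who reads the flag, or for how long its value is meaningful. Like `pam_port_cludge` above it, this is file-scope state used to pass information between pam_passwd_conv_proc() and CheckPAMAuth(), so a comment along the lines of "set by pam_passwd_conv_proc when the client sends no password; reset at the start of each CheckPAMAuth call and valid only until it returns" would keep a later reader from consulting it anywhere else.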
@@ -2110,8 +2111,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,
{
/*
* Client didn't want to send password. We
- * intentionally do not log anything about this.
+ * intentionally do not log anything about this,
+ * either here or at higher levels.
*/
+ pam_no_password = true;
goto fail;
}
}
@@ -2170,6 +2173,7 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
*/
pam_passwd = password;
pam_port_cludge = port;
+ pam_no_password = false;
/*
* Set the application data portion of the conversation struct. This is
@@ -2255,22 +2259,26 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
if (retval != PAM_SUCCESS)
{
- ereport(LOG,
- (errmsg("pam_authenticate failed: %s",
- pam_strerror(pamh, retval))));
+ /* If pam_passwd_conv_proc saw EOF, don't log anything */
+ if (!pam_no_password)
+ ereport(LOG,
+ (errmsg("pam_authenticate failed: %s",
+ pam_strerror(pamh, retval))));
pam_passwd = NULL; /* Unset pam_passwd */
- return STATUS_ERROR;
+ return pam_no_password ? STATUS_EOF : STATUS_ERROR;
}
retval = pam_acct_mgmt(pamh, 0);
if (retval != PAM_SUCCESS)
{
- ereport(LOG,
- (errmsg("pam_acct_mgmt failed: %s",
- pam_strerror(pamh, retval))));
+ /* If pam_passwd_conv_proc saw EOF, don't log anything */
+ if (!pam_no_password)
+ ereport(LOG,
+ (errmsg("pam_acct_mgmt failed: %s",
+ pam_strerror(pamh, retval))));
pam_passwd = NULL; /* Unset pam_passwd */
- return STATUS_ERROR;
+ return pam_no_password ? STATUS_EOF : STATUS_ERROR;
}
retval = pam_end(pamh, retval);
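Review bot: Both failure branches can now return STATUS_EOF, and no caller of CheckPAMAuth appears in this diff, so it is worth confirming that the caller treats STATUS_EOF as a silent disconnect and does not fall through to its own failure logging. Separately, in the pam_acct_mgmt branch the flag can only be true if the conversation function ran and hit the no-password case while pam_authenticate still returned PAM_SUCCESS, or if it ran during pam_acct_mgmt itself; a short comment on which situation this check is meant to cover would help. As written, any failure in that branch is silenced whenever the flag is set, whatever `retval` is.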