Re: PAM implementation in PG 9.2.3

From: Amit Langote <amitlangote09(at)gmail(dot)com>
To: Raghavendra <raghavendra(dot)rao(at)enterprisedb(dot)com>
Cc: Postgres General <pgsql-general(at)postgresql(dot)org>
Subject: Re: PAM implementation in PG 9.2.3
Date: 2013-05-08 11:25:53
Message-ID: CA+HiwqEC6wTqMD6DHi8hxmmTKVm5F0vn2AYyRwjdy42GoUpNrg@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Hello Raghavendra,

I think probably psql is a problem here. WIthout -W (force password
before connect) option psql has no way knowing if this user needs a
password to connect to the given database. So, psql first attempts a
connection to the database without a password (if -W is not
specified), which fails since server responds with "password needed"
kind of message back to psql (this is because we have set 'pam' as the
authentication method). This makes psql know that a password is needed
for this user/database combination and it prompts for the password and
subsequently connects successfully if correct password is specified.
But this first unsuccessful attempt is indeed logged by the server as
authentication failure just as what you see. So, this logged failure
is just the kind of dummy connection attempt (indeed withoutn
password) made by the psql.

However, if you specify -W option, psql won't connect before it
accepts password. You can try this (and see that no authentication
failure is logged)

I think log entries just mean the authentication has failed with
PAM-specific error message.

--

Amit Langote

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Seref Arikan 2013-05-08 13:40:49 Does it make sense to break a large query into separate functions?
Previous Message Johann Spies 2013-05-08 11:21:30 Design advice requested