From: | Amit Langote <amitlangote09(at)gmail(dot)com> |
---|---|
To: | Kyotaro HORIGUCHI <horiguchi(dot)kyotaro(at)lab(dot)ntt(dot)co(dot)jp> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Logging of PAM Authentication Failure |
Date: | 2013-05-13 11:28:26 |
Message-ID: | CA+HiwqG5QQgJ8WtV78FjuiGog8DjKd=dhFVT92d=-+54PTReKw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
> This code seems to me expecting for psql to send password without
> closing current connnection.On the other hand psql does as
> follows.
>
> bin/psql/startup.c: 227
>> pset.db = PQconnectdbParams(keywords, values, true);
>> free(keywords);
>> free(values);
>>
>> if (PQstatus(pset.db) == CONNECTION_BAD &&
>> PQconnectionNeedsPassword(pset.db) &&
>> password == NULL &&
>> pset.getPassword != TRI_NO)
>> {
>> PQfinish(pset.db);
>> password = simple_prompt(password_prompt, 100, false);
>> new_pass = true;
>> }
>
> psql at once disconnects the current connection and reconnects
> with this new password, so pam_conv_err is observed in server.
>
> It seems to be a kind of protocol-mimatching. Client should'nt
> disconnect for password request or server should fit to what psql
> does. Is this wrong?
In fact, this is the behavior with all the authentication methods that
require a password. But, it is only in the case of PAM authentication
that auth_failed() logs error when first connection attempt is made
(without password), since the STATUS_EOF is not passed to it in that
case.
If we did not drop the connection (unlike what we do now) and
re-attempted connection with the password added to conn, would the
backend's authentication state still be waiting for the password? Can
we do away without having to create a second connection?
--
Amit Langote
From | Date | Subject | |
---|---|---|---|
Next Message | Mark Salter | 2013-05-13 12:39:18 | lock support for aarch64 |
Previous Message | Amit Kapila | 2013-05-13 09:41:34 | Re: Fast promotion failure |