Re: Logging of PAM Authentication Failure

From: Amit Langote <amitlangote09(at)gmail(dot)com>
To: Craig Ringer <craig(at)2ndquadrant(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Logging of PAM Authentication Failure
Date: 2013-05-28 08:06:17
Message-ID: CA+HiwqHRP8FN5cUS8UEo0rUMFRkv7k3jzaPo6esHXF7RVmT+Aw@mail.gmail.com
Lists: pgsql-hackers

On Tue, May 28, 2013 at 5:04 PM, Amit Langote <amitlangote09(at)gmail(dot)com> wrote:
> On Tue, May 28, 2013 at 2:32 PM, Craig Ringer <craig(at)2ndquadrant(dot)com> wrote:
>> On 05/11/2013 03:25 AM, Robert Haas wrote:
>>> Not really. We could potentially fix it by extending the wire
>>> protocol to allow the server to respond to the client's startup packet
>>> with a further challenge, and extend libpq to report that challenge
>>> back to the user and allow sending a response. But that would break
>>> on-the-wire compatibility, which we haven't done in a good 10 years,
>>> and certainly wouldn't be worthwhile just for this.
>> We were just talking about "things we'd like to do in wire protocol 4".
>>
>> Allowing multi-stage authentication has come up repeatedly and should
>> perhaps go on that list. The most obvious case being "ident auth failed,
>> demand md5".
>>
>
> I wonder what you think about continuing to use the already
> established connection to the server while you move on to perform
> authentication using the next method in the list. Earlier in this thread,
> I had proposed to make changes to PGconnectPoll() to introduce an
> additional connection state which is kind of an intermediate state in
> the authentication sequence. For example, the server might ask for a
> password (md5, password methods) and the client might want to send the
> password over the existing connection by leveraging this new
> connection state. This is unlike what we do, for example, in psql,
> where we drop the connection (upon CONNECTION_BAD due to password
> required), get password using a prompt and then create a new
> connection with password included in the request.
>
> --
> Amit Langote

Sorry, *PQconnectPoll()

--
Amit Langote
