Re: PAM implementation in PG 9.2.3

On Wed, May 8, 2013 at 4:55 PM, Amit Langote <amitlangote09(at)gmail(dot)com>wrote:

> Hello Raghavendra,
>
> I think probably psql is a problem here. WIthout -W (force password
> before connect) option psql has no way knowing if this user needs a
> password to connect to the given database. So, psql first attempts a
> connection to the database without a password (if -W is not
> specified), which fails since server responds with "password needed"
> kind of message back to psql (this is because we have set 'pam' as the
> authentication method). This makes psql know that a password is needed
> for this user/database combination and it prompts for the password and
> subsequently connects successfully if correct password is specified.
> But this first unsuccessful attempt is indeed logged by the server as
> authentication failure just as what you see. So, this logged failure
> is just the kind of dummy connection attempt (indeed withoutn
> password) made by the psql.
>
>
Firstly, Thank you for your insight explanation.

> However, if you specify -W option, psql won't connect before it
> accepts password. You can try this (and see that no authentication
> failure is logged)
>

Affirmative, I have tried with -W option and it worked as expected and
authentication passed as per PAM setup.

However, PG documentation doesn't highlight about this in psql or PAM
section, because log entries written are slightly confusing.
http://www.postgresql.org/docs/9.2/static/auth-methods.html
http://www.postgresql.org/docs/9.2/static/app-psql.html

I think log entries just mean the authentication has failed with
> PAM-specific error message.
>
> Yep... understood.

---
Regards,
Raghavendra
Blog: http://raghavt.blogspot.com/

> --
>
> Amit Langote
>