From: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
---|---|
To: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | DETAIL for wrong scram password |
Date: | 2021-02-27 22:02:23 |
Message-ID: | CAMkU=1y6rO9bKZkrNp1v==jn5H7mCKyemgJ6B+TL8nEABJsZsA@mail.gmail.com |
Lists: | pgsql-hackers |

When md5 password authentication fails, the server log file has a helpful
detail to say why, usually one of:

    DETAIL: Role "none" does not exist.
    DETAIL: User "jjanes" has no password assigned.
    DETAIL: User "jjanes" has an expired password.
    DETAIL: Password does not match for user "jjanes".

But for scram authentication, only the first three of these will be
reported when applicable. If the password is simply incorrect, then you do
get a DETAIL line reporting which line of pg_hba was used, but you don't
get a DETAIL line reporting the reason for the failure. It is pretty
unfriendly to make the admin guess what the absence of a DETAIL is supposed
to mean. And as far as I can tell, this is not intentional.

Note that in one case you do get the "does not match" line. That is if the
user has a scram password assigned and the hba specifies plain-text
'password' as the method. So if the absence of the DETAIL is intentional,
it is not internally consistent.

The attached patch fixes the issue. I don't know if this is the correct
location to be installing the message, maybe verify_client_proof should be
doing it instead. I am also not happy to be testing 'doomed' here, but it
was already checked a few lines up so I didn't want to go to lengths to
avoid doing it here too.

Cheers,

Jeff

Attachment | Content-Type | Size |
---|---|---|
scram_password_mismatch.patch | application/octet-stream | 729 bytes |
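
The logging gap described in the message above, seen from the log reader's side, as an added example that is not part of the original post or of PostgreSQL: a small triage function that pairs each failed login with the reason DETAIL quoted in the message and marks failures that carry no reason. The log prefix, the wording of the FATAL line, the pg_hba.conf line contents and the `unexplained` label are assumptions, and the sample log is constructed.

```python
import re

# Reason DETAIL texts exactly as quoted in the message above.
REASONS = [
    ("role_missing", re.compile(r'Role "[^"]*" does not exist\.')),
    ("no_password", re.compile(r'User "[^"]*" has no password assigned\.')),
    ("expired", re.compile(r'User "[^"]*" has an expired password\.')),
    ("mismatch", re.compile(r'Password does not match for user "[^"]*"\.')),
]
# Assumed wording of the failure line; adjust to your server's log format.
FAILURE = re.compile(r'FATAL:\s+password authentication failed for user "([^"]*)"')
# Any other severity tag starts a new log entry and closes the current failure.
NEW_ENTRY = re.compile(r'\b(LOG|FATAL|ERROR|WARNING|PANIC|HINT|CONTEXT|STATEMENT):')

def classify_failures(lines):
    """Return [(user, reason)] per failed login. Reason is 'unexplained' when
    no reason DETAIL follows, as in the SCRAM wrong-password case described."""
    results, current = [], None
    for line in lines:
        m = FAILURE.search(line)
        if m:                                  # a new failure begins
            if current:
                results.append(tuple(current))
            current = [m.group(1), "unexplained"]
        elif current and NEW_ENTRY.search(line):
            results.append(tuple(current))     # unrelated entry: close failure
            current = None
        elif current:                          # DETAIL or continuation line
            for name, pattern in REASONS:
                if pattern.search(line):
                    current[1] = name
                    break
    if current:
        results.append(tuple(current))
    return results

# Constructed sample log; assumes DETAIL lines directly follow their FATAL line.
SAMPLE_LOG = [
    '2021-02-27 17:00:01 EST [101] FATAL:  password authentication failed for user "jjanes"',
    '2021-02-27 17:00:01 EST [101] DETAIL:  Password does not match for user "jjanes".',
    '\tConnection matched pg_hba.conf line 95: "host all all 127.0.0.1/32 md5"',
    '2021-02-27 17:00:05 EST [102] FATAL:  password authentication failed for user "jjanes"',
    '2021-02-27 17:00:05 EST [102] DETAIL:  Connection matched pg_hba.conf line 96: "host all all ::1/128 scram-sha-256"',
    '2021-02-27 17:00:09 EST [103] FATAL:  password authentication failed for user "none"',
    '2021-02-27 17:00:09 EST [103] DETAIL:  Role "none" does not exist.',
    '2021-02-27 17:00:12 EST [104] LOG:  connection received: host=127.0.0.1 port=5000',
]

if __name__ == "__main__":
    for user, reason in classify_failures(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

A failure reported as `unexplained` is the case an administrator would otherwise have to infer from the missing DETAIL line.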