mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-09-28 08:11:50 +02:00
Fix authentication so that it doesn't record an extra 'Password
authentication failed' and a 'send() failed: Broken pipe' message on every connection from psql in password auth mode. Problem is that psql doesn't ask user for a password until it sees a password challenge failure, and libpq just closes the connection unceremoniously if it's challenged for a password when it hasn't got one to send. Accordingly, EOF from the client after asking for a password is normal behavior and should not result in postmaster log entries.
This commit is contained in:
parent
13e467f74f
commit
aed378e8d1
@ -8,7 +8,7 @@
|
|||||||
*
|
*
|
||||||
*
|
*
|
||||||
* IDENTIFICATION
|
* IDENTIFICATION
|
||||||
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.68 2001/09/26 19:54:12 momjian Exp $
|
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.69 2001/10/18 22:44:37 tgl Exp $
|
||||||
*
|
*
|
||||||
*-------------------------------------------------------------------------
|
*-------------------------------------------------------------------------
|
||||||
*/
|
*/
|
||||||
@ -37,7 +37,7 @@ static void sendAuthRequest(Port *port, AuthRequest areq);
|
|||||||
static int checkPassword(Port *port, char *user, char *password);
|
static int checkPassword(Port *port, char *user, char *password);
|
||||||
static int old_be_recvauth(Port *port);
|
static int old_be_recvauth(Port *port);
|
||||||
static int map_old_to_new(Port *port, UserAuth old, int status);
|
static int map_old_to_new(Port *port, UserAuth old, int status);
|
||||||
static void auth_failed(Port *port);
|
static void auth_failed(Port *port, int status);
|
||||||
static int recv_and_check_password_packet(Port *port);
|
static int recv_and_check_password_packet(Port *port);
|
||||||
static int recv_and_check_passwordv0(Port *port);
|
static int recv_and_check_passwordv0(Port *port);
|
||||||
|
|
||||||
@ -341,17 +341,23 @@ recv_and_check_passwordv0(Port *port)
|
|||||||
*password,
|
*password,
|
||||||
*cp,
|
*cp,
|
||||||
*start;
|
*start;
|
||||||
|
int status;
|
||||||
|
|
||||||
pq_getint(&len, 4);
|
if (pq_getint(&len, 4) == EOF)
|
||||||
|
return STATUS_EOF;
|
||||||
len -= 4;
|
len -= 4;
|
||||||
buf = palloc(len);
|
buf = palloc(len);
|
||||||
pq_getbytes(buf, len);
|
if (pq_getbytes(buf, len) == EOF)
|
||||||
|
{
|
||||||
|
pfree(buf);
|
||||||
|
return STATUS_EOF;
|
||||||
|
}
|
||||||
|
|
||||||
pp = (PasswordPacketV0 *) buf;
|
pp = (PasswordPacketV0 *) buf;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The packet is supposed to comprise the user name and the password
|
* The packet is supposed to comprise the user name and the password
|
||||||
* as C strings. Be careful the check that this is the case.
|
* as C strings. Be careful to check that this is the case.
|
||||||
*/
|
*/
|
||||||
user = password = NULL;
|
user = password = NULL;
|
||||||
|
|
||||||
@ -379,13 +385,10 @@ recv_and_check_passwordv0(Port *port)
|
|||||||
"pg_password_recvauth: badly formed password packet.\n");
|
"pg_password_recvauth: badly formed password packet.\n");
|
||||||
fputs(PQerrormsg, stderr);
|
fputs(PQerrormsg, stderr);
|
||||||
pqdebug("%s", PQerrormsg);
|
pqdebug("%s", PQerrormsg);
|
||||||
|
status = STATUS_ERROR;
|
||||||
pfree(buf);
|
|
||||||
auth_failed(port);
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
int status;
|
|
||||||
UserAuth saved;
|
UserAuth saved;
|
||||||
|
|
||||||
/* Check the password. */
|
/* Check the password. */
|
||||||
@ -395,15 +398,16 @@ recv_and_check_passwordv0(Port *port)
|
|||||||
|
|
||||||
status = checkPassword(port, user, password);
|
status = checkPassword(port, user, password);
|
||||||
|
|
||||||
pfree(buf);
|
|
||||||
port->auth_method = saved;
|
port->auth_method = saved;
|
||||||
|
|
||||||
/* Adjust the result if necessary. */
|
/* Adjust the result if necessary. */
|
||||||
if (map_old_to_new(port, uaPassword, status) != STATUS_OK)
|
if (map_old_to_new(port, uaPassword, status) != STATUS_OK)
|
||||||
auth_failed(port);
|
status = STATUS_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
return STATUS_OK;
|
pfree(buf);
|
||||||
|
|
||||||
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -420,10 +424,23 @@ recv_and_check_passwordv0(Port *port)
|
|||||||
* postmaster log, which we hope is only readable by good guys.
|
* postmaster log, which we hope is only readable by good guys.
|
||||||
*/
|
*/
|
||||||
static void
|
static void
|
||||||
auth_failed(Port *port)
|
auth_failed(Port *port, int status)
|
||||||
{
|
{
|
||||||
const char *authmethod = "Unknown auth method:";
|
const char *authmethod = "Unknown auth method:";
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If we failed due to EOF from client, just quit; there's no point
|
||||||
|
* in trying to send a message to the client, and not much point in
|
||||||
|
* logging the failure in the postmaster log. (Logging the failure
|
||||||
|
* might be desirable, were it not for the fact that libpq closes the
|
||||||
|
* connection unceremoniously if challenged for a password when it
|
||||||
|
* hasn't got one to send. We'll get a useless log entry for
|
||||||
|
* every psql connection under password auth, even if it's perfectly
|
||||||
|
* successful, if we log STATUS_EOF events.)
|
||||||
|
*/
|
||||||
|
if (status == STATUS_EOF)
|
||||||
|
proc_exit(0);
|
||||||
|
|
||||||
switch (port->auth_method)
|
switch (port->auth_method)
|
||||||
{
|
{
|
||||||
case uaReject:
|
case uaReject:
|
||||||
@ -455,6 +472,7 @@ auth_failed(Port *port)
|
|||||||
|
|
||||||
elog(FATAL, "%s authentication failed for user \"%s\"",
|
elog(FATAL, "%s authentication failed for user \"%s\"",
|
||||||
authmethod, port->user);
|
authmethod, port->user);
|
||||||
|
/* doesn't return */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -477,10 +495,11 @@ ClientAuthentication(Port *port)
|
|||||||
elog(FATAL, "Missing or erroneous pg_hba.conf file, see postmaster log for details");
|
elog(FATAL, "Missing or erroneous pg_hba.conf file, see postmaster log for details");
|
||||||
|
|
||||||
/* Handle old style authentication. */
|
/* Handle old style authentication. */
|
||||||
else if (PG_PROTOCOL_MAJOR(port->proto) == 0)
|
if (PG_PROTOCOL_MAJOR(port->proto) == 0)
|
||||||
{
|
{
|
||||||
if (old_be_recvauth(port) != STATUS_OK)
|
status = old_be_recvauth(port);
|
||||||
auth_failed(port);
|
if (status != STATUS_OK)
|
||||||
|
auth_failed(port, status);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -505,9 +524,8 @@ ClientAuthentication(Port *port)
|
|||||||
elog(FATAL,
|
elog(FATAL,
|
||||||
"No pg_hba.conf entry for host %s, user %s, database %s",
|
"No pg_hba.conf entry for host %s, user %s, database %s",
|
||||||
hostinfo, port->user, port->database);
|
hostinfo, port->user, port->database);
|
||||||
return;
|
|
||||||
}
|
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
case uaKrb4:
|
case uaKrb4:
|
||||||
sendAuthRequest(port, AUTH_REQ_KRB4);
|
sendAuthRequest(port, AUTH_REQ_KRB4);
|
||||||
@ -533,11 +551,8 @@ ClientAuthentication(Port *port)
|
|||||||
{
|
{
|
||||||
int on = 1;
|
int on = 1;
|
||||||
if (setsockopt(port->sock, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
|
if (setsockopt(port->sock, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
|
||||||
{
|
|
||||||
elog(FATAL,
|
elog(FATAL,
|
||||||
"pg_local_sendauth: can't do setsockopt: %s\n", strerror(errno));
|
"pg_local_sendauth: can't do setsockopt: %s\n", strerror(errno));
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
if (port->raddr.sa.sa_family == AF_UNIX)
|
if (port->raddr.sa.sa_family == AF_UNIX)
|
||||||
@ -560,6 +575,7 @@ ClientAuthentication(Port *port)
|
|||||||
sendAuthRequest(port, AUTH_REQ_PASSWORD);
|
sendAuthRequest(port, AUTH_REQ_PASSWORD);
|
||||||
status = recv_and_check_password_packet(port);
|
status = recv_and_check_password_packet(port);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
case uaPAM:
|
case uaPAM:
|
||||||
pam_port_cludge = port;
|
pam_port_cludge = port;
|
||||||
@ -575,7 +591,7 @@ ClientAuthentication(Port *port)
|
|||||||
if (status == STATUS_OK)
|
if (status == STATUS_OK)
|
||||||
sendAuthRequest(port, AUTH_REQ_OK);
|
sendAuthRequest(port, AUTH_REQ_OK);
|
||||||
else
|
else
|
||||||
auth_failed(port);
|
auth_failed(port, status);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -654,7 +670,7 @@ pam_passwd_conv_proc (int num_msg, const struct pam_message **msg, struct pam_re
|
|||||||
|
|
||||||
initStringInfo(&buf);
|
initStringInfo(&buf);
|
||||||
pq_getstr(&buf);
|
pq_getstr(&buf);
|
||||||
if (DebugLvl)
|
if (DebugLvl > 5)
|
||||||
fprintf(stderr, "received PAM packet with len=%d, pw=%s\n",
|
fprintf(stderr, "received PAM packet with len=%d, pw=%s\n",
|
||||||
len, buf.data);
|
len, buf.data);
|
||||||
|
|
||||||
@ -786,10 +802,9 @@ CheckPAMAuth(Port *port, char *user, char *password)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#endif /* USE_PAM */
|
#endif /* USE_PAM */
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Called when we have received the password packet.
|
* Called when we have received the password packet.
|
||||||
*/
|
*/
|
||||||
@ -801,11 +816,16 @@ recv_and_check_password_packet(Port *port)
|
|||||||
int result;
|
int result;
|
||||||
|
|
||||||
if (pq_eof() == EOF || pq_getint(&len, 4) == EOF)
|
if (pq_eof() == EOF || pq_getint(&len, 4) == EOF)
|
||||||
return STATUS_ERROR; /* client didn't want to send password */
|
return STATUS_EOF; /* client didn't want to send password */
|
||||||
initStringInfo(&buf);
|
|
||||||
pq_getstr(&buf); /* receive password */
|
|
||||||
|
|
||||||
if (DebugLvl)
|
initStringInfo(&buf);
|
||||||
|
if (pq_getstr(&buf) == EOF) /* receive password */
|
||||||
|
{
|
||||||
|
pfree(buf.data);
|
||||||
|
return STATUS_EOF;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (DebugLvl > 5) /* this is probably a BAD idea... */
|
||||||
fprintf(stderr, "received password packet with len=%d, pw=%s\n",
|
fprintf(stderr, "received password packet with len=%d, pw=%s\n",
|
||||||
len, buf.data);
|
len, buf.data);
|
||||||
|
|
||||||
@ -861,7 +881,7 @@ old_be_recvauth(Port *port)
|
|||||||
default:
|
default:
|
||||||
fprintf(stderr, "Invalid startup message type: %u\n", msgtype);
|
fprintf(stderr, "Invalid startup message type: %u\n", msgtype);
|
||||||
|
|
||||||
return STATUS_OK;
|
return STATUS_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
@ -914,4 +934,3 @@ map_old_to_new(Port *port, UserAuth old, int status)
|
|||||||
|
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user