authorTom Lane2016-01-07 16:19:33 +0000
committerTom Lane2016-01-07 16:19:33 +0000
commit5e0b5dcab685fe2a342385450a29a825cf40cddf (patch)
tree8d33859039f9edeb829f78ffb5413b3ea70e1cdc
parenta967613911f7ef7b6387b9e8718f0ab8f0c4d9c8 (diff)
Provide more detail in postmaster log for password authentication failures.
We tell people to examine the postmaster log if they're unsure why they are getting auth failures, but actually only a few relatively-uncommon failure cases were given their own log detail messages in commit 64e43c59b817a78d. Expand on that so that every failure case detected within md5_crypt_verify gets a specific log detail message. This should cover pretty much every ordinary password auth failure cause. So far I've not noticed user demand for a similar level of auth detail for the other auth methods, but sooner or later somebody might want to work on them. This is not that patch, though.
-rw-r--r--src/backend/libpq/crypt.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 825e6510b4..f3c59e5303 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -50,7 +50,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
/* Get role info from pg_authid */
roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
if (!HeapTupleIsValid(roleTup))
+ {
+ *logdetail = psprintf(_("Role \"%s\" does not exist."),
+ role);
return STATUS_ERROR; /* no such user */
+ }
datum = SysCacheGetAttr(AUTHNAME, roleTup,
Anum_pg_authid_rolpassword, &isnull);
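Review bot: The new no-such-role branch at the top of this hunk should carry a comment saying that `*logdetail` is for the server log only, for example `/* logdetail goes to the postmaster log only; never send it to the client */`. The detail separates a missing role from a wrong password, so echoing it back would let a client tell which role names exist. The hunk does not show how the caller consumes `logdetail`, so this is presumably already the contract, but it is worth recording where the distinction is created. In this branch `role` is a client-supplied string that matched nothing in pg_authid, so anything parsing the log should treat the quoted name as untrusted text. md5_crypt_verify starts and ends outside the hunk.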
@@ -71,13 +75,20 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
ReleaseSysCache(roleTup);
if (*shadow_pass == '\0')
+ {
+ *logdetail = psprintf(_("User \"%s\" has an empty password."),
+ role);
return STATUS_ERROR; /* empty password */
+ }
CHECK_FOR_INTERRUPTS();
/*
* Compare with the encrypted or plain password depending on the
- * authentication method being used for this connection.
+ * authentication method being used for this connection. (We do not
+ * bother setting logdetail for pg_md5_encrypt failure: the only possible
+ * error is out-of-memory, which is unlikely, and if it did happen adding
+ * a psprintf call would only make things worse.)
*/
switch (port->hba->auth_method)
{
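Review bot: The detail string added here reads `User \"%s\" has an empty password.`, while the first hunk uses `Role \"%s\" does not exist.` and the third hunk uses `user` again, although all three interpolate the same `role` argument. Settling on one noun, e.g. `Role \"%s\" has an empty password.` and `Password does not match for role \"%s\".`, would let a single pattern match every authentication-failure detail when searching or alerting on the log. The function body continues outside the hunk.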
@@ -154,6 +165,9 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
else
retval = STATUS_OK;
}
+ else
+ *logdetail = psprintf(_("Password does not match for user \"%s\"."),
+ role);
if (port->hba->auth_method == uaMD5)
pfree(crypt_pwd);
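Review bot: The added `else` holds a statement that wraps across two lines with no braces, right after a braced block and right before the unrelated `if (port->hba->auth_method == uaMD5)`. Writing it as `else { *logdetail = psprintf(...); }` keeps a later edit from detaching the assignment or pulling the pfree check into the branch. The message rightly contains only the role name; a short comment such as `/* never include client_pass or crypt_pwd in logdetail */` would help keep password material out of the log in future changes. The `if` this `else` pairs with is outside the hunk.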