
Commit 762b256

committed
Avoid logging complaints about abandoned connections when using PAM.
For a long time (since commit aed378e) we have had a policy to log nothing about a connection if the client disconnects when challenged for a password. This is because libpq-using clients will typically do that, and then come back for a new connection attempt once they've collected a password from their user, so that logging the abandoned connection attempt will just result in log spam. However, this did not work well for PAM authentication: the bottom-level function pam_passwd_conv_proc() was on board with it, but we logged messages at higher levels anyway, for lack of any reporting mechanism. Add a flag and tweak the logic so that the case is silent, as it is for other password-using auth mechanisms. Per complaint from Yoann La Cancellera. It's been like this for awhile, so back-patch to all supported branches. Discussion: https://postgr.es/m/CACP=ajbrFFYUrLyJBLV8=q+eNCapa1xDEyvXhMoYrNphs-xqPw@mail.gmail.com
1 parent 9fb25fd commit 762b256


1 file changed

+17
-9
lines changed

1 file changed

+17
-9
lines changed

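--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -88,6 +88,7 @@ static struct pam_conv pam_passw_conv = {
 static char *pam_passwd = NULL; /* Workaround for Solaris 2.6 brokenness */
 static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
 * pam_passwd_conv_proc */
+static bool pam_no_password; /* For detecting no-password-given */
 #endif /* USE_PAM */
 
 
@@ -1704,8 +1705,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
 {
 /*
 * Client didn't want to send password. We
-* intentionally do not log anything about this.
+* intentionally do not log anything about this,
+* either here or at higher levels.
 */
+pam_no_password = true;
 goto fail;
 }
 }
@@ -1764,6 +1767,7 @@ CheckPAMAuth(Port *port, char *user, char *password)
 */
 pam_passwd = password;
 pam_port_cludge = port;
+pam_no_password = false;
 
 /*
 * Set the application data portion of the conversation struct. This is
@@ -1816,22 +1820,26 @@ CheckPAMAuth(Port *port, char *user, char *password)
 
 if (retval != PAM_SUCCESS)
 {
-ereport(LOG,
-(errmsg("pam_authenticate failed: %s",
-pam_strerror(pamh, retval))));
+/* If pam_passwd_conv_proc saw EOF, don't log anything */
+if (!pam_no_password)
+ereport(LOG,
+(errmsg("pam_authenticate failed: %s",
+pam_strerror(pamh, retval))));
 pam_passwd = NULL; /* Unset pam_passwd */
-return STATUS_ERROR;
+return pam_no_password ? STATUS_EOF : STATUS_ERROR;
 }
 
 retval = pam_acct_mgmt(pamh, 0);
 
 if (retval != PAM_SUCCESS)
 {
-ereport(LOG,
-(errmsg("pam_acct_mgmt failed: %s",
-pam_strerror(pamh, retval))));
+/* If pam_passwd_conv_proc saw EOF, don't log anything */
+if (!pam_no_password)
+ereport(LOG,
+(errmsg("pam_acct_mgmt failed: %s",
+pam_strerror(pamh, retval))));
 pam_passwd = NULL; /* Unset pam_passwd */
-return STATUS_ERROR;
+return pam_no_password ? STATUS_EOF : STATUS_ERROR;
 }
 
 retval = pam_end(pamh, retval);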
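Review bot: The `pam_acct_mgmt` failure branch in the last hunk trusts `pam_no_password` as left behind by the earlier `pam_authenticate` call, so if a PAM stack lets authentication succeed after the conversation callback saw EOF (for example, a password module that is not required), a genuine account-management failure would be dropped from the log and reported as `STATUS_EOF`. Clearing the flag once authentication has succeeded, with `pam_no_password = false;` just before `retval = pam_acct_mgmt(pamh, 0);`, would limit the silent path to an EOF seen during the call that actually failed. It would still stay silent if the callback hits EOF during `pam_acct_mgmt` itself. Whether such a stack is reachable depends on site PAM configuration, which the page does not show, but the extra line keeps the audit record for expired or locked accounts. `CheckPAMAuth` starts before and continues past the lines shown here.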
