Commit 0238a50

committed
Avoid logging complaints about abandoned connections when using PAM.
For a long time (since commit aed378e) we have had a policy to log nothing about a connection if the client disconnects when challenged for a password. This is because libpq-using clients will typically do that, and then come back for a new connection attempt once they've collected a password from their user, so that logging the abandoned connection attempt will just result in log spam. However, this did not work well for PAM authentication: the bottom-level function pam_passwd_conv_proc() was on board with it, but we logged messages at higher levels anyway, for lack of any reporting mechanism. Add a flag and tweak the logic so that the case is silent, as it is for other password-using auth mechanisms. Per complaint from Yoann La Cancellera. It's been like this for awhile, so back-patch to all supported branches. Discussion: https://postgr.es/m/CACP=ajbrFFYUrLyJBLV8=q+eNCapa1xDEyvXhMoYrNphs-xqPw@mail.gmail.com
1 parent 5ee8f0f commit 0238a50

1 file changed

+17
-9
lines changed

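--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -103,6 +103,7 @@ static struct pam_conv pam_passw_conv = {
 static char *pam_passwd = NULL; /* Workaround for Solaris 2.6 brokenness */
 static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
 * pam_passwd_conv_proc */
+static bool pam_no_password; /* For detecting no-password-given */
 #endif /* USE_PAM */
 
 
@@ -2106,8 +2107,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,
 {
 /*
 * Client didn't want to send password. We
-* intentionally do not log anything about this.
+* intentionally do not log anything about this,
+* either here or at higher levels.
 */
+pam_no_password = true;
 goto fail;
 }
 }
@@ -2166,6 +2169,7 @@ CheckPAMAuth(Port *port, char *user, char *password)
 */
 pam_passwd = password;
 pam_port_cludge = port;
+pam_no_password = false;
 
 /*
 * Set the application data portion of the conversation struct. This is
@@ -2251,22 +2255,26 @@ CheckPAMAuth(Port *port, char *user, char *password)
 
 if (retval != PAM_SUCCESS)
 {
-ereport(LOG,
-(errmsg("pam_authenticate failed: %s",
-pam_strerror(pamh, retval))));
+/* If pam_passwd_conv_proc saw EOF, don't log anything */
+if (!pam_no_password)
+ereport(LOG,
+(errmsg("pam_authenticate failed: %s",
+pam_strerror(pamh, retval))));
 pam_passwd = NULL; /* Unset pam_passwd */
-return STATUS_ERROR;
+return pam_no_password ? STATUS_EOF : STATUS_ERROR;
 }
 
 retval = pam_acct_mgmt(pamh, 0);
 
 if (retval != PAM_SUCCESS)
 {
-ereport(LOG,
-(errmsg("pam_acct_mgmt failed: %s",
-pam_strerror(pamh, retval))));
+/* If pam_passwd_conv_proc saw EOF, don't log anything */
+if (!pam_no_password)
+ereport(LOG,
+(errmsg("pam_acct_mgmt failed: %s",
+pam_strerror(pamh, retval))));
 pam_passwd = NULL; /* Unset pam_passwd */
-return STATUS_ERROR;
+return pam_no_password ? STATUS_EOF : STATUS_ERROR;
 }
 
 retval = pam_end(pamh, retval);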
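Review bot: In the pam_acct_mgmt failure branch the log message is suppressed on the same pam_no_password flag, yet that branch is only reached after pam_authenticate returned PAM_SUCCESS, and nothing visible clears the flag between the two calls. If a PAM stack can succeed even though pam_passwd_conv_proc took the no-password path (this depends on the PAM configuration and is not shown here), an account-management denial would leave no log entry and be returned as STATUS_EOF, which thins the audit trail for rejected logins. Either log unconditionally in that branch, or reset the flag with `pam_no_password = false;` just before `retval = pam_acct_mgmt(pamh, 0);` so that only a no-password event during account management itself silences the message; if the stale value is intended, a comment saying why would justify the check. CheckPAMAuth starts and ends outside these hunks.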
