author | Tom Lane <tgl@sss.pgh.pa.us> | 2016-01-07 11:19:33 -0500 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2016-01-07 11:19:33 -0500 |
commit | 5e0b5dcab685fe2a342385450a29a825cf40cddf (patch) | |
tree | 8d33859039f9edeb829f78ffb5413b3ea70e1cdc /src/backend | |
parent | a967613911f7ef7b6387b9e8718f0ab8f0c4d9c8 (diff) | |
Provide more detail in postmaster log for password authentication failures.
We tell people to examine the postmaster log if they're unsure why they are
getting auth failures, but actually only a few relatively-uncommon failure
cases were given their own log detail messages in commit 64e43c59b817a78d.
Expand on that so that every failure case detected within md5_crypt_verify
gets a specific log detail message. This should cover pretty much every
ordinary password auth failure cause.
So far I've not noticed user demand for a similar level of auth detail
for the other auth methods, but sooner or later somebody might want to
work on them. This is not that patch, though.
Diffstat (limited to 'src/backend')
-rw-r--r-- | src/backend/libpq/crypt.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c index 825e6510b49..f3c59e53036 100644 --- a/src/backend/libpq/crypt.c +++ b/src/backend/libpq/crypt.c @@ -50,7 +50,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass, /* Get role info from pg_authid */ roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); if (!HeapTupleIsValid(roleTup)) + { + *logdetail = psprintf(_("Role \"%s\" does not exist."), + role); return STATUS_ERROR; /* no such user */ + } datum = SysCacheGetAttr(AUTHNAME, roleTup, Anum_pg_authid_rolpassword, &isnull); @@ -71,13 +75,20 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass, ReleaseSysCache(roleTup); if (*shadow_pass == '\0') + { + *logdetail = psprintf(_("User \"%s\" has an empty password."), + role); return STATUS_ERROR; /* empty password */ + } CHECK_FOR_INTERRUPTS(); /* * Compare with the encrypted or plain password depending on the - * authentication method being used for this connection. + * authentication method being used for this connection. (We do not + * bother setting logdetail for pg_md5_encrypt failure: the only possible + * error is out-of-memory, which is unlikely, and if it did happen adding + * a psprintf call would only make things worse.) */ switch (port->hba->auth_method) { @@ -154,6 +165,9 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass, else retval = STATUS_OK; } + else + *logdetail = psprintf(_("Password does not match for user \"%s\"."), + role); if (port->hba->auth_method == uaMD5) pfree(crypt_pwd); |
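Review bot: In the first hunk, `role` is formatted into `*logdetail` with a plain `%s` on the path where the pg_authid lookup has just failed, so the string is the name the client supplied and nothing visible here constrains its content. If the logging path does not already neutralise control characters (that code is not part of this diff), such a name could produce misleading entries for anyone reading or parsing the log. A short comment above the `psprintf` would record the assumption, for example `/* role is unvalidated client input here; log consumers must not trust its content */`. The body of md5_crypt_verify starts and ends outside this hunk.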
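Review bot: The detail strings added by this commit name the same principal two ways: `Role \"%s\" does not exist.` in the first hunk, but `User \"%s\" has an empty password.` here and `Password does not match for user \"%s\".` in the last hunk. Log searches and alert rules keyed on these messages are simpler to write and maintain when one term is used throughout. If the split is deliberate, perhaps to match older messages in this function that the hunks do not show, a one-line comment saying so would prevent a later "cleanup" from changing strings that monitoring depends on.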
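Review bot: With the `else` branch added in the last hunk, the log detail now separates a wrong password from a nonexistent role (first hunk) and an empty password (second hunk), which helps operators but would let a client tell valid account names from invalid ones if the text ever reached it. The code that consumes `*logdetail` is outside this diff, so the new messages rely on the caller keeping it server-side. The function's header comment should state that contract, for example `/* *logdetail is for the postmaster log only and must never be included in the error sent to the client */`. The body of md5_crypt_verify extends beyond this hunk.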