> In fact, this is the behavior with all the authentication methods that
> require a password. But, it is only in the case of PAM authentication
> that auth_failed() logs an error when the first connection attempt is made
> (without password), since the STATUS_EOF is not passed to it in that
> case.
Well, if we are allowed to use a bit of an ugly way, the attached patch
seems to cope with this issue. As far as I can see there's no
problem since pg_fe_sendauth() refuses to send an empty password.
Any suggestions?
> If we did not drop the connection (unlike what we do now) and
> re-attempted connection with the password added to conn, would the
> backend's authentication state still be waiting for the password? Can
> we do away without having to create a second connection?
Sorry, I read that part incorrectly. I had understood the code
after sendAuthRequest in pam_passwd_conv_proc but it is used
indeed.
regards,
--
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 3a041d9..304df03 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1816,6 +1816,7 @@ auth_peer(hbaPort *port) * PAM conversation function */
+static int pam_auth_eof = false;static intpam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
struct pam_response ** resp, void *appdata_ptr)
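Review bot: pam_auth_eof is declared as static int but this patch only ever assigns it false and true, so it should be declared static bool. A one-line comment on the declaration, saying that it records the client closing the connection instead of answering the password request, would also help, since the variable is file-scope state shared between pam_passwd_conv_proc() and CheckPAMAuth().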
@@ -1824,6 +1825,8 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg, struct pam_response *reply;
int i;
+ pam_auth_eof = false;
+ if (appdata_ptr) passwd = (char *) appdata_ptr; else
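Review bot: Resetting pam_auth_eof at the top of pam_passwd_conv_proc() means that a later invocation of the conversation function within the same pam_authenticate() call would clear an EOF recorded by an earlier invocation, and the flag is not reset at all if the function is never invoked. Moving the reset into CheckPAMAuth(), immediately before pam_authenticate(pamh, 0), would tie the flag's lifetime to the call whose result it qualifies.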
@@ -1872,6 +1875,7 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg, *
Clientdidn't want to send password. We * intentionally do not log anything about this.
*/
+ pam_auth_eof = true; goto fail; }
if(strlen(passwd) == 0)
@@ -1986,6 +1990,16 @@ CheckPAMAuth(Port *port, char *user, char *password) retval = pam_authenticate(pamh, 0);
+ /*
+ * pam_auth_eof is true when the client disconnected for password request
+ * in pam_passw_conv().
+ */
+ if (pam_auth_eof)
+ {
+ pam_passwd = NULL; /* Unset pam_passwd */
+ return STATUS_EOF;
+ }
+ if (retval != PAM_SUCCESS) { ereport(LOG,
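Review bot: The new comment refers to pam_passw_conv(), but the function that sets the flag is pam_passwd_conv_proc(); "disconnected for password request" would also read more clearly as "closed the connection instead of sending a password". Separately, the early return STATUS_EOF leaves CheckPAMAuth() directly after pam_authenticate(pamh, 0) with pamh still open, so it is worth confirming that this matches how the other failure returns in this function treat the handle.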