Re: rolcanlogin vs. the flat password file

From Michael Paesold
Subject Re: rolcanlogin vs. the flat password file
Date
Msg-id 47130639.9000600@gmx.at
In reply to Re: rolcanlogin vs. the flat password file  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tom Lane wrote:
> With the attached patch to not drop nologin roles from the flat password
> file, it acts more sanely:
> 
> postgres=# create user foo nologin;
> CREATE ROLE
> postgres=# \c - foo
> Password for user "foo": 
> FATAL:  password authentication failed for user "foo"
> Previous connection kept
> postgres=# alter user foo password 'foo';
> ALTER ROLE
> postgres=# \c - foo
> Password for user "foo": << correct password entered here
> FATAL:  role "foo" is not permitted to log in
> Previous connection kept
> 
> Should we just do this, or is it worth working harder?

IMHO this is exactly what we want. It does only offer more information when 
you already got authentication right and therefore doesn't open an 
information leak.

Not sure about the warning when creating a role with a password but 
nologin. Could be useful.

Best Regards
Michael Paesold
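
The check ordering discussed in this message, as an added example that is not part of the original post and is not PostgreSQL's code: the password is verified first, and the "not permitted to log in" result is returned only to a caller who already supplied the correct password. The role table, `authenticate` and `same_secret` are hypothetical names, and the sample roles are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample data standing in for the flat password file (hypothetical). */
struct role { const char *name; const char *password; bool canlogin; };
static const struct role roles[] = {
    { "alice", "s3cret", true  },
    { "foo",   "foo",    false },  /* NOLOGIN role with a password, kept in the table */
    { "bar",   NULL,     false },  /* NOLOGIN role with no password set */
};
enum auth_result { AUTH_OK, AUTH_FAILED, AUTH_NOLOGIN };

/* Compare without an early exit so timing does not reveal the matching prefix. */
static bool same_secret(const char *given, const char *stored)
{
    size_t lg = strlen(given), ls = strlen(stored);
    unsigned char diff = (unsigned char)(lg != ls);
    for (size_t i = 0; i < lg; i++)
        diff |= (unsigned char)(given[i] ^ stored[ls ? i % ls : 0]);
    return diff == 0;
}

enum auth_result authenticate(const char *user, const char *password)
{
    const struct role *r = NULL;
    for (size_t i = 0; i < sizeof roles / sizeof roles[0]; i++)
        if (strcmp(roles[i].name, user) == 0)
            r = &roles[i];
    /* Step 1: unknown role, no password set, and wrong password all look the same. */
    if (r == NULL || r->password == NULL || !same_secret(password, r->password))
        return AUTH_FAILED;
    /* Step 2: the NOLOGIN status is disclosed only to a caller who proved the password. */
    return r->canlogin ? AUTH_OK : AUTH_NOLOGIN;
}

int main(void)
{
    const char *tries[][2] = { {"foo", "wrong"}, {"nosuch", "x"}, {"foo", "foo"}, {"alice", "s3cret"} };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        enum auth_result res = authenticate(tries[i][0], tries[i][1]);
        if (res == AUTH_FAILED)
            printf("FATAL:  password authentication failed for user \"%s\"\n", tries[i][0]);
        else if (res == AUTH_NOLOGIN)
            printf("FATAL:  role \"%s\" is not permitted to log in\n", tries[i][0]);
        else
            printf("login ok for \"%s\"\n", tries[i][0]);
    }
    return 0;
}
```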

