New contrib module, auth_delay.
authorRobert Haas <rhaas@postgresql.org>
Sat, 27 Nov 2010 12:22:25 +0000 (07:22 -0500)
committerRobert Haas <rhaas@postgresql.org>
Sat, 27 Nov 2010 12:22:25 +0000 (07:22 -0500)
KaiGai Kohei, with a few changes by me.

contrib/Makefile
contrib/README
contrib/auth_delay/Makefile [new file with mode: 0644]
contrib/auth_delay/auth_delay.c [new file with mode: 0644]
doc/src/sgml/auth-delay.sgml [new file with mode: 0644]
doc/src/sgml/contrib.sgml
doc/src/sgml/filelist.sgml

index e1f2a84cde3d000d400917bc05a40c1a0d7f7fe0..5747bcc6ad5fe56da7fbff7029b62c739ead1a94 100644 (file)
@@ -6,6 +6,7 @@ include $(top_builddir)/src/Makefile.global
 
 SUBDIRS = \
                adminpack       \
+               auth_delay      \
                auto_explain    \
                btree_gin       \
                btree_gist      \
index 6d29cfe2b31f2ea1e913117a5ca3d323fdfd9015..9e223ef32d5880395cbb95776f8f05998ea1b186 100644 (file)
@@ -28,6 +28,11 @@ adminpack -
        File and log manipulation routines, used by pgAdmin
        by Dave Page <dpage@vale-housing.co.uk>
 
+auth_delay
+       Add a short delay after a failed authentication attempt, to make
+    make brute-force attacks on database passwords a bit harder.
+       by KaiGai Kohei <kaigai@ak.jp.nec.com>
+
 auto_explain -
        Log EXPLAIN output for long-running queries
        by Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp>
diff --git a/contrib/auth_delay/Makefile b/contrib/auth_delay/Makefile
new file mode 100644 (file)
index 0000000..09d2d54
--- /dev/null
@@ -0,0 +1,14 @@
+# contrib/auth_delay/Makefile
+
+MODULES = auth_delay
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/auth_delay
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/auth_delay/auth_delay.c b/contrib/auth_delay/auth_delay.c
new file mode 100644 (file)
index 0000000..09191bd
--- /dev/null
@@ -0,0 +1,70 @@
+/* -------------------------------------------------------------------------
+ *
+ * auth_delay.c
+ *
+ * Copyright (C) 2010, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *             contrib/auth_delay/auth_delay.c
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "libpq/auth.h"
+#include "port.h"
+#include "utils/guc.h"
+#include "utils/timestamp.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
+
+/* GUC Variables */
+static int     auth_delay_milliseconds;
+
+/* Original Hook */
+static ClientAuthentication_hook_type  original_client_auth_hook = NULL;
+
+/*
+ * Check authentication
+ */
+static void
+auth_delay_checks(Port *port, int status)
+{
+       /*
+        * Any other plugins which use ClientAuthentication_hook.
+        */
+       if (original_client_auth_hook)
+               original_client_auth_hook(port, status);
+
+       /*
+        * Inject a short delay if authentication failed.
+        */
+       if (status != STATUS_OK)
+       {
+               pg_usleep(1000L * auth_delay_milliseconds);
+       }
+}
+
+/*
+ * Module Load Callback
+ */
+void
+_PG_init(void)
+{
+       /* Define custome GUC variables */
+       DefineCustomIntVariable("auth_delay.milliseconds",
+                                                       "Milliseconds to delay before reporting authentication failure",
+                                                       NULL,
+                                                       &auth_delay_milliseconds,
+                                                       0,
+                                                       0, INT_MAX,
+                                                       PGC_SIGHUP,
+                                                       GUC_UNIT_MS,
+                                                       NULL,
+                                                       NULL);
+       /* Install Hooks */
+       original_client_auth_hook = ClientAuthentication_hook;
+       ClientAuthentication_hook = auth_delay_checks;
+}
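Review bot: The GUC range `0, INT_MAX` in _PG_init lets `1000L * auth_delay_milliseconds` in auth_delay_checks overflow wherever `long` is 32 bits (Windows, 32-bit builds), which is signed-overflow UB and in practice turns the largest settings into a negative or near-zero sleep, i.e. the brute-force mitigation silently switches off exactly when an admin dials it up. Cap the maximum so the product always fits in a `long`: `0, INT_MAX / 1000,`. It is also worth a one-line comment above the `pg_usleep` call that the sleep is paid by the backend while it still holds a connection slot, so the delay raises the cost per connection rather than per attacker, and a client opening many connections in parallel is bounded only by max_connections; if the hook can also be reached with STATUS_EOF (client gone before sending a password, which I believe auth.c reports), sleeping in that case merely ties up the slot, so restricting the delay to `status == STATUS_ERROR` may be preferable — confirm against auth.c. Minor: the comment `/* Define custome GUC variables */` should read `custom`.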
diff --git a/doc/src/sgml/auth-delay.sgml b/doc/src/sgml/auth-delay.sgml
new file mode 100644 (file)
index 0000000..683fa49
--- /dev/null
@@ -0,0 +1,67 @@
+<!-- doc/src/sgml/auth-delay.sgml -->
+
+<sect1 id="auth-delay">
+ <title>auth_delay</title>
+
+ <indexterm zone="auth-delay">
+  <primary>auth_delay</primary>
+ </indexterm>
+
+ <para>
+  <filename>auth_delay</filename> causes the server to pause briefly before
+  reporting authentication failure, to make brute-force attacks on database
+  passwords more difficult.  Note that it does nothing to prevent
+  denial-of-service attacks, and may even exacerbate them, since processes
+  that are waiting before reporting authentication failure will still consume
+  connection slots.
+ </para>
+
+ <para>
+  In order to function, this module must be loaded via 
+  <xref linkend="guc-shared-preload-libraries"> in <filename>postgresql.conf</>.
+ </para>
+
+ <sect2>
+  <title>Configuration parameters</title>
+
+  <variablelist>
+   <varlistentry>
+    <term>
+     <varname>auth_delay.milliseconds</varname> (<type>int</type>)
+    </term>
+    <indexterm>
+     <primary><varname>auth_delay.milliseconds</> configuration parameter</primary>
+    </indexterm>
+    <listitem>
+     <para>
+      The number of milliseconds to wait before reporting an authentication
+      failure.  The default is 0.
+     </para>
+    </listitem>
+   </varlistentry>
+  </variablelist>
+
+  <para>
+   In order to set these parameters in your <filename>postgresql.conf</> file,
+   you will need to add <literal>auth_delay</> to
+   <xref linkend="guc-custom-variable-classes">.  Typical usage might be:
+  </para>
+
+<programlisting>
+# postgresql.conf
+shared_preload_libraries = 'auth_delay'
+
+custom_variable_classes = 'auth_delay'
+auth_delay.milliseconds = '500'
+</programlisting>
+ </sect2>
+
+ <sect2>
+  <title>Author</title>
+
+  <para>
+   KaiGai Kohei <email>kaigai@ak.jp.nec.com</email>
+  </para>
+ </sect2>
+
+</sect1>
index a7c2a1d43eb77ce4187c5875596b7fc32a2f8405..d78847395e512aa905474b0658de10fd2040ea43 100644 (file)
@@ -81,6 +81,7 @@ psql -d dbname -f <replaceable>SHAREDIR</>/contrib/<replaceable>module</>.sql
  </para>
 
  &adminpack;
+ &auth-delay;
  &auto-explain;
  &btree-gin;
  &btree-gist;
index 4361991ea99a0b7eafae302f9ccdcc7f1200b126..aa2d801deb77375c4c622b3eaef6eca76ab67c0f 100644 (file)
@@ -93,6 +93,7 @@
 <!-- contrib information -->
 <!entity contrib         SYSTEM "contrib.sgml">
 <!entity adminpack       SYSTEM "adminpack.sgml">
+<!entity auth-delay      SYSTEM "auth-delay.sgml">
 <!entity auto-explain    SYSTEM "auto-explain.sgml">
 <!entity btree-gin       SYSTEM "btree-gin.sgml">
 <!entity btree-gist      SYSTEM "btree-gist.sgml">