From: Tom Lane
Date: Thu, 7 Jan 2016 16:19:33 +0000 (-0500)
Subject: Provide more detail in postmaster log for password authentication failures.
X-Git-Tag: REL9_6_BETA1~891
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5e0b5dcab685fe2a342385450a29a825cf40cddf;p=postgresql
Provide more detail in postmaster log for password authentication failures.
We tell people to examine the postmaster log if they're unsure why they are getting auth failures, but actually only a few relatively-uncommon failure cases were given their own log detail messages in commit 64e43c59b817a78d. Expand on that so that every failure case detected within md5_crypt_verify gets a specific log detail message. This should cover pretty much every ordinary password auth failure cause. So far I've not noticed user demand for a similar level of auth detail for the other auth methods, but sooner or later somebody might want to work on them. This is not that patch, though.
---
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 825e6510b4..f3c59e5303 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -50,7 +50,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 /* Get role info from pg_authid */
 roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
 if (!HeapTupleIsValid(roleTup))
+ {
+ *logdetail = psprintf(_("Role \"%s\" does not exist."),
+ role);
 return STATUS_ERROR; /* no such user */
+ }
 datum = SysCacheGetAttr(AUTHNAME, roleTup, Anum_pg_authid_rolpassword, &isnull);
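Review bot: The new detail in the `!HeapTupleIsValid(roleTup)` branch records that the role does not exist, and nothing next to it says that `*logdetail` must stay on the server side; if this string ever reached the client, an unauthenticated peer could tell valid role names from invalid ones. I would add a comment above the assignment such as `/* log-only detail: must never be sent to the client, it distinguishes a missing role from a bad password */`. `role` is presumably still the unauthenticated name taken from the connection request at this point, so anything that parses the log should treat the quoted value as untrusted text. md5_crypt_verify starts and ends outside the hunk, so how callers emit `*logdetail` is not visible here.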
@@ -71,13 +75,20 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 ReleaseSysCache(roleTup);
 if (*shadow_pass == '\0')
+ {
+ *logdetail = psprintf(_("User \"%s\" has an empty password."),
+ role);
 return STATUS_ERROR; /* empty password */
+ }
 CHECK_FOR_INTERRUPTS();
 /*
 * Compare with the encrypted or plain password depending on the
- * authentication method being used for this connection.
+ * authentication method being used for this connection. (We do not
+ * bother setting logdetail for pg_md5_encrypt failure: the only possible
+ * error is out-of-memory, which is unlikely, and if it did happen adding
+ * a psprintf call would only make things worse.)
 */
 switch (port->hba->auth_method)
 {
@@ -154,6 +165,9 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 else
 retval = STATUS_OK;
 }
+ else
+ *logdetail = psprintf(_("Password does not match for user \"%s\"."),
+ role);
 if (port->hba->auth_method == uaMD5)
 pfree(crypt_pwd);
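Review bot: The three new messages do not agree on terminology: this one and the mismatch message in the last hunk say `User \"%s\"`, while the first hunk says `Role \"%s\" does not exist.`. Log-matching rules for failed logins are easier to write and maintain when every detail line uses the same noun. I would settle on one, for example `_("Role \"%s\" has an empty password.")`, unless the detail messages already present in this function use "User" (they are not visible in the hunk).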
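Review bot: The added `else` carries a two-line statement without braces, directly after a braced block that itself ends in an unbraced inner `else`, so it is easy to misread which `if` it pairs with. Bracing it, `else { *logdetail = psprintf(...); }`, keeps the pairing obvious and stops a later second statement from running unconditionally. The matching `if` is above the hunk, so the condition it tests is not visible here.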