From 5e0b5dcab685fe2a342385450a29a825cf40cddf Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 7 Jan 2016 11:19:33 -0500
Subject: [PATCH] Provide more detail in postmaster log for password authentication failures.
We tell people to examine the postmaster log if they're unsure why they are getting auth failures, but actually only a few relatively-uncommon failure cases were given their own log detail messages in commit 64e43c59b817a78d. Expand on that so that every failure case detected within md5_crypt_verify gets a specific log detail message. This should cover pretty much every ordinary password auth failure cause. So far I've not noticed user demand for a similar level of auth detail for the other auth methods, but sooner or later somebody might want to work on them. This is not that patch, though.
---
 src/backend/libpq/crypt.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 825e6510b4..f3c59e5303 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -50,7 +50,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 /* Get role info from pg_authid */
 roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
 if (!HeapTupleIsValid(roleTup))
+ {
+ *logdetail = psprintf(_("Role \"%s\" does not exist."),
+ role);
 return STATUS_ERROR; /* no such user */
+ }
 datum = SysCacheGetAttr(AUTHNAME, roleTup, Anum_pg_authid_rolpassword, &isnull);
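Review bot: The `Role \"%s\" does not exist.` detail added in the `!HeapTupleIsValid(roleTup)` branch makes a missing role distinguishable from a wrong password, and nothing at the assignment documents that this string must stay in the server log. The commit message says logdetail goes to the postmaster log, but the code that consumes `*logdetail` is outside the hunk, so I would add a comment here such as `/* logdetail is for the server log only; the client must get the same generic failure for a missing role and a bad password */`. The same comment applies to the assignments added in the empty-password branch and in the final `else` of the later hunks. md5_crypt_verify starts and ends outside this hunk.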
@@ -71,13 +75,20 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 ReleaseSysCache(roleTup);
 if (*shadow_pass == '\0')
+ {
+ *logdetail = psprintf(_("User \"%s\" has an empty password."),
+ role);
 return STATUS_ERROR; /* empty password */
+ }
 CHECK_FOR_INTERRUPTS();
 /*
 * Compare with the encrypted or plain password depending on the
- * authentication method being used for this connection.
+ * authentication method being used for this connection. (We do not
+ * bother setting logdetail for pg_md5_encrypt failure: the only possible
+ * error is out-of-memory, which is unlikely, and if it did happen adding
+ * a psprintf call would only make things worse.)
 */
 switch (port->hba->auth_method)
 {
@@ -154,6 +165,9 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 else
 retval = STATUS_OK;
 }
+ else
+ *logdetail = psprintf(_("Password does not match for user \"%s\"."),
+ role);
 if (port->hba->auth_method == uaMD5)
 pfree(crypt_pwd);
--
2.40.0
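Review bot: The message added in the `*shadow_pass == '\0'` branch says `User \"%s\"` while the one added for the missing-role case says `Role \"%s\"`, and the mismatch message in the last hunk uses `user` again. Anyone writing log-matching rules for failed password authentication then has to cover both spellings for what is the same identifier. I would pick one term across the three messages, for example `_("Role \"%s\" has an empty password.")` and `_("Password does not match for role \"%s\".")`. The function body continues outside both hunks.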