| From: | tgl(at)postgresql(dot)org (Tom Lane) |
|---|---|
| To: | pgsql-committers(at)postgresql(dot)org |
| Subject: | pgsql: Rewrite pam_passwd_conv_proc to be more robust: avoid assuming |
| Date: | 2009-10-16 22:08:36 |
| Message-ID: | 20091016220836.A0937753FB7@cvs.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Log Message:
-----------
Rewrite pam_passwd_conv_proc to be more robust: avoid assuming that the
pam_message array contains exactly one PAM_PROMPT_ECHO_OFF message.
Instead, deal with however many messages there are, and don't throw error
for PAM_ERROR_MSG and PAM_TEXT_INFO messages. This logic is borrowed from
openssh 5.2p1, which hopefully has seen more real-world PAM usage than we
have. Per bug #5121 from Ryan Douglas, which turned out to be caused by
the conv_proc being called with zero messages. Apparently that is normal
behavior given the combination of Linux pam_krb5 with MS Active Directory
as the domain controller.
Patch all the way back, since this code has been essentially untouched
since 7.4. (Surprising we've not heard complaints before.)
Modified Files:
--------------
pgsql/src/backend/libpq:
auth.c (r1.186 -> r1.187)
(http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/libpq/auth.c?r1=1.186&r2=1.187)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2009-10-16 22:08:42 | pgsql: Rewrite pam_passwd_conv_proc to be more robust: avoid assuming |
| Previous Message | Heikki Linnakangas | 2009-10-16 10:38:55 | pgsql: FREEZE and VERBOSE options were in wrong order in the VACUUM |