| From: | tgl(at)postgresql(dot)org (Tom Lane) |
|---|---|
| To: | pgsql-committers(at)postgresql(dot)org |
| Subject: | pgsql: Rewrite pam_passwd_conv_proc to be more robust: avoid assuming |
| Date: | 2009-10-16 22:08:48 |
| Message-ID: | 20091016220848.99BC2753FB7@cvs.postgresql.org |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Log Message:
-----------
Rewrite pam_passwd_conv_proc to be more robust: avoid assuming that the
pam_message array contains exactly one PAM_PROMPT_ECHO_OFF message.
Instead, deal with however many messages there are, and don't throw error
for PAM_ERROR_MSG and PAM_TEXT_INFO messages. This logic is borrowed from
openssh 5.2p1, which hopefully has seen more real-world PAM usage than we
have. Per bug #5121 from Ryan Douglas, which turned out to be caused by
the conv_proc being called with zero messages. Apparently that is normal
behavior given the combination of Linux pam_krb5 with MS Active Directory
as the domain controller.
Patch all the way back, since this code has been essentially untouched
since 7.4. (Surprising we've not heard complaints before.)
Tags:
----
REL8_3_STABLE
Modified Files:
--------------
pgsql/src/backend/libpq:
auth.c (r1.164.2.4 -> r1.164.2.5)
(http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/libpq/auth.c?r1=1.164.2.4&r2=1.164.2.5)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2009-10-16 22:08:55 | pgsql: Rewrite pam_passwd_conv_proc to be more robust: avoid assuming |
| Previous Message | Tom Lane | 2009-10-16 22:08:42 | pgsql: Rewrite pam_passwd_conv_proc to be more robust: avoid assuming |