From: | Markus Wanner <markus(at)bluegap(dot)ch> |
---|---|
To: | Marko Tiikkaja <marko(at)joh(dot)to> |
Cc: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Change authentication error message (patch) |
Date: | 2013-06-20 11:14:32 |
Message-ID: | 51C2E418.8030109@bluegap.ch |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 06/20/2013 12:27 PM, Marko Tiikkaja wrote:
> My understanding is that the attacker would already have that
> information since the server would have sent an
> AuthenticationMD5Password message to get to the error in the first
> place. And we still reveal the authentication method to the frontend in
> all other cases ("peer authentication failed", for example).
Oh, right, I wasn't aware of that. Never mind, then.
+1 for keeping it mention "password authentication" explicitly.
However, thinking about this a bit more: Other authentication methods
may also provide password (or even account) expiration times. And may
fail to authenticate a user for entirely different reasons.
Given that, I wonder if "password expired" is such a special case worth
mentioning in case of the "password auth" method. If we go down that
path, don't we also have to include "auth server unreachable" as a
possible cause for authentication failure for methods that use an
external server?
Regards
Markus Wanner
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2013-06-20 11:15:09 | Re: Config reload/restart preview |
Previous Message | Cédric Villemain | 2013-06-20 11:12:32 | Re: Bugfix and new feature for PGXS |