Re: Authentication tests, and plain 'password' authentication with a SCRAM verifier

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Cc: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Subject: Re: Authentication tests, and plain 'password' authentication with a SCRAM verifier
Date: 2017-03-17 09:40:54
Message-ID: bb5cf245-a05e-d50e-82c6-9f6fa2aa36a8@iki.fi
Lists: pgsql-hackers

On 03/14/2017 03:43 PM, Michael Paquier wrote:
> + /*
> + * The password looked like a SCRAM verifier, but could not be
> + * parsed.
> + */
> + elog(LOG, "invalid SCRAM verifier for user \"%s\"", username);
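Review bot: the parse failure is reported only through elog(LOG, ...) with the username, and nothing is attached to *logdetail, so the caller's "password authentication failed" log entry will not carry the reason and an administrator has to correlate the two lines by user name. Consider populating *logdetail with the same text here, and using ereport(LOG, (errmsg("invalid SCRAM verifier for user \"%s\"", username))) rather than elog so the message is translatable like other operator-facing messages. Keeping it at LOG (server side only) is the right choice, since telling an unauthenticated client that a stored verifier is malformed would disclose account state.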
> This would be sent back to the client, no? I think that you should use
> *logdetail as well in scram_verify_plain_password.

No, LOG messages are never sent to the client. Well, unless you have
client_min_messages='log', but then all the LOG messages with details
would be sent to the clients anyway. (We don't process the GUCs from the
startup packet until after authentication, so an unauthenticated user
cannot set client_min_messages='log').

Committed, thanks.

- Heikki
