pgsql-v9.1-auth-delay.1.patch

application/octect-stream

Filename: pgsql-v9.1-auth-delay.1.patch
Type: application/octect-stream
Part: 0
Message: contrib: auth_delay module

Patch

Same data as JSON: GET /api/v1/attachments/:id/patch the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes. API reference →
Format: context
Series: patch v9
File+
contrib/auth_delay/auth_delay.c 135 0
contrib/auth_delay/Makefile 14 0
contrib/Makefile 1 0
contrib/README 5 0
*** a/contrib/Makefile
--- b/contrib/Makefile
***************
*** 6,11 **** include $(top_builddir)/src/Makefile.global
--- 6,12 ----
  
  SUBDIRS = \
  		adminpack	\
+ 		auth_delay	\
  		auto_explain	\
  		btree_gin	\
  		btree_gist	\
*** a/contrib/README
--- b/contrib/README
***************
*** 28,33 **** adminpack -
--- 28,38 ----
  	File and log manipulation routines, used by pgAdmin
  	by Dave Page <dpage@vale-housing.co.uk>
  
+ auth_delay
+ 	Add a few second's delay on authentication failed. It enables to make
+ 	difficult brute-force attacks on database passwords.
+ 	by KaiGai Kohei <kaigai@ak.jp.nec.com>
+ 
  auto_explain -
  	Log EXPLAIN output for long-running queries
  	by Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp>
*** /dev/null
--- b/contrib/auth_delay/Makefile
***************
*** 0 ****
--- 1,14 ----
+ # contrib/auth_delay/Makefile
+ 
+ MODULES = auth_delay
+ 
+ ifdef USE_PGXS
+ PG_CONFIG = pg_config
+ PGXS := $(shell $(PG_CONFIG) --pgxs)
+ include $(PGXS)
+ else
+ subdir = contrib/auth_delay
+ top_builddir = ../..
+ include $(top_builddir)/src/Makefile.global
+ include $(top_srcdir)/contrib/contrib-global.mk
+ endif
*** /dev/null
--- b/contrib/auth_delay/auth_delay.c
***************
*** 0 ****
--- 1,135 ----
+ /* -------------------------------------------------------------------------
+  *
+  * auth_delay.c
+  *
+  * Copyright (C) 2010, PostgreSQL Global Development Group
+  *
+  * IDENTIFICATION
+  *		contrib/auth_delay/auth_delay.c
+  *
+  * -------------------------------------------------------------------------
+  */
+ #include "postgres.h"
+ 
+ #include "catalog/pg_authid.h"
+ #include "libpq/auth.h"
+ #include "utils/guc.h"
+ #include "utils/syscache.h"
+ #include "utils/timestamp.h"
+ 
+ #include <unistd.h>
+ 
+ PG_MODULE_MAGIC;
+ 
+ void _PG_init(void);
+ 
+ /* GUC Variables */
+ static int	auth_delay_seconds;
+ static bool	auth_delay_log_on_failed;
+ static bool	auth_delay_log_on_super;
+ 
+ /* Original Hook */
+ static ClientAuthentication_hook_type	original_client_auth_hook = NULL;
+ 
+ /*
+  * Check authentication
+  */
+ static void
+ auth_delay_checks(Port *port, int status)
+ {
+ 	/*
+ 	 * Any other plugins which use the ClientAuthentication_hook.
+ 	 */
+ 	if (original_client_auth_hook)
+ 		original_client_auth_hook(port, status);
+ 
+ 	if (status == STATUS_OK)
+ 	{
+ 		/*
+ 		 * Logs this superuser's login event, if needed.
+ 		 */
+ 		if (auth_delay_log_on_super)
+ 		{
+ 			Form_pg_authid	authForm;
+ 			HeapTuple		tuple;
+ 
+ 			tuple = SearchSysCache1(AUTHNAME,
+ 									PointerGetDatum(port->user_name));
+ 			if (!HeapTupleIsValid(tuple))
+ 				ereport(FATAL,
+ 						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ 						 errmsg("role \"%s\" does not exist", port->user_name)));
+ 
+ 			authForm = (Form_pg_authid) GETSTRUCT(tuple);
+ 			if (authForm->rolsuper)
+ 				ereport(LOG,
+ 						(errmsg("Supperuser login (%s) role=\"%s\" "
+ 								"database=\"%s\" host=\"%s\"",
+ 								timestamptz_to_str(GetCurrentTimestamp()),
+ 								port->user_name,
+ 								port->database_name,
+ 								port->remote_host)));
+ 			ReleaseSysCache(tuple);
+ 		}
+ 	}
+ 	else
+ 	{
+ 		/*
+ 		 * Logs this authentication failed event, if needed.
+ 		 */
+ 		if (auth_delay_log_on_failed)
+ 			ereport(LOG,
+ 					(errmsg("Authentication failed (%s) role=\"%s\" "
+ 							"database=\"%s\" host=\"%s\"",
+ 							timestamptz_to_str(GetCurrentTimestamp()),
+ 							port->user_name,
+ 							port->database_name,
+ 							port->remote_host)));
+ 
+ 		/*
+ 		 * Delays a few seconds on authentication failed.
+ 		 */
+ 		sleep(auth_delay_seconds);
+ 	}
+ }
+ 
+ /*
+  * Module Load Callback
+  */
+ void
+ _PG_init(void)
+ {
+ 	/* Define custome GUC variables */
+ 	DefineCustomIntVariable("auth_delay.seconds",
+ 							"The seconds to be delayed on authentication failed",
+ 							NULL,
+ 							&auth_delay_seconds,
+ 							2,
+ 							0, INT_MAX,
+ 							PGC_POSTMASTER,
+ 							GUC_UNIT_S,
+ 							NULL,
+ 							NULL);
+ 	DefineCustomBoolVariable("auth_delay.log_on_failed",
+ 							 "Logs an event of authentication failed",
+ 							 NULL,
+ 							 &auth_delay_log_on_failed,
+ 							 true,
+ 							 PGC_POSTMASTER,
+ 							 0,
+ 							 NULL,
+ 							 NULL);
+ 	DefineCustomBoolVariable("auth_delay.log_on_super",
+ 							 "Logs an event of superuser logged on",
+ 							 NULL,
+ 							 &auth_delay_log_on_super,
+ 							 true,
+ 							 PGC_POSTMASTER,
+ 							 0,
+ 							 NULL,
+ 							 NULL);
+ 
+ 	/* Install Hooks */
+ 	original_client_auth_hook = ClientAuthentication_hook;
+ 	ClientAuthentication_hook = auth_delay_checks;
+ }