pgsql-v9.1-auth-delay.1.patch
application/octect-stream
Filename: pgsql-v9.1-auth-delay.1.patch
Type: application/octect-stream
Part: 0
Message:
contrib: auth_delay module
Patch
Same data as JSON:
GET /api/v1/attachments/:id/patch
the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes.
API reference →
Format: context
Series: patch v9
| File | + | − |
|---|---|---|
| contrib/auth_delay/auth_delay.c | 135 | 0 |
| contrib/auth_delay/Makefile | 14 | 0 |
| contrib/Makefile | 1 | 0 |
| contrib/README | 5 | 0 |
*** a/contrib/Makefile
--- b/contrib/Makefile
***************
*** 6,11 **** include $(top_builddir)/src/Makefile.global
--- 6,12 ----
SUBDIRS = \
adminpack \
+ auth_delay \
auto_explain \
btree_gin \
btree_gist \
*** a/contrib/README
--- b/contrib/README
***************
*** 28,33 **** adminpack -
--- 28,38 ----
File and log manipulation routines, used by pgAdmin
by Dave Page <dpage@vale-housing.co.uk>
+ auth_delay
+ Add a few second's delay on authentication failed. It enables to make
+ difficult brute-force attacks on database passwords.
+ by KaiGai Kohei <kaigai@ak.jp.nec.com>
+
auto_explain -
Log EXPLAIN output for long-running queries
by Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp>
*** /dev/null
--- b/contrib/auth_delay/Makefile
***************
*** 0 ****
--- 1,14 ----
+ # contrib/auth_delay/Makefile
+
+ MODULES = auth_delay
+
+ ifdef USE_PGXS
+ PG_CONFIG = pg_config
+ PGXS := $(shell $(PG_CONFIG) --pgxs)
+ include $(PGXS)
+ else
+ subdir = contrib/auth_delay
+ top_builddir = ../..
+ include $(top_builddir)/src/Makefile.global
+ include $(top_srcdir)/contrib/contrib-global.mk
+ endif
*** /dev/null
--- b/contrib/auth_delay/auth_delay.c
***************
*** 0 ****
--- 1,135 ----
+ /* -------------------------------------------------------------------------
+ *
+ * auth_delay.c
+ *
+ * Copyright (C) 2010, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ * contrib/auth_delay/auth_delay.c
+ *
+ * -------------------------------------------------------------------------
+ */
+ #include "postgres.h"
+
+ #include "catalog/pg_authid.h"
+ #include "libpq/auth.h"
+ #include "utils/guc.h"
+ #include "utils/syscache.h"
+ #include "utils/timestamp.h"
+
+ #include <unistd.h>
+
+ PG_MODULE_MAGIC;
+
+ void _PG_init(void);
+
+ /* GUC Variables */
+ static int auth_delay_seconds;
+ static bool auth_delay_log_on_failed;
+ static bool auth_delay_log_on_super;
+
+ /* Original Hook */
+ static ClientAuthentication_hook_type original_client_auth_hook = NULL;
+
+ /*
+ * Check authentication
+ */
+ static void
+ auth_delay_checks(Port *port, int status)
+ {
+ /*
+ * Any other plugins which use the ClientAuthentication_hook.
+ */
+ if (original_client_auth_hook)
+ original_client_auth_hook(port, status);
+
+ if (status == STATUS_OK)
+ {
+ /*
+ * Logs this superuser's login event, if needed.
+ */
+ if (auth_delay_log_on_super)
+ {
+ Form_pg_authid authForm;
+ HeapTuple tuple;
+
+ tuple = SearchSysCache1(AUTHNAME,
+ PointerGetDatum(port->user_name));
+ if (!HeapTupleIsValid(tuple))
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ errmsg("role \"%s\" does not exist", port->user_name)));
+
+ authForm = (Form_pg_authid) GETSTRUCT(tuple);
+ if (authForm->rolsuper)
+ ereport(LOG,
+ (errmsg("Supperuser login (%s) role=\"%s\" "
+ "database=\"%s\" host=\"%s\"",
+ timestamptz_to_str(GetCurrentTimestamp()),
+ port->user_name,
+ port->database_name,
+ port->remote_host)));
+ ReleaseSysCache(tuple);
+ }
+ }
+ else
+ {
+ /*
+ * Logs this authentication failed event, if needed.
+ */
+ if (auth_delay_log_on_failed)
+ ereport(LOG,
+ (errmsg("Authentication failed (%s) role=\"%s\" "
+ "database=\"%s\" host=\"%s\"",
+ timestamptz_to_str(GetCurrentTimestamp()),
+ port->user_name,
+ port->database_name,
+ port->remote_host)));
+
+ /*
+ * Delays a few seconds on authentication failed.
+ */
+ sleep(auth_delay_seconds);
+ }
+ }
+
+ /*
+ * Module Load Callback
+ */
+ void
+ _PG_init(void)
+ {
+ /* Define custome GUC variables */
+ DefineCustomIntVariable("auth_delay.seconds",
+ "The seconds to be delayed on authentication failed",
+ NULL,
+ &auth_delay_seconds,
+ 2,
+ 0, INT_MAX,
+ PGC_POSTMASTER,
+ GUC_UNIT_S,
+ NULL,
+ NULL);
+ DefineCustomBoolVariable("auth_delay.log_on_failed",
+ "Logs an event of authentication failed",
+ NULL,
+ &auth_delay_log_on_failed,
+ true,
+ PGC_POSTMASTER,
+ 0,
+ NULL,
+ NULL);
+ DefineCustomBoolVariable("auth_delay.log_on_super",
+ "Logs an event of superuser logged on",
+ NULL,
+ &auth_delay_log_on_super,
+ true,
+ PGC_POSTMASTER,
+ 0,
+ NULL,
+ NULL);
+
+ /* Install Hooks */
+ original_client_auth_hook = ClientAuthentication_hook;
+ ClientAuthentication_hook = auth_delay_checks;
+ }