Thread

  1. Two round for Client Authentication

    Yinjie Lin <exialin37@gmail.com> — 2018-06-14T04:12:16Z

    Hello everyone.
    
    I am a newcomer to PostgreSQL, and I don't know if it is proper to post my
    question here, but I really need some help.
    
    Currently I am reading and testing code about Client Authentication, but I
    find that there are two progresses forked if I login using psql, while only
    one progress is forked if using pgAdmin.
    
    My pg_hba.conf is as follows:
    local  all  all                               md5
    host  all  all  192.168.64.56/32  md5
    
    If I login with psql, the following stack is called twice:
        ServerLoop
        BackendStartup
        BackendRun
        PostgresMain
        InitPostgres
        PerformAuthentication
        ClientAuthentication
    
    In the first round, the variable `status` in function
    ClientAuthentication() is always STATUS_EOF (at least in my test). In the
    second round, `status` seems to be what should be expected: STATUS_OK for
    correct password, STATUS_ERROR for wrong password, and STATUS_EOF for empty
    password.
    
    Why are there two such progresses forked? I think one round should be
    enough, like when using pgAdmin.
    
    Besides, I find it hard to debug the ServerLoop() stack, compared with the
    backend progress for query, because there are two many subprogresses and
    signals. It would be of great help if anyone could give me some
    instructions on how to learn to debug postmaster using gdb.
    
    Thanks in advance!
    
    Best Regards
    
  2. Re: Two round for Client Authentication

    Marko Tiikkaja <marko@joh.to> — 2018-06-14T04:54:22Z

    On Thu, Jun 14, 2018 at 7:12 AM, Yinjie Lin <exialin37@gmail.com> wrote:
    
    > Currently I am reading and testing code about Client Authentication, but I
    > find that there are two progresses forked if I login using psql, while only
    > one progress is forked if using pgAdmin.
    >
    
    If psql finds the server asks for a password, it closes the first
    connection, displays a password prompt to the user, and then does another
    connection attempt with the password the user entered.  You can avoid the
    first attempt with the -W flag; though there's usually no reason to do that
    in practice.
    
    
    .m
    
  3. Re: Two round for Client Authentication

    David G. Johnston <david.g.johnston@gmail.com> — 2018-06-14T04:56:55Z

    On Wednesday, June 13, 2018, Yinjie Lin <exialin37@gmail.com> wrote:
    >
    > Why are there two such progresses forked? I think one round should be
    > enough, like when using pgAdmin.
    >
    
    You can use the --password option to prevent it.
    
    """
    This option is never essential, since psql will automatically prompt for a
    password if the server demands password authentication. However, psql will
    waste a connection attempt finding out that the server wants a password. In
    some cases it is worth typing -W to avoid the extra connection attempt.
    """
    
    In pgAdmin you've saved a password to the profile so the initial attempt
    uses it.  psql doesn't have a similar capability.  Though I am unsure
    whether the use of .pgpass would make any difference here...
    
    David J.
    
  4. Re: Two round for Client Authentication

    Yinjie Lin <exialin37@gmail.com> — 2018-06-15T06:02:50Z

    Many thanks to Marko and David for your reply. It really helped.
    
    Now I am playing with extension auth_delay, which uses
    ClientAuthentication_hook. But I find it not easy to distinguish the first
    connection of psql from the second one with empty password, since the
    variable 'status' are both STATUS_EOF. Maybe I should dive into the code
    deeper.
    
    Regards,