Re: Authentication tests, and plain 'password' authentication with a SCRAM verifier
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: pgsql-hackers <pgsql-hackers@postgresql.org>
Cc: Michael Paquier <michael.paquier@gmail.com>
Date: 2017-03-17T09:40:54Z
Lists: pgsql-hackers
On 03/14/2017 03:43 PM, Michael Paquier wrote: > + /* > + * The password looked like a SCRAM verifier, but could not be > + * parsed. > + */ > + elog(LOG, "invalid SCRAM verifier for user \"%s\"", username); > This would be sent back to the client, no? I think that you should use > *logdetail as well in scram_verify_plain_password. No, LOG messages are never sent to the client. Well, unless you have client_min_messages='log', but then all the LOG messages with details would be sent to the clients anyway. (We don't process the GUCs from the startup packet until after authentication, so an unauthenticated user cannot set client_min_messages='log'). Committed, thanks. - Heikki
Commits
-
Don't use SCRAM-specific "e=invalid-proof" on invalid password.
- 344a11307988 10.0 landed