Avoid logging complaints about abandoned connections when using PAM.
authorTom Lane <[email protected]>
Tue, 5 Nov 2019 19:27:38 +0000 (14:27 -0500)
committerTom Lane <[email protected]>
Tue, 5 Nov 2019 19:27:38 +0000 (14:27 -0500)
For a long time (since commit aed378e8d) we have had a policy to log
nothing about a connection if the client disconnects when challenged
for a password.  This is because libpq-using clients will typically
do that, and then come back for a new connection attempt once they've
collected a password from their user, so that logging the abandoned
connection attempt will just result in log spam.  However, this did
not work well for PAM authentication: the bottom-level function
pam_passwd_conv_proc() was on board with it, but we logged messages
at higher levels anyway, for lack of any reporting mechanism.
Add a flag and tweak the logic so that the case is silent, as it is
for other password-using auth mechanisms.

Per complaint from Yoann La Cancellera.  It's been like this for awhile,
so back-patch to all supported branches.

Discussion: https://postgr.es/m/CACP=ajbrFFYUrLyJBLV8=q+eNCapa1xDEyvXhMoYrNphs-xqPw@mail.gmail.com

src/backend/libpq/auth.c

index eb695a901d320cee9ef62936888cd03b012b18b0..395dc2f2974401db566edef59e5e947d0f5a44b2 100644 (file)
@@ -88,6 +88,7 @@ static struct pam_conv pam_passw_conv = {
 static char *pam_passwd = NULL; /* Workaround for Solaris 2.6 brokenness */
 static Port *pam_port_cludge;  /* Workaround for passing "Port *port" into
                                 * pam_passwd_conv_proc */
+static bool pam_no_password;   /* For detecting no-password-given */
 #endif   /* USE_PAM */
 
 
@@ -1704,8 +1705,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
                    {
                        /*
                         * Client didn't want to send password.  We
-                        * intentionally do not log anything about this.
+                        * intentionally do not log anything about this,
+                        * either here or at higher levels.
                         */
+                       pam_no_password = true;
                        goto fail;
                    }
                }
@@ -1764,6 +1767,7 @@ CheckPAMAuth(Port *port, char *user, char *password)
     */
    pam_passwd = password;
    pam_port_cludge = port;
+   pam_no_password = false;
 
    /*
     * Set the application data portion of the conversation struct.  This is
@@ -1816,22 +1820,26 @@ CheckPAMAuth(Port *port, char *user, char *password)
 
    if (retval != PAM_SUCCESS)
    {
-       ereport(LOG,
-               (errmsg("pam_authenticate failed: %s",
-                       pam_strerror(pamh, retval))));
+       /* If pam_passwd_conv_proc saw EOF, don't log anything */
+       if (!pam_no_password)
+           ereport(LOG,
+                   (errmsg("pam_authenticate failed: %s",
+                           pam_strerror(pamh, retval))));
        pam_passwd = NULL;      /* Unset pam_passwd */
-       return STATUS_ERROR;
+       return pam_no_password ? STATUS_EOF : STATUS_ERROR;
    }
 
    retval = pam_acct_mgmt(pamh, 0);
 
    if (retval != PAM_SUCCESS)
    {
-       ereport(LOG,
-               (errmsg("pam_acct_mgmt failed: %s",
-                       pam_strerror(pamh, retval))));
+       /* If pam_passwd_conv_proc saw EOF, don't log anything */
+       if (!pam_no_password)
+           ereport(LOG,
+                   (errmsg("pam_acct_mgmt failed: %s",
+                           pam_strerror(pamh, retval))));
        pam_passwd = NULL;      /* Unset pam_passwd */
-       return STATUS_ERROR;
+       return pam_no_password ? STATUS_EOF : STATUS_ERROR;
    }
 
    retval = pam_end(pamh, retval);