Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue

Thu, 17 Aug 2023 09:54:14 -0700 

On Thu, Aug 17, 2023 at 9:46 AM Stephen Frost <sfr...@snowman.net> wrote:
> Don't like 'skipped' but that feels closer.
>
> How about 'connection bypassed authentication'?

Works for me; see v2.

Thanks!
--Jacob

From 5404c28391d2faae8a306e4e21c2ddfe1b70b53e Mon Sep 17 00:00:00 2001
From: Jacob Champion <champio...@gmail.com>
Date: Wed, 16 Aug 2023 14:48:49 -0700
Subject: [PATCH v2] log_connections: add entries for "trust" connections

Allow DBAs to audit unexpected "trust" connections.  Previously, you had
to notice the absence of a "connection authenticated" line between the
"connection received" and "connection authorized" entries.  Now it's
called out explicitly.
---
 src/backend/libpq/auth.c                  | 15 +++++++++++++++
 src/test/authentication/t/001_password.pl |  6 ++++++
 2 files changed, 21 insertions(+)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index e7571aaddb..a68e1c9b52 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -645,6 +645,21 @@ ClientAuthentication(Port *port)
 #endif
 	}
 
+	if (Log_connections
+		&& (status == STATUS_OK) && !MyClientConnectionInfo.authn_id)
+	{
+		/*
+		 * No authentication was actually performed; this happens e.g. when the
+		 * trust method is in use.  For audit purposes, log a breadcrumb to
+		 * explain where in the HBA this happened.
+		 */
+		ereport(LOG,
+				errmsg("connection bypassed authentication: user=\"%s\" method=%s "
+					   "(%s:%d)",
+					   port->user_name, hba_authname(port->hba->auth_method),
+					   port->hba->sourcefile, port->hba->linenumber));
+	}
+
 	if (ClientAuthentication_hook)
 		(*ClientAuthentication_hook) (port, status);
 
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 12552837a8..3440afbaaa 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -140,8 +140,14 @@ $node->safe_psql('postgres', "CREATE database regex_testdb;");
 # considered to be authenticated.
 reset_pg_hba($node, 'all', 'all', 'trust');
 test_conn($node, 'user=scram_role', 'trust', 0,
+	log_like => [
+		qr/connection bypassed authentication: user="scram_role" method=trust/
+	],
 	log_unlike => [qr/connection authenticated:/]);
 test_conn($node, 'user=md5_role', 'trust', 0,
+	log_like => [
+		qr/connection bypassed authentication: user="md5_role" method=trust/
+	],
 	log_unlike => [qr/connection authenticated:/]);
 
 # SYSTEM_USER is null when not authenticated.
-- 
2.39.2

Reply via email to