Many thanks to Marko and David for your reply. It really helped. Now I am playing with extension auth_delay, which uses ClientAuthentication_hook. But I find it not easy to distinguish the first connection of psql from the second one with empty password, since the variable 'status' are both STATUS_EOF. Maybe I should dive into the code deeper.
Regards,