On 03/14/2017 09:25 PM, Heikki Linnakangas wrote:
> On 03/14/2017 09:02 PM, Jeff Janes wrote:
>> The message returned to the client for the wrong password differs between
>> pg_hba-set scram and pg_hba-set md5/password methods.  Is that OK?
>>
>> psql: error received from server in SASL exchange: invalid-proof
>>
>> psql: FATAL:  password authentication failed for user "test"
>
> Ah yeah, I was on the fence on that one. Currently, the server returns
> the invalid-proof error to the client, as defined in RFC5802. That
> results in that error message from libpq. Alternatively, the server
> could elog(FATAL), like the other authentication mechanisms do, with the
> same message. The RFC allows that behavior too, but returning the
> invalid-proof error code is potentially more friendly to 3rd party SCRAM
> implementations.
>
> One option would be to recognize the "invalid-proof" message in libpq,
> and construct a more informative error message in libpq. Could use the
> same wording, "password authentication failed", but it would behave
> differently wrt. translation, at least.

I went ahead and changed the backend code to not send the "invalid-proof" error. That seemed like the easiest fix for this. You now get the same "password authentication failed" error as with MD5 and plain password authentication.

- Heikki
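The libpq-side option discussed above (recognizing the "invalid-proof" token in the SCRAM server-final-message and reporting the same generic wording the md5/password methods use), as an added example that is not part of this thread or of PostgreSQL's own code; the function names, the 128-byte value buffer and the message mapping are assumptions.

```c
#include <string.h>

/* A SCRAM server-final-message (RFC 5802, section 7) carries either
 * "v=<base64 ServerSignature>" or "e=<server-error-value>", e.g. "e=invalid-proof". */
typedef enum { SF_VERIFIER, SF_ERROR, SF_MALFORMED } sf_kind;

typedef struct {
    sf_kind kind;
    char    value[128];  /* verifier or error token, NUL-terminated */
} server_final;

static server_final parse_server_final(const char *msg)
{
    server_final r = { SF_MALFORMED, "" };
    size_t len;
    if (msg == NULL || strlen(msg) < 3 || msg[1] != '=')
        return r;
    if (msg[0] == 'v')
        r.kind = SF_VERIFIER;
    else if (msg[0] == 'e')
        r.kind = SF_ERROR;
    else
        return r;
    /* the attribute value runs up to the next comma (optional extensions) */
    len = strcspn(msg + 2, ",");
    if (len == 0 || len >= sizeof(r.value)) {
        r.kind = SF_MALFORMED;
        return r;
    }
    memcpy(r.value, msg + 2, len);
    r.value[len] = '\0';
    return r;
}

/* Hypothetical client-side mapping (not libpq's code): surface the same
 * wording the md5/password methods use, so the error text does not reveal
 * which mechanism pg_hba.conf selected.  Returns NULL for a verifier message;
 * the caller must still compare it against its own computed ServerSignature. */
static const char *scram_client_message(const char *msg)
{
    server_final sf = parse_server_final(msg);
    if (sf.kind == SF_VERIFIER)
        return NULL;
    if (sf.kind == SF_ERROR && strcmp(sf.value, "invalid-proof") == 0)
        return "password authentication failed";
    if (sf.kind == SF_ERROR)
        return "error received from server in SASL exchange";
    return "malformed SCRAM server-final-message";
}
```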
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers