Tom Lane wrote:
> With the attached patch to not drop nologin roles from the flat password
> file, it acts more sanely:
>
> postgres=# create user foo nologin;
> CREATE ROLE
> postgres=# \c - foo
> Password for user "foo":
> FATAL: password authentication failed for user "foo"
> Previous connection kept
> postgres=# alter user foo password 'foo';
> ALTER ROLE
> postgres=# \c - foo
> Password for user "foo": << correct password entered here
> FATAL: role "foo" is not permitted to log in
> Previous connection kept
>
> Should we just do this, or is it worth working harder?

IMHO this is exactly what we want. It does only offer more information when
you already got authentication right and therefore doesn't open an
information leak.
Not sure about the warning when creating a role with a password but
nologin. Could be useful.
Best Regards
Michael Paesold
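
The check order discussed in this message, as an added example that is not part of the original mail and is not PostgreSQL source code: a small C model comparing "password first" with "login attribute first". The role table, function names and result codes are assumptions made for illustration; plain strcmp on cleartext passwords is a simplification.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample roles; names and passwords are illustrative only. */
struct role { const char *name; const char *password; int can_login; };
static const struct role roles[] = {
    { "alice", "s3cret", 1 },
    { "foo",   "foo",    0 },  /* created NOLOGIN, password set afterwards */
};

enum result { AUTH_OK, AUTH_FAILED, AUTH_NOLOGIN };
typedef enum result (*login_fn)(const char *, const char *);

static const struct role *find_role(const char *name) {
    for (size_t i = 0; i < sizeof roles / sizeof roles[0]; i++)
        if (strcmp(roles[i].name, name) == 0)
            return &roles[i];
    return NULL;
}

/* Order shown in the session above: verify the password, then the attribute. */
enum result login_password_first(const char *name, const char *pw) {
    const struct role *r = find_role(name);
    if (r == NULL || strcmp(r->password, pw) != 0)
        return AUTH_FAILED;    /* same answer for unknown role and bad password */
    return r->can_login ? AUTH_OK : AUTH_NOLOGIN;
}

/* Reversed order, for contrast: attribute reported before proof of identity. */
enum result login_attribute_first(const char *name, const char *pw) {
    const struct role *r = find_role(name);
    if (r == NULL)
        return AUTH_FAILED;
    if (!r->can_login)
        return AUTH_NOLOGIN;   /* reveals that the role exists and is NOLOGIN */
    return strcmp(r->password, pw) == 0 ? AUTH_OK : AUTH_FAILED;
}

/* 1 if a client without the password can tell a NOLOGIN role from a missing one. */
int leaks_without_password(login_fn f) {
    return f("foo", "wrong") != f("no_such_role", "wrong");
}

int main(void) {
    printf("password first leaks:  %d\n", leaks_without_password(login_password_first));
    printf("attribute first leaks: %d\n", leaks_without_password(login_attribute_first));
    return 0;
}
```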