Re: [HACKERS] Change authentication error message (patch)

2014-01-24 Thread Tom Lane
Bruce Momjian br...@momjian.us writes: On Thu, Jan 23, 2014 at 10:39:34PM -0500, Tom Lane wrote: I'm not convinced that this improves anything. The problem might not in fact be either of the things you mention, in which case the new message is outright misleading. Also, what of the policy

Re: [HACKERS] Change authentication error message (patch)

2014-01-24 Thread Tom Lane
I wrote: I agree with doing *something*, but this particular thing seems to violate our very long-standing policy on how to deal with authentication failures, as well as being too vague to be really useful. What would be well within that policy is to log additional information into the

Re: [HACKERS] Change authentication error message (patch)

2014-01-24 Thread Bruce Momjian
On Fri, Jan 24, 2014 at 10:10:00AM -0500, Tom Lane wrote: Bruce Momjian br...@momjian.us writes: On Thu, Jan 23, 2014 at 10:39:34PM -0500, Tom Lane wrote: I'm not convinced that this improves anything. The problem might not in fact be either of the things you mention, in which case the new

Re: [HACKERS] Change authentication error message (patch)

2014-01-23 Thread Bruce Momjian
On Wed, Jun 19, 2013 at 01:27:39PM -0700, Joshua D. Drake wrote: On 06/19/2013 01:18 PM, Markus Wanner wrote: Authentication failed or password has expired for user "%s" Authentication failed covers any combination of a username/password being wrong and obviously password expired covers

Re: [HACKERS] Change authentication error message (patch)

2014-01-23 Thread Tom Lane
Bruce Momjian br...@momjian.us writes: I have developed the attached patch to fix this problem. Do I need to say invalid user or invalid or expired password? I'm not convinced that this improves anything. The problem might not in fact be either of the things you mention, in which case the new

Re: [HACKERS] Change authentication error message (patch)

2014-01-23 Thread Bruce Momjian
On Thu, Jan 23, 2014 at 10:39:34PM -0500, Tom Lane wrote: Bruce Momjian br...@momjian.us writes: I have developed the attached patch to fix this problem. Do I need to say invalid user or invalid or expired password? I'm not convinced that this improves anything. The problem might not in

Re: [HACKERS] Change authentication error message (patch)

2013-06-20 Thread Markus Wanner
On 06/20/2013 12:51 AM, Jeff Janes wrote: I think we need to keep the first password. Password authentication is a single thing, it is the authentication method attempted. It is the password method (which includes MD5) which failed, as opposed to the LDAP method or the Peer method or one of

Re: [HACKERS] Change authentication error message (patch)

2013-06-20 Thread Marko Tiikkaja
On 20/06/2013 08:47, Markus Wanner wrote: On 06/20/2013 12:51 AM, Jeff Janes wrote: I think we need to keep the first password. Password authentication is a single thing, it is the authentication method attempted. It is the password method (which includes MD5) which failed, as opposed to the

Re: [HACKERS] Change authentication error message (patch)

2013-06-20 Thread Markus Wanner
On 06/20/2013 12:27 PM, Marko Tiikkaja wrote: My understanding is that the attacker would already have that information since the server would have sent an AuthenticationMD5Password message to get to the error in the first place. And we still reveal the authentication method to the frontend

Re: [HACKERS] Change authentication error message (patch)

2013-06-19 Thread Joshua D. Drake
On 06/18/2013 02:25 AM, Markus Wanner wrote: On 06/16/2013 06:02 PM, Joshua D. Drake wrote: Instead of pushing extra info to the logs I decided that we could without giving away extra details per policy. I wrote the error message in a way that tells the most obvious problems, without

Re: [HACKERS] Change authentication error message (patch)

2013-06-19 Thread Markus Wanner
This probably is nit-picking, but it interests me in terms of how the language is used and understood. On 06/19/2013 08:55 PM, Joshua D. Drake wrote: I believe it actually can. The error message that is returned for a bad password, bad user or expired password is all the same. Which is why I

Re: [HACKERS] Change authentication error message (patch)

2013-06-19 Thread Joshua D. Drake
On 06/19/2013 01:18 PM, Markus Wanner wrote: Authentication failed or password has expired for user "%s" Authentication failed covers any combination of a username/password being wrong and obviously password expired covers the other. Works for me. Considering the password to be the thing

Re: [HACKERS] Change authentication error message (patch)

2013-06-19 Thread Jeff Janes
On Wed, Jun 19, 2013 at 11:55 AM, Joshua D. Drake j...@commandprompt.com wrote: On 06/18/2013 02:25 AM, Markus Wanner wrote: On 06/16/2013 06:02 PM, Joshua D. Drake wrote: How about: password authentication failed or account expired for user "%s" It's a bit longer, but sounds more like

Re: [HACKERS] Change authentication error message (patch)

2013-06-18 Thread Markus Wanner
On 06/16/2013 06:02 PM, Joshua D. Drake wrote: Instead of pushing extra info to the logs I decided that we could without giving away extra details per policy. I wrote the error message in a way that tells the most obvious problems, without admitting to any of them. Please see attached: +1 for

[HACKERS] Change authentication error message (patch)

2013-06-16 Thread Joshua D. Drake
Hello, Instead of pushing extra info to the logs I decided that we could without giving away extra details per policy. I wrote the error message in a way that tells the most obvious problems, without admitting to any of them. Please see attached: diff --git a/src/backend/libpq/auth.c