On Fri, Jan 24, 2014 at 10:10:00AM -0500, Tom Lane wrote:
> Bruce Momjian writes:
> > On Thu, Jan 23, 2014 at 10:39:34PM -0500, Tom Lane wrote:
> >> I'm not convinced that this improves anything. The problem might not in
> >> fact be either of the things you mention, in which case the new message
I wrote:
> I agree with doing *something*, but this particular thing seems to violate
> our very long-standing policy on how to deal with authentication failures,
> as well as being too vague to be really useful.
> What would be well within that policy is to log additional information
> into the p
Bruce Momjian writes:
> On Thu, Jan 23, 2014 at 10:39:34PM -0500, Tom Lane wrote:
>> I'm not convinced that this improves anything. The problem might not in
>> fact be either of the things you mention, in which case the new message
>> is outright misleading. Also, what of the policy stated in t
On Thu, Jan 23, 2014 at 10:39:34PM -0500, Tom Lane wrote:
> Bruce Momjian writes:
> > I have developed the attached patch to fix this problem. Do I need to
> > say "invalid user or invalid or expired password"?
>
> I'm not convinced that this improves anything. The problem might not in
> fact b
Bruce Momjian writes:
> I have developed the attached patch to fix this problem. Do I need to
> say "invalid user or invalid or expired password"?
I'm not convinced that this improves anything. The problem might not in
fact be either of the things you mention, in which case the new message
is
On Wed, Jun 19, 2013 at 01:27:39PM -0700, Joshua D. Drake wrote:
>
> On 06/19/2013 01:18 PM, Markus Wanner wrote:
>
> >>"Authentication failed or password has expired for user \"%s\""
> >>
> >>Authentication failed covers any combination of a username/password
> >>being wrong and obviously passwo
On 06/20/2013 12:27 PM, Marko Tiikkaja wrote:
> My understanding is that the attacker would already have that
> information since the server would have sent an
> AuthenticationMD5Password message to get to the error in the first
> place. And we still reveal the authentication method to the fronten
On 20/06/2013 08:47, Markus Wanner wrote:
> On 06/20/2013 12:51 AM, Jeff Janes wrote:
>> I think we need to keep the first "password". "Password authentication"
>> is a single thing, it is the authentication method attempted. It is the
>> password method (which includes MD5) which failed, as opposed to t
On 06/20/2013 12:51 AM, Jeff Janes wrote:
> I think we need to keep the first "password". "Password authentication"
> is a single thing, it is the authentication method attempted. It is the
> password method (which includes MD5) which failed, as opposed to the
> LDAP method or the Peer method or
On Wed, Jun 19, 2013 at 11:55 AM, Joshua D. Drake wrote:
>
> On 06/18/2013 02:25 AM, Markus Wanner wrote:
>
>>
>> On 06/16/2013 06:02 PM, Joshua D. Drake wrote:
>>
>>>
>>>
>> How about:
>> "password authentication failed or account expired for user \"%s\""
>>
>> It's a bit longer, but sounds more
On 06/19/2013 01:18 PM, Markus Wanner wrote:
> "Authentication failed or password has expired for user \"%s\""
> Authentication failed covers any combination of a username/password
> being wrong and obviously password expired covers the other.
Works for me. Considering the password to be the thing
This probably is nit-picking, but it interests me in terms of how the
language is used and understood.
On 06/19/2013 08:55 PM, Joshua D. Drake wrote:
> I believe it actually can. The error message that is returned for a bad
> password, bad user or expired password is all the same. Which is why I
>
On 06/18/2013 02:25 AM, Markus Wanner wrote:
> On 06/16/2013 06:02 PM, Joshua D. Drake wrote:
>> Instead of pushing extra info to the logs I decided that we could
>> without giving away extra details per policy. I wrote the error message
>> in a way that tells the most obvious problems, without admitting
On 06/16/2013 06:02 PM, Joshua D. Drake wrote:
> Instead of pushing extra info to the logs I decided that we could
> without giving away extra details per policy. I wrote the error message
> in a way that tells the most obvious problems, without admitting to any
> of them. Please see attached:
+1
Hello,
Instead of pushing extra info to the logs I decided that we could
without giving away extra details per policy. I wrote the error message
in a way that tells the most obvious problems, without admitting to any
of them. Please see attached:
diff --git a/src/backend/libpq/auth.c b/src/