Re: Bad error message on valuntil
From | Joshua D. Drake
---|---
Subject | Re: Bad error message on valuntil
Date |
Msg-id | 51B23D79.3070600@commandprompt.com
In reply to | Re: Bad error message on valuntil (Tom Lane <tgl@sss.pgh.pa.us>)
Responses | Re: Bad error message on valuntil; Re: Bad error message on valuntil; Re: Bad error message on valuntil
List | pgsql-hackers
On 06/07/2013 12:31 PM, Tom Lane wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> On 06/07/2013 11:57 AM, Tom Lane wrote:
>>> I think it's intentional that we don't tell the *client* that level of
>>> detail.
>
>> Why? That seems rather silly.
>
> The general policy on authentication failure reports is that we don't
> tell the client anything it doesn't know already about what the auth
> method is. We can log additional info into the postmaster log if it
> seems useful to do so, but the more you tell a client, the more you
> risk undesirable info leakage to a bad guy. As an example here,
> reporting the valuntil condition would be acking to an attacker that
> he had the right password.

So security by obscurity?

Alright, without getting into that argument how about we change the
error message to:

FATAL: Authentication failed: Check server log for specifics

And then we make sure we log proper info?

Sincerely,

Joshua D. Drake

>
> regards, tom lane
>

--
Command Prompt, Inc. - http://www.commandprompt.com/ 509-416-6579
PostgreSQL Support, Training, Professional Services and Development
High Availability, Oracle Conversion, Postgres-XC, @cmdpromptinc
For my dreams of your image that blossoms a rose in the deeps of my heart. - W.B. Yeats
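The policy Tom Lane describes and the generic message Joshua proposes, shown side by side as an added example that is not part of this thread or of PostgreSQL's code: the client gets one uniform failure message whether the password was wrong or merely expired, while the server log records the specific reason. The role catalogue, the toy salted hash and the log wording are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def _digest(password: str, salt: str) -> str:
    # Toy salted hash, constructed for this example (not PostgreSQL's scheme)
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed role catalogue: alice's valuntil has passed, bob's never expires
ROLES = {
    "alice": {"salt": "s1", "hash": _digest("correct horse", "s1"),
              "valuntil": datetime(2013, 1, 1, tzinfo=timezone.utc)},
    "bob": {"salt": "s2", "hash": _digest("hunter2", "s2"), "valuntil": None},
}

# Fixed clock for the example, later than alice's valuntil
NOW = datetime(2013, 6, 7, tzinfo=timezone.utc)

# Single message every failed client sees, modelled on Joshua's proposal
CLIENT_MSG = "FATAL: Authentication failed: Check server log for specifics"

def authenticate(user, password, now=NOW, leak_detail=False):
    """Return (ok, client_message, server_log_line).
    leak_detail=True is the behaviour the thread argues against: telling the
    client about valuntil confirms that the password itself was right."""
    role = ROLES.get(user)
    if role is None:
        # Unknown role gets the same client message as a bad password
        return False, CLIENT_MSG, f'LOG: role "{user}" does not exist'
    if not hmac.compare_digest(_digest(password, role["salt"]), role["hash"]):
        return False, CLIENT_MSG, f'LOG: password check failed for role "{user}"'
    until = role["valuntil"]
    if until is not None and now > until:
        detail = f'password for role "{user}" expired at {until.isoformat()}'
        if leak_detail:
            return False, f"FATAL: {detail}", f"LOG: {detail}"
        return False, CLIENT_MSG, f"LOG: {detail}"
    return True, "", f'LOG: connection authorized: user="{user}"'

def client_message_is_uniform(user="alice"):
    """True when a wrong password and an expired password look identical to the client."""
    wrong = authenticate(user, "not the password")
    expired = authenticate(user, "correct horse")
    return (not wrong[0]) and (not expired[0]) and wrong[1] == expired[1]
```

Running `authenticate("alice", "correct horse", leak_detail=True)` shows the difference the thread is about: the client message itself reveals the expiry, and with it that the password was correct.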