Re: Logging of PAM Authentication Failure
From | Robert Haas |
---|---|
Subject | Re: Logging of PAM Authentication Failure |
Date | |
Msg-id | CA+TgmobSNRZDoTfa2HZMzycEM5itAhPyzk=DdmsyKq9jgKoj5w@mail.gmail.com |
In response to | Logging of PAM Authentication Failure (Amit Langote <amitlangote09@gmail.com>) |
Responses | Re: Logging of PAM Authentication Failure, Re: Logging of PAM Authentication Failure |
List | pgsql-hackers |
On Wed, May 8, 2013 at 10:40 PM, Amit Langote <amitlangote09@gmail.com> wrote:
> When client authentication method is set to "pam" in pg_hba.conf,
> connecting using psql results in logging of authentication failure
> even before a password prompt is provided, nonetheless user is
> subsequently able to connect by providing a password. Following is
> what is logged:
>
> Password: LOG: pam_authenticate failed: Conversation error
> FATAL: PAM authentication failed for user "amit"
>
> To see what's going on I debugged psql and found that without a -W
> option, this is bound to happen, since psql first attempts to connect
> and without a password (which it doesn't know is required for the
> first time), it fails and subsequently prompts for password. Correct
> password then leads to successful connection.
>
> I tried to observe the behavior with md5 method (without -W) and
> observed that no authentication failure is logged, since server
> probably behaves differently in response to the psql's first
> connection request in that case. But, pam method leads to it being
> logged.
>
> Is this a problem?

Not really. We could potentially fix it by extending the wire protocol
to allow the server to respond to the client's startup packet with a
further challenge, and extend libpq to report that challenge back to
the user and allow sending a response. But that would break
on-the-wire compatibility, which we haven't done in a good 10 years,
and certainly wouldn't be worthwhile just for this. We'd also need to
be careful not to create information leaks.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
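
For log triage, the behaviour discussed in this thread can be separated from rejected passwords by pairing each `FATAL: PAM authentication failed` line with the `pam_authenticate failed:` reason logged by the same backend. This is an added example, not part of the original message or of PostgreSQL; it assumes a `log_line_prefix` that includes the backend PID (`%m [%p] `), assumes Linux-PAM's "Authentication failure" string for a rejected password, and uses constructed log lines and hypothetical category names.

```python
import re

# Constructed sample log; assumes log_line_prefix = '%m [%p] ' so each line carries the backend PID.
SAMPLE_LOG = """\
2013-05-09 10:00:01.120 JST [4101] LOG:  pam_authenticate failed: Conversation error
2013-05-09 10:00:01.121 JST [4101] FATAL:  PAM authentication failed for user "amit"
2013-05-09 10:00:07.480 JST [4188] LOG:  pam_authenticate failed: Authentication failure
2013-05-09 10:00:07.481 JST [4188] FATAL:  PAM authentication failed for user "amit"
2013-05-09 10:00:09.900 JST [4190] LOG:  pam_authenticate failed: Authentication failure
2013-05-09 10:00:09.901 JST [4190] FATAL:  PAM authentication failed for user "postgres"
2013-05-09 10:00:12.000 JST [4200] FATAL:  PAM authentication failed for user "bob"
"""

LINE = re.compile(r"\[(?P<pid>\d+)\] (?P<sev>LOG|FATAL):\s+(?P<msg>.*)$")
PAM_ERR = re.compile(r"pam_authenticate failed: (.+)")
PAM_FATAL = re.compile(r'PAM authentication failed for user "([^"]*)"')


def classify_pam_failures(log_text):
    """Return (user, kind, pam_reason) for every PAM FATAL line in log_text."""
    pending = {}   # backend PID -> last pam_authenticate reason seen for it
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, sev, msg = m.group("pid", "sev", "msg")
        err = PAM_ERR.match(msg)
        fatal = PAM_FATAL.match(msg)
        if sev == "LOG" and err:
            pending[pid] = err.group(1).strip()
        elif sev == "FATAL" and fatal:
            # pop() so a later backend that reuses the PID does not inherit the reason
            reason = pending.pop(pid, None)
            if reason == "Conversation error":
                kind = "no-password-attempt"   # client connected without a password first
            elif reason is None:
                kind = "unknown"               # no paired LOG line; do not suppress
            else:
                kind = "failed-login"          # PAM rejected the supplied credentials
            results.append((fatal.group(1), kind, reason))
    return results


if __name__ == "__main__":
    for user, kind, reason in classify_pam_failures(SAMPLE_LOG):
        print(f"{user:10} {kind:20} {reason}")
```

Only the `no-password-attempt` entries correspond to the first passwordless connection described in the thread; the other categories should still feed failed-login alerting.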