Re: [HACKERS] Authentication tests, and plain 'password' authentication with a SCRAM verifier

From: Heikki Linnakangas
Subject: Re: [HACKERS] Authentication tests, and plain 'password' authentication with a SCRAM verifier
Message-ID: a01f295f-3691-2ddf-513d-a3213e79c9da@iki.fi
In-Reply-To: Re: [HACKERS] Authentication tests, and plain 'password' authentication with a SCRAM verifier (Heikki Linnakangas <hlinnaka@iki.fi>)
List: pgsql-hackers
On 03/14/2017 09:25 PM, Heikki Linnakangas wrote:
> On 03/14/2017 09:02 PM, Jeff Janes wrote:
>> The message returned to the client for the wrong password differs between
>> pg_hba-set scram and pg_hba-set md5/password methods. Is that OK?
>>
>> psql: error received from server in SASL exchange: invalid-proof
>>
>> psql: FATAL: password authentication failed for user "test"
>
> Ah yeah, I was on the fence on that one. Currently, the server returns
> the invalid-proof error to the client, as defined in RFC5802. That
> results in that error message from libpq. Alternatively, the server
> could elog(FATAL), like the other authentication mechanisms do, with the
> same message. The RFC allows that behavior too but returning the
> invalid-proof error code is potentially more friendly to 3rd party SCRAM
> implementations.
>
> One option would be to recognize the "invalid-proof" message in libpq,
> and construct a more informative error message in libpq. Could use the
> same wording, "password authentication failed", but it would behave
> differently wrt. translation, at least.

I went ahead and changed the backend code to not send the "invalid-proof"
error. That seemed like the easiest fix for this. You now get the same
"password authentication failed" error as with MD5 and plain password
authentication.

- Heikki
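The two failure styles discussed in the message, shown as a complete SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677). This is an added illustration, not PostgreSQL or libpq code: the server verifies the ClientProof against a stored verifier (salt, iteration count, StoredKey, ServerKey) and, on mismatch, either answers with the RFC server-error `e=invalid-proof` in the server-final-message (the behaviour the patch originally had) or fails with the generic "password authentication failed" message the md5/password methods use (the behaviour the backend was changed to). The function names, the fixed nonces, the salt and the sample password are constructed for the example; the `rfc_error` flag exists only to switch between the two behaviours side by side.

```python
import base64
import hashlib
import hmac

ITERATIONS = 4096  # the iteration count PostgreSQL uses for SCRAM-SHA-256 verifiers


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


def unb64(text):
    return base64.b64decode(text)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_verifier(password, salt, iterations=ITERATIONS):
    """Server-side verifier: salt, iteration count, StoredKey and ServerKey.
    Neither the password nor SaltedPassword is retained."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": hmac_sha256(salted, b"Server Key"),
    }


def parse_attrs(msg):
    """'r=abc,s=xyz,i=4096' -> {'r': 'abc', 's': 'xyz', 'i': '4096'}"""
    return dict(part.split("=", 1) for part in msg.split(","))


def client_first_bare(user, client_nonce):
    # The full client-first-message is "n,," (no channel binding) + this bare part.
    return f"n={user},r={client_nonce}"


def server_first_message(verifier, client_nonce, server_nonce):
    return (f"r={client_nonce}{server_nonce},s={b64(verifier['salt'])},"
            f"i={verifier['iterations']}")


def client_final_message(password, first_bare, server_first):
    """Returns (client-final-message, expected ServerSignature).
    The client keeps the expected signature to authenticate the server later."""
    attrs = parse_attrs(server_first)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 unb64(attrs["s"]), int(attrs["i"]))
    client_key = hmac_sha256(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    without_proof = f"c=biws,r={attrs['r']}"  # "biws" is base64 of the "n,," gs2 header
    auth_message = f"{first_bare},{server_first},{without_proof}".encode("ascii")
    client_signature = hmac_sha256(stored_key, auth_message)
    proof = xor_bytes(client_key, client_signature)  # ClientProof = ClientKey XOR ClientSignature
    server_key = hmac_sha256(salted, b"Server Key")
    return f"{without_proof},p={b64(proof)}", hmac_sha256(server_key, auth_message)


def server_final_message(verifier, first_bare, server_first, client_final, rfc_error):
    """Verify the proof using only the stored verifier (the password is not needed)."""
    without_proof, proof_b64 = client_final.rsplit(",p=", 1)
    auth_message = f"{first_bare},{server_first},{without_proof}".encode("ascii")
    client_signature = hmac_sha256(verifier["stored_key"], auth_message)
    recovered_client_key = xor_bytes(unb64(proof_b64), client_signature)
    if not hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(),
                               verifier["stored_key"]):
        if rfc_error:
            return "e=invalid-proof"  # RFC 5802 server-error carried in server-final-message
        raise PermissionError("password authentication failed")  # generic, like md5/password
    return "v=" + b64(hmac_sha256(verifier["server_key"], auth_message))


def run_exchange(stored_password, tried_password, rfc_error=True, user="test"):
    """Drive a full exchange and return the outcome the client observes."""
    verifier = make_verifier(stored_password, salt=b"constructed-salt")
    c_nonce, s_nonce = "clientnonce123", "servernonce456"  # constructed; real ones are random
    first_bare = client_first_bare(user, c_nonce)
    server_first = server_first_message(verifier, c_nonce, s_nonce)
    client_final, expected_sig = client_final_message(tried_password, first_bare, server_first)
    try:
        server_final = server_final_message(verifier, first_bare, server_first,
                                            client_final, rfc_error)
    except PermissionError as exc:
        return f'FATAL: {exc} for user "{user}"'
    if server_final.startswith("e="):
        return f"error received from server in SASL exchange: {server_final[2:]}"
    if not hmac.compare_digest(unb64(server_final[2:]), expected_sig):
        return "server signature mismatch"  # server did not hold ServerKey
    return "authenticated"


if __name__ == "__main__":
    print(run_exchange("secret", "secret"))
    print(run_exchange("secret", "wrong", rfc_error=True))
    print(run_exchange("secret", "wrong", rfc_error=False))
```

Both failure paths reveal the same thing to the client (the proof did not verify), so the choice is about wording and interoperability rather than leakage; what matters for hardening is that the server only ever holds StoredKey and ServerKey, and that the client checks the `v=` ServerSignature so a server that lacks ServerKey cannot pass itself off as the real one.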