Discussion: Two round for Client Authentication

Two round for Client Authentication

From
Yinjie Lin
Date:
Hello everyone.

I am a newcomer to PostgreSQL, and I don't know if it is proper to post my question here, but I really need some help.

Currently I am reading and testing code about Client Authentication, but I find that there are two progresses forked if I login using psql, while only one progress is forked if using pgAdmin.

My pg_hba.conf is as follows:
local  all  all                               md5
host  all  all  192.168.64.56/32  md5

If I login with psql, the following stack is called twice:
    ServerLoop
    BackendStartup
    BackendRun
    PostgresMain
    InitPostgres
    PerformAuthentication
    ClientAuthentication

In the first round, the variable `status` in function ClientAuthentication() is always STATUS_EOF (at least in my test). In the second round, `status` seems to be what should be expected: STATUS_OK for correct password, STATUS_ERROR for wrong password, and STATUS_EOF for empty password.

Why are there two such progresses forked? I think one round should be enough, like when using pgAdmin.

Besides, I find it hard to debug the ServerLoop() stack, compared with the backend progress for query, because there are too many subprogresses and signals. It would be of great help if anyone could give me some instructions on how to learn to debug postmaster using gdb.

Thanks in advance!

Best Regards


Re: Two round for Client Authentication

From
Marko Tiikkaja
Date:
On Thu, Jun 14, 2018 at 7:12 AM, Yinjie Lin <exialin37@gmail.com> wrote:
> Currently I am reading and testing code about Client Authentication, but I find that there are two progresses forked if I login using psql, while only one progress is forked if using pgAdmin.

If psql finds the server asks for a password, it closes the first connection, displays a password prompt to the user, and then does another connection attempt with the password the user entered.  You can avoid the first attempt with the -W flag; though there's usually no reason to do that in practice.


.m

Re: Two round for Client Authentication

From
"David G. Johnston"
Date:
On Wednesday, June 13, 2018, Yinjie Lin <exialin37@gmail.com> wrote:
> Why are there two such progresses forked? I think one round should be enough, like when using pgAdmin.

You can use the --password option to prevent it.

"""
This option is never essential, since psql will automatically prompt for a password if the server demands password authentication. However, psql will waste a connection attempt finding out that the server wants a password. In some cases it is worth typing -W to avoid the extra connection attempt.
"""

In pgAdmin you've saved a password to the profile so the initial attempt uses it.  psql doesn't have a similar capability.  Though I am unsure whether the use of .pgpass would make any difference here...

David J.

Re: Two round for Client Authentication

From
Yinjie Lin
Date:
Many thanks to Marko and David for your reply. It really helped.

Now I am playing with extension auth_delay, which uses ClientAuthentication_hook. But I find it not easy to distinguish the first connection of psql from the second one with empty password, since the variable 'status' is STATUS_EOF in both. Maybe I should dive into the code deeper.

Regards,
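
An added example, not part of the thread and not PostgreSQL or psql code: a toy model of the md5 exchange in the v3 wire protocol, showing which status the server side sees for each connection psql opens, with and without -W. The function names, the fixed salt and the returned status strings are assumptions for illustration; treating an empty password as the client sending nothing is modelled on the STATUS_EOF observation reported in the thread.

```python
import hashlib
import hmac
import struct

AUTH_MD5 = 5  # auth code carried by the AuthenticationMD5Password message

def auth_md5_request(salt):
    # Server -> client: 'R', Int32 length (12), Int32 code 5, 4-byte salt.
    return b"R" + struct.pack("!II", 12, AUTH_MD5) + salt

def md5_response(user, password, salt):
    # "md5" + hex(md5(hex(md5(password + user)) + salt))
    inner = hashlib.md5((password + user).encode()).hexdigest().encode()
    return "md5" + hashlib.md5(inner + salt).hexdigest()

def password_message(response):
    # Client -> server: 'p', Int32 length (counts itself), NUL-terminated string.
    body = response.encode() + b"\0"
    return b"p" + struct.pack("!I", 4 + len(body)) + body

def server_status(received, user, stored_password, salt):
    # Toy stand-in for the outcome ClientAuthentication() reports.
    if not received:
        return "STATUS_EOF"  # socket closed before any PasswordMessage arrived
    (length,) = struct.unpack("!I", received[1:5])
    answer = received[5:length].decode()  # body without its trailing NUL
    expected = md5_response(user, stored_password, salt)
    return "STATUS_OK" if hmac.compare_digest(answer, expected) else "STATUS_ERROR"

def psql_rounds(user, typed, stored, force_prompt=False):
    # Returns the status the server sees for each connection psql opens.
    salt = b"\x01\x02\x03\x04"  # constructed; a real server picks a random salt
    statuses = []
    if not force_prompt:
        # Round 1: no password yet. psql reads the request, then disconnects.
        request = auth_md5_request(salt)
        assert request[:1] == b"R" and struct.unpack("!I", request[5:9])[0] == AUTH_MD5
        statuses.append(server_status(b"", user, stored, salt))
    # Round 2 (the only round with -W): answer with what the user typed.
    # Assumption: an empty password means the client sends nothing at all.
    sent = password_message(md5_response(user, typed, salt)) if typed else b""
    statuses.append(server_status(sent, user, stored, salt))
    return statuses
```

In this model the first connection and an empty-password second connection both end in STATUS_EOF, which is why a hook that looks only at the status value cannot tell them apart.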