Provide more detail in postmaster log for password authentication failures.

We tell people to examine the postmaster log if they're unsure why they are getting auth failures, but actually only a few relatively-uncommon failure cases were given their own log detail messages in commit 64e43c59. Expand on that so that every failure case detected within md5_crypt_verify gets a specific log detail message. This should cover pretty much every ordinary password auth failure cause. So far I've not noticed user demand for a similar level of auth detail for the other auth methods, but sooner or later somebody might want to work on them. This is not that patch, though.

Provide more detail in postmaster log for password authentication failures.
We tell people to examine the postmaster log if they're unsure why they are getting auth failures, but actually only a few relatively-uncommon failure cases were given their own log detail messages in commit 64e43c59. Expand on that so that every failure case detected within md5_crypt_verify gets a specific log detail message. This should cover pretty much every ordinary password auth failure cause. So far I've not noticed user demand for a similar level of auth detail for the other auth methods, but sooner or later somebody might want to work on them. This is not that patch, though.
5e0b5dca · Tom Lane · a9676139 · 5e0b5dca
Commit 5e0b5dca authored Jan 07, 2016 by Tom Lane
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

src/backend/libpq/crypt.c src/backend/libpq/crypt.c +15 -1

No files found.
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -50,7 +50,11 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 	/* Get role info from pg_authid */
 	roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
 	if (!HeapTupleIsValid(roleTup))
+	{
+		*logdetail = psprintf(_("Role \"%s\" does not exist."),
+							  role);
 		return STATUS_ERROR;	/* no such user */
+	}

 	datum = SysCacheGetAttr(AUTHNAME, roleTup,
 							Anum_pg_authid_rolpassword, &isnull);
@@ -71,13 +75,20 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 	ReleaseSysCache(roleTup);

 	if (*shadow_pass == '\0')
+	{
+		*logdetail = psprintf(_("User \"%s\" has an empty password."),
+							  role);
 		return STATUS_ERROR;	/* empty password */
+	}

 	CHECK_FOR_INTERRUPTS();

 	/*
 	 * Compare with the encrypted or plain password depending on the
-	 * authentication method being used for this connection.
+	 * authentication method being used for this connection.  (We do not
+	 * bother setting logdetail for pg_md5_encrypt failure: the only possible
+	 * error is out-of-memory, which is unlikely, and if it did happen adding
+	 * a psprintf call would only make things worse.)
 	 */
 	switch (port->hba->auth_method)
 	{
@@ -154,6 +165,9 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
 		else
 			retval = STATUS_OK;
 	}
+	else
+		*logdetail = psprintf(_("Password does not match for user \"%s\"."),
+							  role);

 	if (port->hba->auth_method == uaMD5)
 		pfree(crypt_pwd);