| From: | Markus Wanner <markus(at)bluegap(dot)ch> |
|---|---|
| To: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
| Cc: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Change authentication error message (patch) |
| Date: | 2013-06-20 06:47:16 |
| Message-ID: | 51C2A574.9060904@bluegap.ch |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 06/20/2013 12:51 AM, Jeff Janes wrote:
> I think we need to keep the first "password". "Password authentication"
> is a single thing, it is the authentication method attempted. It is the
> password method (which includes MD5) which failed, as opposed to the
> LDAP method or the Peer method or one of the other methods.
That's against the rule of not revealing any more knowledge than a
potential attacker already has, no? For that reason, I'd rather go with
just "authentication failed".
> Without this level of explicitness, it might be hard to figure out which
> row in pg_hba.conf was the one that PostgreSQL glommed onto to use for
> authentication.
As argued before, that should go into the logs for diagnosis by the
sysadmin, but should not be revealed to an attacker.
Regards
Markus Wanner
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Thomas Munro | 2013-06-20 07:05:27 | Re: Re: Adding IEEE 754:2008 decimal floating point and hardware support for it |
| Previous Message | Simon Riggs | 2013-06-20 06:43:50 | Re: Re: Adding IEEE 754:2008 decimal floating point and hardware support for it |