Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
elog(FATAL)ing non-existent roles during client authentication
- From: Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>
- To: pgsql-hackers(at)postgresql(dot)org
- Subject: elog(FATAL)ing non-existent roles during client authentication
- Date: Thu, 30 Nov 2006 14:33:26 +1100 (EST)
Hi all, I noticed that during client authentication by HBA, some times we will necessarily determine whether or not a role exists. For example, password, crypt and md5 auth methods call get_role_line() which tells the caller whether the role exists. If it doesn't (or if the authentication fails due to a password mismatch) we error out. I wonder if we should check if the role exists for the other authentication methods too? get_role_line() should be very cheap and it would prevent unnecessary authentication work if we did it before contacting, for example, the client ident server. Even with trust, it would save work because otherwise we do not check if the user exists until InitializeSessionUserId(), at which time we're set up our proc entry etc. This might seem overly pessimistic, I know, but it seemed to me that a malicious user on a local network might be able to tie up a system in interesting ways by launching lots of connections without necessarily knowing any usernames/passwords. Thanks, Gavin
- Follow-Ups:
- Prev by Date: Re: Regarding PQputline and PQendcopy
- Next by Date: SSL and cert chains
- Previous by thread: Re: [PATCHES] this patch correct upper and lower case for translated month's and day's names
- Next by thread: Re: elog(FATAL)ing non-existent roles during client authentication
- Indexes: