Discussion: Issues with PAM : log that it failed, whether it actually failed or not


Issues with PAM : log that it failed, whether it actually failed or not

From
La Cancellera Yoann
Date:

Hi,

 

I am having issues with PAM auth :

it works, passwords are correctly checked, unknown users cannot access, known users can, everything looks good



But, it always logs an error by default even if auth is successful:

2019-10-10 15:00:46.481 CEST [6109] LOG: pam_authenticate failed: Authentication failure
2019-10-10 15:00:46.481 CEST [6109] FATAL: PAM authentication failed for user "ylacancellera"
2019-10-10 15:00:46.481 CEST [6109] DETAIL: Connection matched pg_hba.conf line 5: "local all all pam"
2019-10-10 15:00:46.481 CEST [6109] LOG: could not send data to client: Broken pipe


And if auth is unsuccessful, it will log that very same message twice


My pg_hba is basically :

local   all   postgres   peer
local   all   all        pam


Any idea about this ? I suspect something is wrong

Thank you,

Re: Issues with PAM : log that it failed, whether it actually failed or not

From
Tom Lane
Date:
La Cancellera Yoann <lacancellera.yoann@gmail.com> writes:
> I am having issues with PAM auth :
> it works, passwords are correctly checked, unknown users cannot access,
> known users can, everything looks good
> But, it always logs an error by default even if auth is successful:
> And if auth is unsuccessful, it will log that very same message twice

Those aren't errors, they're just log events.

If you're using psql to connect, the extra messages aren't surprising,
because psql will first try to connect without a password, and only
if it gets a failure that indicates that a password is needed will
it prompt the user for a password (so two connection attempts occur,
even if the second one is successful).  You can override that default
behavior with the -W switch, and I bet that will make the extra
log messages go away.

Having said that, using LOG level for unsurprising auth failures
seems excessively chatty.  More-commonly-used auth methods aren't
that noisy.

            regards, tom lane
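
The following is an added example, not part of the thread and not PostgreSQL code: a log triage sketch that separates the passwordless first attempt described above from PAM failures that were never followed by a successful login. It assumes the log line format shown in the thread and that `log_connections` is enabled so successes are logged; the function name, the 60-second window and the extra sample lines are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Assumes the '%m [%p] ' prefix seen in the thread and log_connections = on,
# so successful logins appear as "connection authorized: user=...".
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\d+\] (\w+):\s+(.*)$")
FAILED = re.compile(r'PAM authentication failed for user "([^"]+)"')
AUTHORIZED = re.compile(r"connection authorized: user=(\S+)")

def classify_pam_failures(lines, window=timedelta(seconds=60)):
    """Split PAM failures into (probes, failures), lists of (timestamp, user).
    A failure is a probe only if it is the last failure for that user before a
    successful login within `window`; each success absorbs at most one failure,
    so a run of wrong guesses that ends in a success is still reported.
    Lines are expected in chronological order, as in a log file.
    """
    probes, failures, pending = [], [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        level, msg = m.group(2), m.group(3)
        failed = FAILED.search(msg) if level == "FATAL" else None
        ok = AUTHORIZED.search(msg) if level == "LOG" else None
        if failed:
            user = failed.group(1)
            if user in pending:  # earlier failure was not followed by a success
                failures.append(pending[user])
            pending[user] = (ts, user)
        elif ok and ok.group(1) in pending:
            prev = pending.pop(ok.group(1))
            (probes if ts - prev[0] <= window else failures).append(prev)
    failures.extend(pending.values())  # failures never followed by a success
    return probes, sorted(failures)

# Constructed sample: the first two lines are the ones quoted in the thread,
# the rest (including the user "mallory") are made up for illustration.
SAMPLE = """\
2019-10-10 15:00:46.481 CEST [6109] LOG: pam_authenticate failed: Authentication failure
2019-10-10 15:00:46.481 CEST [6109] FATAL: PAM authentication failed for user "ylacancellera"
2019-10-10 15:00:49.102 CEST [6112] LOG:  connection authorized: user=ylacancellera database=postgres
2019-10-10 15:02:10.000 CEST [6120] FATAL:  PAM authentication failed for user "mallory"
2019-10-10 15:02:13.500 CEST [6121] FATAL:  PAM authentication failed for user "mallory"
""".splitlines()

if __name__ == "__main__":
    probes, failures = classify_pam_failures(SAMPLE)
    print("probes:", [u for _, u in probes], "failures:", [u for _, u in failures])
```

A wrong password typed at the psql prompt still produces two failure entries here, matching the behaviour reported in the thread, so counts per user should be read with that in mind.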