Thread: pgsql: Rewrite pam_passwd_conv_proc to be more robust: avoid assuming
pgsql: Rewrite pam_passwd_conv_proc to be more robust: avoid assuming
From
tgl@postgresql.org (Tom Lane)
Date:
Log Message:
-----------
Rewrite pam_passwd_conv_proc to be more robust: avoid assuming that the
pam_message array contains exactly one PAM_PROMPT_ECHO_OFF message.
Instead, deal with however many messages there are, and don't throw error
for PAM_ERROR_MSG and PAM_TEXT_INFO messages. This logic is borrowed from
openssh 5.2p1, which hopefully has seen more real-world PAM usage than we
have. Per bug #5121 from Ryan Douglas, which turned out to be caused by
the conv_proc being called with zero messages. Apparently that is normal
behavior given the combination of Linux pam_krb5 with MS Active Directory
as the domain controller.
Patch all the way back, since this code has been essentially untouched
since 7.4. (Surprising we've not heard complaints before.)
Tags:
----
REL7_4_STABLE
Modified Files:
--------------
pgsql/src/backend/libpq:
auth.c (r1.112.2.1 -> r1.112.2.2)
(http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/libpq/auth.c?r1=1.112.2.1&r2=1.112.2.2)