| Lists: | pgsql-hackers |
|---|
| From: | Bill Moran <wmoran(at)potentialtech(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Can we improve this error message? |
| Date: | 2016-04-17 19:28:30 |
| Message-ID: | 20160417152830.10294c7125b551267ff73fd7@potentialtech.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Here's an interesting scenario I happened across recently.
If you have a single line in the pg_hba.conf:
hostssl all all 0.0.0.0/0 md5
Attempting to log in with an incorrect password results in an
error message about there not being a pg_hba.conf entry for the
user.
Reading carefully, the error message states that there's no
pg_hba.conf for the user with **ssl off**.
What I believe is happening, is that the pg connection libs
first try to connect via ssl and get a password failed error,
then fallback to trying to connect without ssl, and get a "no
pg_hba.conf entry" error. The problem is that the second error
masks the first one, hiding the real cause of the connection
failure, and causing a lot of confusion.
If we could keep both errors and report them both, I feel like
it would be an improvement to our client library behavior.
--
Bill Moran
| From: | Andreas Karlsson <andreas(at)proxel(dot)se> |
|---|---|
| To: | Bill Moran <wmoran(at)potentialtech(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Can we improve this error message? |
| Date: | 2016-04-26 01:01:05 |
| Message-ID: | 571EBDD1.4000800@proxel.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
On 04/17/2016 09:28 PM, Bill Moran wrote:
> If you have a single line in the pg_hba.conf:
>
> hostssl all all 0.0.0.0/0 md5
>
> Attempting to log in with an incorrect password results in an
> error message about there not being a pg_hba.conf entry for the
> user.
>
> Reading carefully, the error message states that there's no
> pg_hba.conf for the user with **ssl off**.
>
> What I believe is happening, is that the pg connection libs
> first try to connect via ssl and get a password failed error,
> then fallback to trying to connect without ssl, and get a "no
> pg_hba.conf entry" error. The problem is that the second error
> masks the first one, hiding the real cause of the connection
> failure, and causing a lot of confusion.
>
> If we could keep both errors and report them both, I feel like
> it would be an improvement to our client library behavior.
I got both the messages when I tried this with psql. What did you do
when you only got the second message?
Output:
psql: FATAL: password authentication failed for user "andreas"
FATAL: no pg_hba.conf entry for host "127.0.0.1", user "andreas",
database "postgres", SSL off
Andreas
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andreas Karlsson <andreas(at)proxel(dot)se> |
| Cc: | Bill Moran <wmoran(at)potentialtech(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Can we improve this error message? |
| Date: | 2016-04-26 02:40:52 |
| Message-ID: | 6644.1461638452@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Andreas Karlsson <andreas(at)proxel(dot)se> writes:
> On 04/17/2016 09:28 PM, Bill Moran wrote:
>> What I believe is happening, is that the pg connection libs
>> first try to connect via ssl and get a password failed error,
>> then fallback to trying to connect without ssl, and get a "no
>> pg_hba.conf entry" error. The problem is that the second error
>> masks the first one, hiding the real cause of the connection
>> failure, and causing a lot of confusion.
> I got both the messages when I tried this with psql. What did you do
> when you only got the second message?
Maybe Bill tried it with a rather old libpq? This rings a bell
as being something we fixed awhile back.
regards, tom lane
| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Bill Moran <wmoran(at)potentialtech(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Andreas Karlsson <andreas(at)proxel(dot)se> |
| Subject: | Re: Can we improve this error message? |
| Date: | 2016-04-26 07:00:55 |
| Message-ID: | CABUevEw1m6=FBq+ywbKhB+_x4aroVvzPmCzJmdAJRhnErfq+4Q@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
On Apr 26, 2016 4:41 AM, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Andreas Karlsson <andreas(at)proxel(dot)se> writes:
> > On 04/17/2016 09:28 PM, Bill Moran wrote:
> >> What I believe is happening, is that the pg connection libs
> >> first try to connect via ssl and get a password failed error,
> >> then fallback to trying to connect without ssl, and get a "no
> >> pg_hba.conf entry" error. The problem is that the second error
> >> masks the first one, hiding the real cause of the connection
> >> failure, and causing a lot of confusion.
>
> > I got both the messages when I tried this with psql. What did you do
> > when you only got the second message?
>
> Maybe Bill tried it with a rather old libpq? This rings a bell
> as being something we fixed awhile back.
>
Yeah, libpq used to keep just one error message. Iirc, this was changed
quite long ago though, but I guess if it's a really old libpq..
/Magnus