diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index c61ba31db64..1530e082663 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -88,6 +88,7 @@ static struct pam_conv pam_passw_conv = { static char *pam_passwd = NULL; /* Workaround for Solaris 2.6 brokenness */ static Port *pam_port_cludge; /* Workaround for passing "Port *port" into * pam_passwd_conv_proc */ +static bool pam_no_password; /* For detecting no-password-given */ #endif /* USE_PAM */ @@ -1841,8 +1842,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg, { /* * Client didn't want to send password. We - * intentionally do not log anything about this. + * intentionally do not log anything about this, + * either here or at higher levels. */ + pam_no_password = true; goto fail; } } @@ -1901,6 +1904,7 @@ CheckPAMAuth(Port *port, char *user, char *password) */ pam_passwd = password; pam_port_cludge = port; + pam_no_password = false; /* * Set the application data portion of the conversation struct. This is @@ -1986,22 +1990,26 @@ CheckPAMAuth(Port *port, char *user, char *password) if (retval != PAM_SUCCESS) { - ereport(LOG, - (errmsg("pam_authenticate failed: %s", - pam_strerror(pamh, retval)))); + /* If pam_passwd_conv_proc saw EOF, don't log anything */ + if (!pam_no_password) + ereport(LOG, + (errmsg("pam_authenticate failed: %s", + pam_strerror(pamh, retval)))); pam_passwd = NULL; /* Unset pam_passwd */ - return STATUS_ERROR; + return pam_no_password ? STATUS_EOF : STATUS_ERROR; } retval = pam_acct_mgmt(pamh, 0); if (retval != PAM_SUCCESS) { - ereport(LOG, - (errmsg("pam_acct_mgmt failed: %s", - pam_strerror(pamh, retval)))); + /* If pam_passwd_conv_proc saw EOF, don't log anything */ + if (!pam_no_password) + ereport(LOG, + (errmsg("pam_acct_mgmt failed: %s", + pam_strerror(pamh, retval)))); pam_passwd = NULL; /* Unset pam_passwd */ - return STATUS_ERROR; + return pam_no_password ? STATUS_EOF : STATUS_ERROR; } retval = pam_end(pamh, retval);