From fe7a32fc87e68edf014ee7e575f92cb027437ff4 Mon Sep 17 00:00:00 2001 From: Robert Haas Date: Sat, 27 Nov 2010 07:22:25 -0500 Subject: [PATCH] New contrib module, auth_delay. KaiGai Kohei, with a few changes by me. --- contrib/Makefile | 1 + contrib/README | 5 +++ contrib/auth_delay/Makefile | 14 +++++++ contrib/auth_delay/auth_delay.c | 70 +++++++++++++++++++++++++++++++++ doc/src/sgml/auth-delay.sgml | 67 +++++++++++++++++++++++++++++++ doc/src/sgml/contrib.sgml | 1 + doc/src/sgml/filelist.sgml | 1 + 7 files changed, 159 insertions(+) create mode 100644 contrib/auth_delay/Makefile create mode 100644 contrib/auth_delay/auth_delay.c create mode 100644 doc/src/sgml/auth-delay.sgml diff --git a/contrib/Makefile b/contrib/Makefile index e1f2a84cde3..5747bcc6ad5 100644 --- a/contrib/Makefile +++ b/contrib/Makefile @@ -6,6 +6,7 @@ include $(top_builddir)/src/Makefile.global SUBDIRS = \ adminpack \ + auth_delay \ auto_explain \ btree_gin \ btree_gist \ diff --git a/contrib/README b/contrib/README index 6d29cfe2b31..9e223ef32d5 100644 --- a/contrib/README +++ b/contrib/README @@ -28,6 +28,11 @@ adminpack - File and log manipulation routines, used by pgAdmin by Dave Page +auth_delay + Add a short delay after a failed authentication attempt, to make + make brute-force attacks on database passwords a bit harder. + by KaiGai Kohei + auto_explain - Log EXPLAIN output for long-running queries by Takahiro Itagaki diff --git a/contrib/auth_delay/Makefile b/contrib/auth_delay/Makefile new file mode 100644 index 00000000000..09d2d5418c5 --- /dev/null +++ b/contrib/auth_delay/Makefile @@ -0,0 +1,14 @@ +# contrib/auth_delay/Makefile + +MODULES = auth_delay + +ifdef USE_PGXS +PG_CONFIG = pg_config +PGXS := $(shell $(PG_CONFIG) --pgxs) +include $(PGXS) +else +subdir = contrib/auth_delay +top_builddir = ../.. +include $(top_builddir)/src/Makefile.global +include $(top_srcdir)/contrib/contrib-global.mk +endif 
diff --git a/contrib/auth_delay/auth_delay.c b/contrib/auth_delay/auth_delay.c
new file mode 100644
index 00000000000..09191bd250e
--- /dev/null
+++ b/contrib/auth_delay/auth_delay.c
@@ -0,0 +1,70 @@
+/* -------------------------------------------------------------------------
+ *
+ * auth_delay.c
+ *
+ * Copyright (C) 2010, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ * contrib/auth_delay/auth_delay.c
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "libpq/auth.h"
+#include "port.h"
+#include "utils/guc.h"
+#include "utils/timestamp.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
+
+/* GUC Variables */
+static int auth_delay_milliseconds;
+
+/* Original Hook */
+static ClientAuthentication_hook_type original_client_auth_hook = NULL;
+
+/*
+ * Check authentication
+ */
+static void
+auth_delay_checks(Port *port, int status)
+{
+ /*
+ * Any other plugins which use ClientAuthentication_hook.
+ */
+ if (original_client_auth_hook)
+ original_client_auth_hook(port, status);
+
+ /*
+ * Inject a short delay if authentication failed.
+ */
+ if (status != STATUS_OK)
+ {
+ pg_usleep(1000L * auth_delay_milliseconds);
+ }
+}
+
+/*
+ * Module Load Callback
+ */
+void
+_PG_init(void)
+{
+ /* Define custome GUC variables */
+DefineCustomIntVariable("auth_delay.milliseconds",
+ "Milliseconds to delay before reporting authentication failure",
+ NULL,
+ &auth_delay_milliseconds,
+ 0,
+ 0, INT_MAX,
+ PGC_SIGHUP,
+ GUC_UNIT_MS,
+ NULL,
+ NULL);
+ /* Install Hooks */
+ original_client_auth_hook = ClientAuthentication_hook;
+ ClientAuthentication_hook = auth_delay_checks;
+}
diff --git a/doc/src/sgml/auth-delay.sgml b/doc/src/sgml/auth-delay.sgml
new file mode 100644
index 00000000000..683fa494ee7
--- /dev/null
+++ b/doc/src/sgml/auth-delay.sgml
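Review bot: `pg_usleep(1000L * auth_delay_milliseconds)` in auth_delay_checks can overflow: the GUC is an int whose upper bound in _PG_init is `INT_MAX`, and on platforms where `long` is 32 bits the multiplication is signed overflow (undefined behaviour), in practice yielding a negative or near-zero sleep so the configured delay silently disappears for large settings. The cheapest fix is to bound the GUC so the microsecond value always fits in a long, i.e. change the range line to `0, INT_MAX / 1000,`. The comment in the same function has a typo; it should read `/* Define custom GUC variables */`. Note also that the delay runs only if the chained hook returns normally, so a preceding hook that reports the failure itself would bypass it, which is worth a one-line comment above the `original_client_auth_hook(port, status)` call.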
@@ -0,0 +1,67 @@ + + + + auth_delay + + + auth_delay + + + + auth_delay causes the server to pause briefly before + reporting authentication failure, to make brute-force attacks on database + passwords more difficult. Note that it does nothing to prevent + denial-of-service attacks, and may even exacerbate them, since processes + that are waiting before reporting authentication failure will still consume + connection slots. + + + + In order to function, this module must be loaded via + in postgresql.conf. + + + + Configuration parameters + + + + + auth_delay.milliseconds (int) + + + auth_delay.milliseconds configuration parameter + + + + The number of milliseconds to wait before reporting an authentication + failure. The default is 0. + + + + + + + In order to set these parameters in your postgresql.conf file, + you will need to add auth_delay to + . Typical usage might be: + + + +# postgresql.conf +shared_preload_libraries = 'auth_delay' + +custom_variable_classes = 'auth_delay' +auth_delay.milliseconds = '500' + + + + + Author + + + KaiGai Kohei kaigai@ak.jp.nec.com + + + + diff --git a/doc/src/sgml/contrib.sgml b/doc/src/sgml/contrib.sgml index a7c2a1d43eb..d78847395e5 100644 --- a/doc/src/sgml/contrib.sgml +++ b/doc/src/sgml/contrib.sgml @@ -81,6 +81,7 @@ psql -d dbname -f SHAREDIR/contrib/module.sql &adminpack; + &auth-delay; &auto-explain; &btree-gin; &btree-gist; diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml index 4361991ea99..aa2d801deb7 100644 --- a/doc/src/sgml/filelist.sgml +++ b/doc/src/sgml/filelist.sgml @@ -93,6 +93,7 @@ +