New contrib module, auth_delay.

robertmhaas · robertmhaas · commit fe7a32fc87e6 · 2010-11-27T07:22:25.000-05:00
KaiGai Kohei, with a few changes by me.
diff --git a/contrib/Makefile b/contrib/Makefile
@@ -6,6 +6,7 @@ include $(top_builddir)/src/Makefile.global
 
 SUBDIRS = \
 		adminpack	\
+		auth_delay	\
 		auto_explain	\
 		btree_gin	\
 		btree_gist	\
diff --git a/contrib/README b/contrib/README
@@ -28,6 +28,11 @@ adminpack -
 	File and log manipulation routines, used by pgAdmin
 	by Dave Page <dpage@vale-housing.co.uk>
 
+auth_delay
+	Add a short delay after a failed authentication attempt, to make
+    make brute-force attacks on database passwords a bit harder.
+	by KaiGai Kohei <kaigai@ak.jp.nec.com>
+
 auto_explain -
 	Log EXPLAIN output for long-running queries
 	by Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp>
diff --git a/contrib/auth_delay/Makefile b/contrib/auth_delay/Makefile
@@ -0,0 +1,14 @@
+# contrib/auth_delay/Makefile
+
+MODULES = auth_delay
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/auth_delay
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/auth_delay/auth_delay.c b/contrib/auth_delay/auth_delay.c
@@ -0,0 +1,70 @@
+/* -------------------------------------------------------------------------
+ *
+ * auth_delay.c
+ *
+ * Copyright (C) 2010, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *		contrib/auth_delay/auth_delay.c
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "libpq/auth.h"
+#include "port.h"
+#include "utils/guc.h"
+#include "utils/timestamp.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
+
+/* GUC Variables */
+static int	auth_delay_milliseconds;
+
+/* Original Hook */
+static ClientAuthentication_hook_type	original_client_auth_hook = NULL;
+
+/*
+ * Check authentication
+ */
+static void
+auth_delay_checks(Port *port, int status)
+{
+	/*
+	 * Any other plugins which use ClientAuthentication_hook.
+	 */
+	if (original_client_auth_hook)
+		original_client_auth_hook(port, status);
+
+	/*
+	 * Inject a short delay if authentication failed.
+	 */
+	if (status != STATUS_OK)
+	{
+		pg_usleep(1000L * auth_delay_milliseconds);
+	}
+}
+
+/*
+ * Module Load Callback
+ */
+void
+_PG_init(void)
+{
+	/* Define custome GUC variables */
+	DefineCustomIntVariable("auth_delay.milliseconds",
+							"Milliseconds to delay before reporting authentication failure",
+							NULL,
+							&auth_delay_milliseconds,
+							0,
+							0, INT_MAX,
+							PGC_SIGHUP,
+							GUC_UNIT_MS,
+							NULL,
+							NULL);
+	/* Install Hooks */
+	original_client_auth_hook = ClientAuthentication_hook;
+	ClientAuthentication_hook = auth_delay_checks;
+}
diff --git a/doc/src/sgml/auth-delay.sgml b/doc/src/sgml/auth-delay.sgml
@@ -0,0 +1,67 @@
+<!-- doc/src/sgml/auth-delay.sgml -->
+
+<sect1 id="auth-delay">
+ <title>auth_delay</title>
+
+ <indexterm zone="auth-delay">
+  <primary>auth_delay</primary>
+ </indexterm>
+
+ <para>
+  <filename>auth_delay</filename> causes the server to pause briefly before
+  reporting authentication failure, to make brute-force attacks on database
+  passwords more difficult.  Note that it does nothing to prevent
+  denial-of-service attacks, and may even exacerbate them, since processes
+  that are waiting before reporting authentication failure will still consume
+  connection slots.
+ </para>
+
+ <para>
+  In order to function, this module must be loaded via 
+  <xref linkend="guc-shared-preload-libraries"> in <filename>postgresql.conf</>.
+ </para>
+
+ <sect2>
+  <title>Configuration parameters</title>
+
+  <variablelist>
+   <varlistentry>
+    <term>
+     <varname>auth_delay.milliseconds</varname> (<type>int</type>)
+    </term>
+    <indexterm>
+     <primary><varname>auth_delay.milliseconds</> configuration parameter</primary>
+    </indexterm>
+    <listitem>
+     <para>
+      The number of milliseconds to wait before reporting an authentication
+      failure.  The default is 0.
+     </para>
+    </listitem>
+   </varlistentry>
+  </variablelist>
+
+  <para>
+   In order to set these parameters in your <filename>postgresql.conf</> file,
+   you will need to add <literal>auth_delay</> to
+   <xref linkend="guc-custom-variable-classes">.  Typical usage might be:
+  </para>
+
+<programlisting>
+# postgresql.conf
+shared_preload_libraries = 'auth_delay'
+
+custom_variable_classes = 'auth_delay'
+auth_delay.milliseconds = '500'
+</programlisting>
+ </sect2>
+
+ <sect2>
+  <title>Author</title>
+
+  <para>
+   KaiGai Kohei <email>kaigai@ak.jp.nec.com</email>
+  </para>
+ </sect2>
+
+</sect1>
diff --git a/doc/src/sgml/contrib.sgml b/doc/src/sgml/contrib.sgml
@@ -81,6 +81,7 @@ psql -d dbname -f <replaceable>SHAREDIR</>/contrib/<replaceable>module</>.sql
  </para>
 
  &adminpack;
+ &auth-delay;
  &auto-explain;
  &btree-gin;
  &btree-gist;
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
@@ -93,6 +93,7 @@
 <!-- contrib information -->
 <!entity contrib         SYSTEM "contrib.sgml">
 <!entity adminpack       SYSTEM "adminpack.sgml">
+<!entity auth-delay      SYSTEM "auth-delay.sgml">
 <!entity auto-explain    SYSTEM "auto-explain.sgml">
 <!entity btree-gin       SYSTEM "btree-gin.sgml">
 <!entity btree-gist      SYSTEM "btree-gist.sgml">
