Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/Makefile | 1 | ||||
| -rw-r--r-- | contrib/README | 5 | ||||
| -rw-r--r-- | contrib/auth_delay/Makefile | 14 | ||||
| -rw-r--r-- | contrib/auth_delay/auth_delay.c | 70 |
4 files changed, 90 insertions, 0 deletions
diff --git a/contrib/Makefile b/contrib/Makefile index e1f2a84cde3..5747bcc6ad5 100644 --- a/contrib/Makefile +++ b/contrib/Makefile @@ -6,6 +6,7 @@ include $(top_builddir)/src/Makefile.global SUBDIRS = \ adminpack \ + auth_delay \ auto_explain \ btree_gin \ btree_gist \ diff --git a/contrib/README b/contrib/README index 6d29cfe2b31..9e223ef32d5 100644 --- a/contrib/README +++ b/contrib/README @@ -28,6 +28,11 @@ adminpack - File and log manipulation routines, used by pgAdmin by Dave Page <dpage@vale-housing.co.uk> +auth_delay + Add a short delay after a failed authentication attempt, to make + make brute-force attacks on database passwords a bit harder. + by KaiGai Kohei <kaigai@ak.jp.nec.com> + auto_explain - Log EXPLAIN output for long-running queries by Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp> diff --git a/contrib/auth_delay/Makefile b/contrib/auth_delay/Makefile new file mode 100644 index 00000000000..09d2d5418c5 --- /dev/null +++ b/contrib/auth_delay/Makefile @@ -0,0 +1,14 @@ +# contrib/auth_delay/Makefile + +MODULES = auth_delay + +ifdef USE_PGXS +PG_CONFIG = pg_config +PGXS := $(shell $(PG_CONFIG) --pgxs) +include $(PGXS) +else +subdir = contrib/auth_delay +top_builddir = ../.. +include $(top_builddir)/src/Makefile.global +include $(top_srcdir)/contrib/contrib-global.mk +endif diff --git a/contrib/auth_delay/auth_delay.c b/contrib/auth_delay/auth_delay.c new file mode 100644 index 00000000000..09191bd250e --- /dev/null +++ b/contrib/auth_delay/auth_delay.c 
@@ -0,0 +1,70 @@
+/* -------------------------------------------------------------------------
+ *
+ * auth_delay.c
+ *
+ * Copyright (C) 2010, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ * contrib/auth_delay/auth_delay.c
+ *
+ * -------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "libpq/auth.h"
+#include "port.h"
+#include "utils/guc.h"
+#include "utils/timestamp.h"
+
+PG_MODULE_MAGIC;
+
+void _PG_init(void);
+
+/* GUC Variables */
+static int auth_delay_milliseconds;
+
+/* Original Hook */
+static ClientAuthentication_hook_type original_client_auth_hook = NULL;
+
+/*
+ * Check authentication
+ */
+static void
+auth_delay_checks(Port *port, int status)
+{
+ /*
+ * Any other plugins which use ClientAuthentication_hook.
+ */
+ if (original_client_auth_hook)
+ original_client_auth_hook(port, status);
+
+ /*
+ * Inject a short delay if authentication failed.
+ */
+ if (status != STATUS_OK)
+ {
+ pg_usleep(1000L * auth_delay_milliseconds);
+ }
+}
+
+/*
+ * Module Load Callback
+ */
+void
+_PG_init(void)
+{
+ /* Define custome GUC variables */
+ DefineCustomIntVariable("auth_delay.milliseconds",
+ "Milliseconds to delay before reporting authentication failure",
+ NULL,
+ &auth_delay_milliseconds,
+ 0,
+ 0, INT_MAX,
+ PGC_SIGHUP,
+ GUC_UNIT_MS,
+ NULL,
+ NULL);
+ /* Install Hooks */
+ original_client_auth_hook = ClientAuthentication_hook;
+ ClientAuthentication_hook = auth_delay_checks;
+}
|
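Review bot: The `INT_MAX` upper bound passed to DefineCustomIntVariable in _PG_init lets `1000L * auth_delay_milliseconds` in auth_delay_checks overflow on any platform where `long` is 32 bits. That is signed-overflow undefined behaviour, and it can produce a wrong or negative sleep length instead of the configured delay. Capping the setting so the product always fits removes the problem: `0, INT_MAX / 1000,`. Separately, the comment above the pg_usleep call should say that the backend appears to keep its connection slot for the whole sleep, so a burst of failed logins can hold slots for the configured delay. A line such as `/* NB: the backend still occupies a connection slot while sleeping; keep the delay short. */` would tell operators why the value should stay small.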
