diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index ff0832dba8b260294b2c7b94950102dd97c3b413..852571bad6a5c962945bfdd4b2575529fc21c990 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -105,6 +105,7 @@ static const char *pam_passwd = NULL; /* Workaround for Solaris 2.6
* brokenness */
static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
* pam_passwd_conv_proc */
+static bool pam_no_password; /* For detecting no-password-given */
#endif /* USE_PAM */
@@ -2110,8 +2111,10 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,
{
/*
* Client didn't want to send password. We
- * intentionally do not log anything about this.
+ * intentionally do not log anything about this,
+ * either here or at higher levels.
*/
+ pam_no_password = true;
goto fail;
}
}
@@ -2170,6 +2173,7 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
*/
pam_passwd = password;
pam_port_cludge = port;
+ pam_no_password = false;
/*
* Set the application data portion of the conversation struct. This is
@@ -2255,22 +2259,26 @@ CheckPAMAuth(Port *port, const char *user, const char *password)
if (retval != PAM_SUCCESS)
{
- ereport(LOG,
- (errmsg("pam_authenticate failed: %s",
- pam_strerror(pamh, retval))));
+ /* If pam_passwd_conv_proc saw EOF, don't log anything */
+ if (!pam_no_password)
+ ereport(LOG,
+ (errmsg("pam_authenticate failed: %s",
+ pam_strerror(pamh, retval))));
pam_passwd = NULL; /* Unset pam_passwd */
- return STATUS_ERROR;
+ return pam_no_password ? STATUS_EOF : STATUS_ERROR;
}
retval = pam_acct_mgmt(pamh, 0);
if (retval != PAM_SUCCESS)
{
- ereport(LOG,
- (errmsg("pam_acct_mgmt failed: %s",
- pam_strerror(pamh, retval))));
+ /* If pam_passwd_conv_proc saw EOF, don't log anything */
+ if (!pam_no_password)
+ ereport(LOG,
+ (errmsg("pam_acct_mgmt failed: %s",
+ pam_strerror(pamh, retval))));
pam_passwd = NULL; /* Unset pam_passwd */
- return STATUS_ERROR;
+ return pam_no_password ? STATUS_EOF : STATUS_ERROR;
}
retval = pam_end(pamh, retval);