pgwire/auth: password auth leaks information

[knz]

The following error cases are reported to the client directly or indirectly, in a way that lets an attacker guess whether a user exists or not, or whether they have a password at all, etc:

• the user does not exist
• there was an error retrieving the password
• the password is empty (password auth cannot continue)
• the password is expired
• the password check has failed

All these cases must be replaced by a single error sent to the client "password auth has failed" - all these situations should be indistinguishable from each other from an attacker's perspective. (However, they must still be distinguished in the authentication logs.)

cc @aaron-crl

Jira issue: CRDB-4397

[ajstorm]

@knz Is this a Quick Win eligible for our BW bug bash? If so, would we need additional info added here as to how to test all of these modes?

[ajstorm]

@knz Does it make sense to remove the multi-tenant label here?

[knz]

this is not multitenant :) removing label.

[rafiss]

One possible exception might be the "there was an error retrieving the password" (specifically the login_timeout error). In that case the problem is most likely server-side and it's useful and important for the user to see that.

[github-actions]

We have marked this issue as stale because it has been inactive for
18 months. If this issue is still relevant, removing the stale label
or adding a comment will keep it active. Otherwise, we'll close it in
10 days to keep the issue queue tidy. Thank you for your contribution
to CockroachDB!