From 5c1b71eb4b45718dc42ffa2568d4d542e34616b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alfonso=20Subiotto=20Marqu=C3=A9s?=
Date: Wed, 21 Dec 2016 13:46:59 -0500
Subject: [PATCH] security: make error message clearer

https://github.com/cockroachdb/docs/issues/930 brought to attention that the error message returned when attempting to use password authentication as the root user was confusing because it was not clear that certificate authentication must be used instead.
---
 pkg/cli/interactive_tests/test_secure.tcl | 2 +-
 pkg/security/auth.go | 2 +-
 pkg/sql/pgwire_test.go | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/cli/interactive_tests/test_secure.tcl b/pkg/cli/interactive_tests/test_secure.tcl
index 7d991bbbed2d..c18a67308bc7 100644
--- a/pkg/cli/interactive_tests/test_secure.tcl
+++ b/pkg/cli/interactive_tests/test_secure.tcl
@@ -49,7 +49,7 @@ eexpect $prompt
 # Root can only authenticate using certificate authentication.
 send "$argv sql --ca-cert=$ca_crt\r"
-eexpect "user root must authenticate using a client certificate"
+eexpect "user root must use certificate authentication instead of password authentication"
 eexpect $prompt
diff --git a/pkg/security/auth.go b/pkg/security/auth.go
index 693d39a969e4..2bbef291b13d 100644
--- a/pkg/security/auth.go
+++ b/pkg/security/auth.go
@@ -136,7 +136,7 @@ func UserAuthPasswordHook(insecureMode bool, password string, hashedPassword []b
 }
 if requestedUser == RootUser {
- return errors.Errorf("user %s must authenticate using a client certificate ", RootUser)
+ return errors.Errorf("user %s must use certificate authentication instead of password authentication", RootUser)
 }
 // If the requested user has an empty password, disallow authentication.
diff --git a/pkg/sql/pgwire_test.go b/pkg/sql/pgwire_test.go
index 1d341cefaf1f..1d7b2ae9f427 100644
--- a/pkg/sql/pgwire_test.go
+++ b/pkg/sql/pgwire_test.go
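Review bot: The check `if requestedUser == RootUser {` in `UserAuthPasswordHook` has no comment stating the policy it enforces, unlike the empty-password case just below it; a line such as `// The root user may only authenticate with a client certificate, never with a password.` above the check would keep the rule next to the code. The new wording is also copied verbatim into test_secure.tcl and twice into pgwire_test.go, so defining the message once as a named constant in this package would let the Go tests reference it rather than restate it. Because the text reaches an unauthenticated client, it is worth keeping it limited to the fixed policy for the built-in root account, as it is here. The function begins and ends outside the hunk, so the ordering of this check relative to the password comparison cannot be confirmed from these lines.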
@@ -105,7 +105,7 @@ func TestPGWire(t *testing.T) {
 } else {
 // No certificates provided in secure mode defaults to password
 // authentication. This is disallowed for security.RootUser.
- if !testutils.IsError(err, fmt.Sprintf("pq: user %s must authenticate using a client certificate", security.RootUser)) {
+ if !testutils.IsError(err, fmt.Sprintf("pq: user %s must use certificate authentication instead of password authentication", security.RootUser)) {
 t.Errorf("unexpected error: %v", err)
 }
 }
@@ -135,7 +135,7 @@ func TestPGWire(t *testing.T) {
 t.Error(err)
 }
 } else {
- if !testutils.IsError(err, fmt.Sprintf("pq: user %s must authenticate using a client certificate", security.RootUser)) {
+ if !testutils.IsError(err, fmt.Sprintf("pq: user %s must use certificate authentication instead of password authentication", security.RootUser)) {
 t.Errorf("unexpected error: %v", err)
 }
 }