Re: Credcheck- credcheck.max_auth_failure

From: "Peter J(dot) Holzer" <hjp-pgsql(at)hjp(dot)at>
To: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Credcheck- credcheck.max_auth_failure
Date: 2024-12-16 15:18:53
Message-ID: 20241216151853.ecl37fqyhwmcdi7i@hjp.at
Lists: pgsql-general

On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> Local (socket-based) connections are typically peer-authenticated
> (meaning that authentication is handled by Linux pam).
                                                   ^^^
Is it? I haven't checked the source code, but this doesn't seem
plausible. You can get the uid of a socket peer directly from the
kernel, which can be converted to a user name via getpwuid, and the
mapping to postgresql roles is done via pg_ident.conf. I see no role for
PAM in that path.

> Thus, if someone enters too many wrong passwords for a superuser
> account, you should still be able to locally connect to PG.

True. But the client may not be on the same machine.

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp(at)hjp(dot)at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
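
The lookup path described in the message above (kernel-reported peer uid, then getpwuid, then a pg_ident.conf-style map), as an added example that is not part of the original message and not PostgreSQL's own code. It is Linux-only (SO_PEERCRED), the function names are hypothetical, the map lines are constructed, and only exact-match map entries are handled.

```python
import os
import pwd
import socket
import struct

# Constructed pg_ident.conf-style lines: MAPNAME SYSTEM-USERNAME PG-USERNAME
SAMPLE_IDENT = """\
admins   root      postgres
admins   alice     postgres
app      svc_web   webapp
"""

def peer_uid(sock):
    """Return the uid the kernel recorded for the other end of a Unix socket."""
    ucred = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, ucred.size)
    _pid, uid, _gid = ucred.unpack(raw)
    return uid

def os_user(uid):
    """getpwuid lookup; None when the uid has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

def ident_allows(ident_text, map_name, system_user, role):
    """Exact-match lookup of (map, system user, role); regex entries are skipped."""
    for line in ident_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields == [map_name, system_user, role]:
            return True
    return False

def peer_auth(sock, role, ident_text=None, map_name=None):
    """Decide a peer login; no password check is involved on this path."""
    user = os_user(peer_uid(sock))
    if user is None:
        return False  # uid has no user name: reject
    if map_name is None:
        return user == role  # without a map, OS user and role must match
    return ident_allows(ident_text, map_name, user, role)

if __name__ == "__main__":
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    print("peer uid:", peer_uid(server), "OS user:", os_user(peer_uid(server)))
    print("same-named role allowed:", peer_auth(server, os_user(os.getuid()) or ""))
```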
