From: | Ron Johnson <ronljohnsonjr(at)gmail(dot)com> |
---|---|
To: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: Credcheck- credcheck.max_auth_failure |
Date: | 2024-12-17 18:47:24 |
Message-ID: | CANzqJaA=7vZ-qud1zq8ascpRLtiaJaygp4ap_x64dVb4YcQuag@mail.gmail.com |
Lists: | pgsql-general |
On Tue, Dec 17, 2024 at 1:39 PM Peter J. Holzer <hjp-pgsql(at)hjp(dot)at> wrote:
> On 2024-12-16 10:37:59 -0500, Ron Johnson wrote:
> > On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer <hjp-pgsql(at)hjp(dot)at> wrote:
> >
> > On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> > > Local (socket-based) connections are typically peer-authenticated
> > > (meaning that authentication is handled by Linux pam).
> >                                                    ^^^
> > Is it? I haven't checked the source code, but this doesn't seem
> > plausible. You can get the uid of a socket peer directly from the
> > kernel, which can be converted to a user name via getpwuid, and the
> > mapping to postgresql roles is done via pg_ident.conf. I see no role for
> > PAM in that path.
> >
> >
> > https://www.postgresql.org/docs/16/auth-peer.html
> >
> > "
> > The peer authentication method works by obtaining the client's operating system
> > user name from the kernel and using it as the allowed database user name (with
> > optional user name mapping). This method is only supported on local
> > connections.
> > [snip]
> > Peer authentication is only available on operating systems providing the
> > getpeereid() function, the SO_PEERCRED socket parameter, or similar mechanisms.
> > Currently that includes Linux, most flavors of BSD including macOS, and Solaris.
> > "
> >
> > That means pam
>
> No, it doesn't. PAM is used to authenticate a user to the OS (plus to do
> a bit of setup and teardown at the beginning and end of each session).
> But here the user is already authenticated to the OS and postgresql is
> using that information to authenticate the user to itself. This will use
> the nsswitch mechanism on Linux (and probably something similar on the
> other OSs) to do the uid->username lookup, but it will not use PAM,
> since that simply isn't what PAM is for (or capable of to my knowledge).
>
pam is _indirectly_ used, since like you said, that's what authenticates
the OS user that "peer" authentication needs.
--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!