Re: Credcheck- credcheck.max_auth_failure

From: Ron Johnson <ronljohnsonjr(at)gmail(dot)com>
To: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Credcheck- credcheck.max_auth_failure
Date: 2024-12-17 18:47:24
Message-ID: CANzqJaA=7vZ-qud1zq8ascpRLtiaJaygp4ap_x64dVb4YcQuag@mail.gmail.com
Lists: pgsql-general

On Tue, Dec 17, 2024 at 1:39 PM Peter J. Holzer <hjp-pgsql(at)hjp(dot)at> wrote:

> On 2024-12-16 10:37:59 -0500, Ron Johnson wrote:
> > On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer <hjp-pgsql(at)hjp(dot)at> wrote:
> >
> > On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> > > Local (socket-based) connections are typically peer-authenticated
> > > (meaning that authentication is handled by Linux pam).
> >                                                    ^^^
> > Is it? I haven't checked the source code, but this doesn't seem
> > plausible. You can get the uid of a socket peer directly from the
> > kernel, which can be converted to a user name via getpwuid, and the
> > mapping to postgresql roles is done via pg_ident.conf. I see no role for
> > PAM in that path.
> >
> >
> > https://www.postgresql.org/docs/16/auth-peer.html
> >
> > "
> > The peer authentication method works by obtaining the client's operating system
> > user name from the kernel and using it as the allowed database user name (with
> > optional user name mapping). This method is only supported on local
> > connections.
> > [snip]
> > Peer authentication is only available on operating systems providing the
> > getpeereid() function, the SO_PEERCRED socket parameter, or similar mechanisms.
> > Currently that includes Linux, most flavors of BSD including macOS, and Solaris.
> > "
> >
> > That means pam
>
> No, it doesn't. PAM is used to authenticate a user to the OS (plus to do
> a bit of setup and teardown at the beginning and end of each session).
> But here the user is already authenticated to the OS and postgresql is
> using that information to authenticate the user to itself. This will use
> the nsswitch mechanism on Linux (and probably something similar on the
> other OSs) to do the uid->username lookup, but it will not use PAM,
> since that simply isn't what PAM is for (or capable of to my knowledge).
>

pam is _indirectly_ used, since like you said, that's what authenticates
the OS user that "peer" authentication needs.

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
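The path Peter describes (kernel reports the peer's uid, getpwuid turns it into an OS user name, pg_ident.conf-style mapping decides which role that name may use) can be demonstrated end to end on a Unix-domain socketpair. The program below is an added example for this thread, not code from PostgreSQL or from either poster: the `ident_map` entries are constructed, `peer_allows()` is a deliberately simplified stand-in for PostgreSQL's real pg_ident handling (it does exact matches only and omits the regex and `all` forms the server supports), and `struct peer_cred` mirrors the Linux `struct ucred` layout so the block compiles without relying on feature macros. On the BSDs and macOS the same information comes from getpeereid(), as the quoted documentation says.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors the Linux `struct ucred` layout (pid, uid, gid) so the example
 * does not depend on glibc feature macros. Assumption: Linux ABI. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Ask the kernel who is on the other end of a Unix-domain socket.
 * Linux: SO_PEERCRED socket option. BSD/macOS: getpeereid().
 * Returns 0 on success, -1 if no mechanism is available or the call fails. */
static int peer_uid(int fd, uid_t *uid, gid_t *gid)
{
#if defined(SO_PEERCRED)
    struct peer_cred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    *uid = cred.uid;
    *gid = cred.gid;
    return 0;
#elif defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
    return getpeereid(fd, uid, gid);
#else
    (void)fd; (void)uid; (void)gid;
    return -1; /* no supported peer-credential mechanism on this platform */
#endif
}

/* Map a uid to an OS user name through the system user database
 * (getpwuid, which goes through nsswitch on Linux). PAM is not consulted. */
static int os_user_name(uid_t uid, char *buf, size_t buflen)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return -1;
    snprintf(buf, buflen, "%s", pw->pw_name);
    return 0;
}

/* Constructed pg_ident.conf-style entries (illustration only):
 *   MAPNAME  SYSTEM-USERNAME  PG-USERNAME */
struct ident_entry { const char *map, *os_user, *pg_user; };
static const struct ident_entry ident_map[] = {
    { "ops", "alice", "alice" },
    { "ops", "alice", "postgres" },
    { "ops", "bob",   "readonly" },
};

/* Decide whether OS user `os_user` may connect as role `pg_user`.
 * With no map (map == NULL) the names must be identical, matching the
 * documented default; with a map, an exact entry must exist.
 * Simplified stand-in, not PostgreSQL's real pg_ident logic. */
static int peer_allows(const char *map, const char *os_user, const char *pg_user)
{
    if (map == NULL)
        return strcmp(os_user, pg_user) == 0;
    for (size_t i = 0; i < sizeof ident_map / sizeof ident_map[0]; i++)
        if (strcmp(ident_map[i].map, map) == 0 &&
            strcmp(ident_map[i].os_user, os_user) == 0 &&
            strcmp(ident_map[i].pg_user, pg_user) == 0)
            return 1;
    return 0;
}

/* Self-check: a socketpair's peer is this very process, so the kernel
 * must report our own uid. Returns 1 on success, 0 otherwise. */
static int demo_self_check(void)
{
    int sv[2];
    uid_t uid = (uid_t)-1;
    gid_t gid = (gid_t)-1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    int ok = peer_uid(sv[1], &uid, &gid) == 0 && uid == getuid();
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    char name[256];
    printf("kernel peer uid matches getuid(): %s\n", demo_self_check() ? "yes" : "no");
    if (os_user_name(getuid(), name, sizeof name) == 0)
        printf("getpwuid -> %s, peer auth without map allows role \"%s\": %d\n",
               name, name, peer_allows(NULL, name, name));
    printf("alice -> postgres via map ops: %d\n", peer_allows("ops", "alice", "postgres"));
    printf("bob   -> postgres via map ops: %d\n", peer_allows("ops", "bob", "postgres"));
    return 0;
}
```

The only inputs to the decision are the kernel's peer credential and the passwd lookup; nothing in that path calls into PAM, which is the point Peter makes above. Build with `cc -o peer peer.c` and run it over a local socket to see the uid the kernel reports for the connecting process.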
