public inbox for [email protected]help / color / mirror / Atom feed
Credcheck- credcheck.max_auth_failure 14+ messages / 5 participants [nested] [flat]
* Credcheck- credcheck.max_auth_failure @ 2024-12-11 10:46 張宸瑋 <[email protected]> 0 siblings, 2 replies; 14+ messages in thread From: 張宸瑋 @ 2024-12-11 10:46 UTC (permalink / raw) To: [email protected] In the use of the Credcheck suite, the parameter "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to limit users from entering incorrect passwords more than three times, after which their account will be locked. Due to certain requirements, I would like to ask if there is a way or feature to set this parameter differently for a specific user or role, so that it does not apply to them. I considered using "credcheck.whitelist" to exclude certain accounts, but this would cause all other parameters to apply as well, and the account would still require the other password complexity settings. I only wish to exclude the "credcheck.max_auth_failure" parameter. Thank you in advance for your response, and I would appreciate any assistance you can provide! ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-11 16:41 Adrian Klaver <[email protected]> parent: 張宸瑋 <[email protected]> 1 sibling, 0 replies; 14+ messages in thread From: Adrian Klaver @ 2024-12-11 16:41 UTC (permalink / raw) To: 張宸瑋 <[email protected]>; [email protected] On 12/11/24 02:46, 張宸瑋 wrote: > In the use of the Credcheck suite, the parameter > "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to > limit users from entering incorrect passwords more than three times, > after which their account will be locked. Due to certain requirements, I > would like to ask if there is a way or feature to set this parameter > differently for a specific user or role, so that it does not apply to > them. I considered using "credcheck.whitelist" to exclude certain > accounts, but this would cause all other parameters to apply as well, > and the account would still require the other password complexity > settings. I only wish to exclude the "credcheck.max_auth_failure" > parameter. Thank you in advance for your response, and I would > appreciate any assistance you can provide! The issue you filed here: https://github.com/HexaCluster/credcheck/issues/43 is the way to go to get the necessary assistance. -- Adrian Klaver [email protected] ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-11 17:57 Greg Sabino Mullane <[email protected]> parent: 張宸瑋 <[email protected]> 1 sibling, 1 reply; 14+ messages in thread From: Greg Sabino Mullane @ 2024-12-11 17:57 UTC (permalink / raw) To: 張宸瑋 <[email protected]>; +Cc: [email protected] On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <[email protected]> wrote: > In the use of the Credcheck suite, the parameter > "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to > limit users from entering incorrect passwords more than three times, after > which their account will be locked. > Won't that allow absolutely anyone to lock out anyone else, including admins/superusers? Sounds like a bad idea to me. > Due to certain requirements, I would like to ask if there is a way or > feature to set this parameter differently for a specific user or role, so > that it does not apply to them. > There is not, but there is always the credcheck.reset_superuser setting as an emergency measure. I'd keep the password complexity settings and not enable max_auth_failure at all, myself. Three strikes and you're out feels pretty draconian. Is there a particular threat model that is driving that? Cheers, Greg ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-11 18:43 Ron Johnson <[email protected]> parent: Greg Sabino Mullane <[email protected]> 0 siblings, 1 reply; 14+ messages in thread From: Ron Johnson @ 2024-12-11 18:43 UTC (permalink / raw) To: pgsql-generallists.postgresql.org <[email protected]> On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane <[email protected]> wrote: > On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <[email protected]> wrote: > >> In the use of the Credcheck suite, the parameter >> "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file to >> limit users from entering incorrect passwords more than three times, after >> which their account will be locked. >> > > Won't that allow absolutely anyone to lock out anyone else, including > admins/superusers? Sounds like a bad idea to me. > Isn't this a pretty common password setting? I know that for at least 35 years, and going back to the VAX/VMS days I've been locked out for X hours if I typed an invalid password. Same on Windows and I think also Linux (though ssh public keys and clients remembering passwords mean that rarely happens to me). > > >> Due to certain requirements, I would like to ask if there is a way or >> feature to set this parameter differently for a specific user or role, so >> that it does not apply to them. >> > > There is not, but there is always the credcheck.reset_superuser setting as > an emergency measure. I'd keep the password complexity settings and not > enable max_auth_failure at all, myself. Three strikes and you're out feels > pretty draconian. Is there a particular threat model that is driving that? > -- Death to <Redacted>, and butter sauce. Don't boil me, I'm still alive. <Redacted> lobster! ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-13 20:23 Peter J. Holzer <[email protected]> parent: Ron Johnson <[email protected]> 0 siblings, 1 reply; 14+ messages in thread From: Peter J. Holzer @ 2024-12-13 20:23 UTC (permalink / raw) To: [email protected] On 2024-12-11 13:43:38 -0500, Ron Johnson wrote: > On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane <[email protected]> > wrote: > > On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <[email protected]> wrote: > > In the use of the Credcheck suite, the parameter > "credcheck.max_auth_failure = '3'" is set in the postgresql.conf file > to limit users from entering incorrect passwords more than three times, > after which their account will be locked. > > > Won't that allow absolutely anyone to lock out anyone else, including > admins/superusers? Sounds like a bad idea to me. > > > Isn't this a pretty common password setting? Yes, but that doesn't mean it's a good idea. Actually, let me tease that apart a bit. It is very common for the setting to exist (probably just about any OS and many applications, too), but much less common for it to be turned on. There are good reasons for that. Limiting the number of failed attempts makes a lot of sense for debit cards: The PINs are short enough that a person could bruteforce all combinations and that typos are uncommon. So multiple failed attempts probably mean that the card was stolen. There is also no way to DOS somebody, since you need the card before you can enter the PIN. It may have made a bit of sense in the 1980s, when most people had short and easily guessable passwords and hosts were typically only accessible from directly connected terminals and not from the internet. But it really doesn't make much sense now: Passwords should be so long that brute-forcing them via login attempts is completely futile. Either the attacker knows the password (then the limit doesn't help), or they won't guess it in a million attempts (so the limit doesn't help either). OTOH, the limit gives an attacker a very simple way to deny the service to the legitimate used: Just enter a bogus password three times and boom - account locked. (That threat can be mitigated by applying the limit per IP address - but the attacker may have a botnet with a million nodes, making the limit ineffective.) hp -- _ | Peter J. Holzer | Story must make more sense than reality. |_|_) | | | | | [email protected] | -- Charles Stross, "Creative writing __/ | http://www.hjp.at/ | challenge!" Attachments: [application/pgp-signature] signature.asc (833B, 2-signature.asc) download ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-16 10:32 張宸瑋 <[email protected]> parent: Peter J. Holzer <[email protected]> 0 siblings, 3 replies; 14+ messages in thread From: 張宸瑋 @ 2024-12-16 10:32 UTC (permalink / raw) To: [email protected] We have both regular accounts and system accounts. For regular accounts, we still require password complexity and the lockout functionality after multiple failed login attempts. However, for system accounts, due to information security regulations, password complexity is also required. The issue is that system accounts are used for system integration, and if the account gets locked, it may affect system services, which could lead to problems. To prevent this, we would like to exclude system accounts from being affected by the credcheck.max_auth_failure parameter. Peter J. Holzer <[email protected]>於 2024年12月14日 週六,上午4:24寫道: > On 2024-12-11 13:43:38 -0500, Ron Johnson wrote: > > On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane <[email protected] > > > > wrote: > > > > On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <[email protected]> wrote: > > > > In the use of the Credcheck suite, the parameter > > "credcheck.max_auth_failure = '3'" is set in the postgresql.conf > file > > to limit users from entering incorrect passwords more than three > times, > > after which their account will be locked. > > > > > > Won't that allow absolutely anyone to lock out anyone else, including > > admins/superusers? Sounds like a bad idea to me. > > > > > > Isn't this a pretty common password setting? > > Yes, but that doesn't mean it's a good idea. > > Actually, let me tease that apart a bit. > > It is very common for the setting to exist (probably just about any OS > and many applications, too), but much less common for it to be turned on. > > There are good reasons for that. > > Limiting the number of failed attempts makes a lot of sense for debit > cards: The PINs are short enough that a person could bruteforce all > combinations and that typos are uncommon. So multiple failed attempts > probably mean that the card was stolen. There is also no way to DOS > somebody, since you need the card before you can enter the PIN. > > It may have made a bit of sense in the 1980s, when most people had short > and easily guessable passwords and hosts were typically only accessible > from directly connected terminals and not from the internet. > > But it really doesn't make much sense now: Passwords should be so long > that brute-forcing them via login attempts is completely futile. Either > the attacker knows the password (then the limit doesn't help), or they > won't guess it in a million attempts (so the limit doesn't help either). > OTOH, the limit gives an attacker a very simple way to deny the service to > the legitimate used: Just enter a bogus password three times and boom - > account locked. (That threat can be mitigated by applying the limit per > IP address - but the attacker may have a botnet with a million nodes, > making the limit ineffective.) > > hp > > -- > _ | Peter J. Holzer | Story must make more sense than reality. > |_|_) | | > | | | [email protected] | -- Charles Stross, "Creative writing > __/ | http://www.hjp.at/ | challenge!" > ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-16 11:34 Peter J. Holzer <[email protected]> parent: 張宸瑋 <[email protected]> 2 siblings, 0 replies; 14+ messages in thread From: Peter J. Holzer @ 2024-12-16 11:34 UTC (permalink / raw) To: [email protected] On 2024-12-16 18:32:34 +0800, 張宸瑋 wrote: > We have both regular accounts and system accounts. For regular accounts, we > still require password complexity and the lockout functionality after multiple > failed login attempts. However, for system accounts, due to information > security regulations, password complexity is also required. The issue is that > system accounts are used for system integration, and if the account gets > locked, it may affect system services, which could lead to problems. To prevent > this, we would like to exclude system accounts from being affected by the > credcheck.max_auth_failure parameter. Just in case it wasn't clear: My recommendation is to NOT use the credcheck.max_auth_failure parameter for ANY account. It just causes problems and doesn't really help. If you can't trust your users to chooses sufficiently strong passwords, use a second factor. Or maybe replace passwords with some other method (public keys, FIDO, ...) altogether (in fact, I'd do that for system accounts). hp -- _ | Peter J. Holzer | Story must make more sense than reality. |_|_) | | | | | [email protected] | -- Charles Stross, "Creative writing __/ | http://www.hjp.at/ | challenge!" Attachments: [application/pgp-signature] signature.asc (833B, 2-signature.asc) download ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-16 13:09 Greg Sabino Mullane <[email protected]> parent: 張宸瑋 <[email protected]> 2 siblings, 1 reply; 14+ messages in thread From: Greg Sabino Mullane @ 2024-12-16 13:09 UTC (permalink / raw) To: 張宸瑋 <[email protected]>; +Cc: [email protected] On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 <[email protected]> wrote: > We have both regular accounts and system accounts. For regular accounts, > we still require password complexity and the lockout functionality after > multiple failed login attempts. > Again, what is the threat model here? Most people have their password in a .pgpass file or similar, so it seems this only adds complexity and annoyance without any real benefit. However, for system accounts, due to information security regulations, > password complexity is also required. > Yes, this makes sense. > The issue is that system accounts are used for system integration, and if > the account gets locked, it may affect system services, which could lead to > problems. To prevent this, we would like to exclude system accounts from > being affected by the credcheck.max_auth_failure parameter. > I think we all understand that, but the extension as it exists now cannot do that. And the obvious and easiest solution is to stop using the denial of service feature, which I am hoping is NOT mandated by security regulations. Cheers, Greg ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-16 14:13 Ron Johnson <[email protected]> parent: Greg Sabino Mullane <[email protected]> 0 siblings, 0 replies; 14+ messages in thread From: Ron Johnson @ 2024-12-16 14:13 UTC (permalink / raw) To: Greg Sabino Mullane <[email protected]>; +Cc: 張宸瑋 <[email protected]>; [email protected] On Mon, Dec 16, 2024 at 8:10 AM Greg Sabino Mullane <[email protected]> wrote: > On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 <[email protected]> wrote: > >> We have both regular accounts and system accounts. For regular accounts, >> we still require password complexity and the lockout functionality after >> multiple failed login attempts. >> > > Again, what is the threat model here? > I would not be surprised if the "threat model" is security auditors. > Most people have their password in a .pgpass file or similar, so it seems > this only adds complexity and annoyance without any real benefit. > Mostly, people *do not* log into our PG instances. 99% of connections are from application service accounts via JDBC. -- Death to <Redacted>, and butter sauce. Don't boil me, I'm still alive. <Redacted> lobster! ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-16 14:17 Ron Johnson <[email protected]> parent: 張宸瑋 <[email protected]> 2 siblings, 1 reply; 14+ messages in thread From: Ron Johnson @ 2024-12-16 14:17 UTC (permalink / raw) To: pgsql-general Local (socket-based) connections are typically peer-authenticated (meaning that authentication is handled by Linux pam). Thus, if someone enters too many wrong passwords for a superuser account, you *should* still be able to locally connect to PG. Better test it, though. On Mon, Dec 16, 2024 at 5:32 AM 張宸瑋 <[email protected]> wrote: > We have both regular accounts and system accounts. For regular accounts, > we still require password complexity and the lockout functionality after > multiple failed login attempts. However, for system accounts, due to > information security regulations, password complexity is also required. The > issue is that system accounts are used for system integration, and if the > account gets locked, it may affect system services, which could lead to > problems. To prevent this, we would like to exclude system accounts from > being affected by the credcheck.max_auth_failure parameter. > > > Peter J. Holzer <[email protected]>於 2024年12月14日 週六,上午4:24寫道: > >> On 2024-12-11 13:43:38 -0500, Ron Johnson wrote: >> > On Wed, Dec 11, 2024 at 12:57 PM Greg Sabino Mullane < >> [email protected]> >> > wrote: >> > >> > On Wed, Dec 11, 2024 at 5:46 AM 張宸瑋 <[email protected]> wrote: >> > >> > In the use of the Credcheck suite, the parameter >> > "credcheck.max_auth_failure = '3'" is set in the >> postgresql.conf file >> > to limit users from entering incorrect passwords more than >> three times, >> > after which their account will be locked. >> > >> > >> > Won't that allow absolutely anyone to lock out anyone else, >> including >> > admins/superusers? Sounds like a bad idea to me. >> > >> > >> > Isn't this a pretty common password setting? >> >> Yes, but that doesn't mean it's a good idea. >> >> Actually, let me tease that apart a bit. >> >> It is very common for the setting to exist (probably just about any OS >> and many applications, too), but much less common for it to be turned on. >> >> There are good reasons for that. >> >> Limiting the number of failed attempts makes a lot of sense for debit >> cards: The PINs are short enough that a person could bruteforce all >> combinations and that typos are uncommon. So multiple failed attempts >> probably mean that the card was stolen. There is also no way to DOS >> somebody, since you need the card before you can enter the PIN. >> >> It may have made a bit of sense in the 1980s, when most people had short >> and easily guessable passwords and hosts were typically only accessible >> from directly connected terminals and not from the internet. >> >> But it really doesn't make much sense now: Passwords should be so long >> that brute-forcing them via login attempts is completely futile. Either >> the attacker knows the password (then the limit doesn't help), or they >> won't guess it in a million attempts (so the limit doesn't help either). >> OTOH, the limit gives an attacker a very simple way to deny the service to >> the legitimate used: Just enter a bogus password three times and boom - >> account locked. (That threat can be mitigated by applying the limit per >> IP address - but the attacker may have a botnet with a million nodes, >> making the limit ineffective.) >> >> hp >> >> -- >> _ | Peter J. Holzer | Story must make more sense than reality. >> |_|_) | | >> | | | [email protected] | -- Charles Stross, "Creative writing >> __/ | http://www.hjp.at/ | challenge!" >> > -- Death to <Redacted>, and butter sauce. Don't boil me, I'm still alive. <Redacted> lobster! ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-16 15:18 Peter J. Holzer <[email protected]> parent: Ron Johnson <[email protected]> 0 siblings, 1 reply; 14+ messages in thread From: Peter J. Holzer @ 2024-12-16 15:18 UTC (permalink / raw) To: [email protected] On 2024-12-16 09:17:25 -0500, Ron Johnson wrote: > Local (socket-based) connections are typically peer-authenticated > (meaning that authentication is handled by Linux pam). ^^^ Is it? I haven't checked the source code, but this doesn't seem plausible. You can get the uid of a socket peer directly from the kernel, which can be converted to a user name via getpwuid, and the mapping to postgresql roles is done via pg_ident.conf. I see no role for PAM in that path. > Thus, if someone enters too many wrong passwords for a superuser > account, you should still be able to locally connect to PG. True. But the client may not be on the same machine. hp -- _ | Peter J. Holzer | Story must make more sense than reality. |_|_) | | | | | [email protected] | -- Charles Stross, "Creative writing __/ | http://www.hjp.at/ | challenge!" Attachments: [application/pgp-signature] signature.asc (833B, 2-signature.asc) download ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-16 15:37 Ron Johnson <[email protected]> parent: Peter J. Holzer <[email protected]> 0 siblings, 1 reply; 14+ messages in thread From: Ron Johnson @ 2024-12-16 15:37 UTC (permalink / raw) To: [email protected] On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer <[email protected]> wrote: > On 2024-12-16 09:17:25 -0500, Ron Johnson wrote: > > Local (socket-based) connections are typically peer-authenticated > > (meaning that authentication is handled by Linux pam). > ^^^ > Is it? I haven't checked the source code, but this doesn't seem > plausible. You can get the uid of a socket peer directly from the > kernel, which can be converted to a user name via getpwuid, and the > mapping to postgresql roles is done via pg_ident.conf. I see no role for > PAM in that path. > https://www.postgresql.org/docs/16/auth-peer.html " The peer authentication method works by obtaining the client's operating system user name from the kernel and using it as the allowed database user name (with optional user name mapping). This method is only supported on local connections. [snip] Peer authentication is only available on operating systems providing the getpeereid() function, the SO_PEERCRED socket parameter, or similar mechanisms. Currently that includes Linux, most flavors of BSD including macOS, and Solaris. " That means pam (and presumably also ldap and sssd), since there must be an OS user with the same name, and OS authentication is handled by pam, ldap and sssd. $ grep peer '$PGDATA'/pg_hba.conf local all all peer > > > Thus, if someone enters too many wrong passwords for a superuser > > account, you should still be able to locally connect to PG. > > True. But the client may not be on the same machine. > > hp > > -- > _ | Peter J. Holzer | Story must make more sense than reality. > |_|_) | | > | | | [email protected] | -- Charles Stross, "Creative writing > __/ | http://www.hjp.at/ | challenge!" > -- Death to <Redacted>, and butter sauce. Don't boil me, I'm still alive. <Redacted> lobster! ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-17 18:39 Peter J. Holzer <[email protected]> parent: Ron Johnson <[email protected]> 0 siblings, 1 reply; 14+ messages in thread From: Peter J. Holzer @ 2024-12-17 18:39 UTC (permalink / raw) To: [email protected] On 2024-12-16 10:37:59 -0500, Ron Johnson wrote: > On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer <[email protected]> wrote: > > On 2024-12-16 09:17:25 -0500, Ron Johnson wrote: > > Local (socket-based) connections are typically peer-authenticated > > (meaning that authentication is handled by Linux pam). > ^^^ > Is it? I haven't checked the source code, but this doesn't seem > plausible. You can get the uid of a socket peer directly from the > kernel, which can be converted to a user name via getpwuid, and the > mapping to postgresql roles is done via pg_ident.conf. I see no role for > PAM in that path. > > > https://www.postgresql.org/docs/16/auth-peer.html > > " > The peer authentication method works by obtaining the client's operating system > user name from the kernel and using it as the allowed database user name (with > optional user name mapping). This method is only supported on local > connections. > [snip] > Peer authentication is only available on operating systems providing the > getpeereid() function, the SO_PEERCRED socket parameter, or similar mechanisms. > Currently that includes Linux, most flavors of BSD including macOS, and Solaris > . > " > > That means pam No, it doesn't. PAM is used to authenticate a user to the OS (plus to do a bit of setup and teardown at the beginning and end of each session). But here the user is already authenticated to the OS and postgresql is using that information to authenticate the user to itself. This will use the nsswitch mechanism on Linux (and probably something similar on the other OSs) to do the uid->username lookup, but it will not use PAM, since that simply isn't what PAM is for (or capable of to my knowledge). hp -- _ | Peter J. Holzer | Story must make more sense than reality. |_|_) | | | | | [email protected] | -- Charles Stross, "Creative writing __/ | http://www.hjp.at/ | challenge!" Attachments: [application/pgp-signature] signature.asc (833B, 2-signature.asc) download ^ permalink raw reply [nested|flat] 14+ messages in thread
* Re: Credcheck- credcheck.max_auth_failure @ 2024-12-17 18:47 Ron Johnson <[email protected]> parent: Peter J. Holzer <[email protected]> 0 siblings, 0 replies; 14+ messages in thread From: Ron Johnson @ 2024-12-17 18:47 UTC (permalink / raw) To: [email protected] On Tue, Dec 17, 2024 at 1:39 PM Peter J. Holzer <[email protected]> wrote: > On 2024-12-16 10:37:59 -0500, Ron Johnson wrote: > > On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer <[email protected]> > wrote: > > > > On 2024-12-16 09:17:25 -0500, Ron Johnson wrote: > > > Local (socket-based) connections are typically peer-authenticated > > > (meaning that authentication is handled by Linux pam). > > ^^^ > > Is it? I haven't checked the source code, but this doesn't seem > > plausible. You can get the uid of a socket peer directly from the > > kernel, which can be converted to a user name via getpwuid, and the > > mapping to postgresql roles is done via pg_ident.conf. I see no role > for > > PAM in that path. > > > > > > https://www.postgresql.org/docs/16/auth-peer.html > > > > " > > The peer authentication method works by obtaining the client's operating > system > > user name from the kernel and using it as the allowed database user name > (with > > optional user name mapping). This method is only supported on local > > connections. > > [snip] > > Peer authentication is only available on operating systems providing the > > getpeereid() function, the SO_PEERCRED socket parameter, or similar > mechanisms. > > Currently that includes Linux, most flavors of BSD including macOS, > and Solaris > > . > > " > > > > That means pam > > No, it doesn't. PAM is used to authenticate a user to the OS (plus to do > a bit of setup and teardown at the beginning and end of each session). > But here the user is already authenticated to the OS and postgresql is > using that information to authenticate the user to itself. This will use > the nsswitch mechanism on Linux (and probably something similar on the > other OSs) to do the uid->username lookup, but it will not use PAM, > since that simply isn't what PAM is for (or capable of to my knowledge). > pam is _indirectly_ used, since like you said, that's what authenticates the OS user that "peer" authentication needs. -- Death to <Redacted>, and butter sauce. Don't boil me, I'm still alive. <Redacted> lobster! ^ permalink raw reply [nested|flat] 14+ messages in thread
end of thread, other threads:[~2024-12-17 18:47 UTC | newest] Thread overview: 14+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2024-12-11 10:46 Credcheck- credcheck.max_auth_failure 張宸瑋 <[email protected]> 2024-12-11 16:41 ` Adrian Klaver <[email protected]> 2024-12-11 17:57 ` Greg Sabino Mullane <[email protected]> 2024-12-11 18:43 ` Ron Johnson <[email protected]> 2024-12-13 20:23 ` Peter J. Holzer <[email protected]> 2024-12-16 10:32 ` 張宸瑋 <[email protected]> 2024-12-16 11:34 ` Peter J. Holzer <[email protected]> 2024-12-16 13:09 ` Greg Sabino Mullane <[email protected]> 2024-12-16 14:13 ` Ron Johnson <[email protected]> 2024-12-16 14:17 ` Ron Johnson <[email protected]> 2024-12-16 15:18 ` Peter J. Holzer <[email protected]> 2024-12-16 15:37 ` Ron Johnson <[email protected]> 2024-12-17 18:39 ` Peter J. Holzer <[email protected]> 2024-12-17 18:47 ` Ron Johnson <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox