public inbox for [email protected]
From: Peter J. Holzer <[email protected]>
To: [email protected]
Subject: Re: Credcheck- credcheck.max_auth_failure
Date: Mon, 16 Dec 2024 16:18:53 +0100
Message-ID: <[email protected]>
In-Reply-To: <CANzqJaCww31LJXPQhPaHDDedJ+RAHp4U99bLs4wBHMU4SPZQLg@mail.gmail.com>
References: <CAFsaSDgSPjLOmk51fZt_zYPEUnFOCQ+92g_g2OSMjNbMa4h2xg@mail.gmail.com>
<CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>
<CANzqJaDJ0_Aiih6X6AMfkRaWATFrHJMw_21oS-7im8JdN9SgrQ@mail.gmail.com>
<[email protected]>
<CAFsaSDgsJB9WpZSxspQ0CJAkT4OjGzdh+hLqnf=hinp-ywDU6g@mail.gmail.com>
<CANzqJaCww31LJXPQhPaHDDedJ+RAHp4U99bLs4wBHMU4SPZQLg@mail.gmail.com>

On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> Local (socket-based) connections are typically peer-authenticated
> (meaning that authentication is handled by Linux pam).
                                                   ^^^

Is it? I haven't checked the source code, but this doesn't seem
plausible. You can get the uid of a socket peer directly from the
kernel, which can be converted to a user name via getpwuid, and the
mapping to postgresql roles is done via pg_ident.conf. I see no role for
PAM in that path.

> Thus, if someone enters too many wrong passwords for a superuser
> account, you should still be able to locally connect to PG.

True. But the client may not be on the same machine.

hp

--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | [email protected] | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
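
The lookup path described in the message above, as an added Linux example (not part of the original email and not PostgreSQL's source code): `SO_PEERCRED` returns the peer's uid from the kernel, `getpwuid` turns it into a user name, and a simplified `pg_ident.conf`-style map decides which role that user may assume. The names `SAMPLE_MAP`, `peer_uid`, `ident_allows` and the map name `localmap` are hypothetical, and the map parser is an assumption that handles exact matches only.

```c
#define _GNU_SOURCE              /* exposes struct ucred on Linux/glibc */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
static const char SAMPLE_MAP[] = /* constructed: MAPNAME SYSTEM-USER PG-ROLE */
    "localmap alice app_rw\n"
    "localmap bob   # malformed entry, ignored\n"
    "localmap root  postgres\n";

/* Ask the kernel which uid owns the other end of a Unix-domain socket. */
int peer_uid(int fd, uid_t *uid) {
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 || len != sizeof cred)
        return -1;                   /* no kernel credentials: fail closed */
    *uid = cred.uid;
    return 0;
}

/* Simplified map lookup (assumption: exact matches, one entry per line). */
int ident_allows(const char *conf, const char *map, const char *sysuser, const char *role) {
    while (*conf) {
        size_t n = strcspn(conf, "\n"), k = strcspn(conf, "#\n"); /* k stops at a comment */
        char line[256], m[64], s[64], r[64];
        if (k < sizeof line) {       /* over-long entries are skipped, not truncated */
            memcpy(line, conf, k);
            line[k] = '\0';
            if (sscanf(line, "%63s %63s %63s", m, s, r) == 3 && !strcmp(m, map) &&
                !strcmp(s, sysuser) && !strcmp(r, role))
                return 1;
        }
        conf += n + (conf[n] == '\n');
    }
    return 0;                        /* no matching entry: deny */
}

int main(void) {
    int sv[2];                       /* both ends are ours, so the peer is this process */
    uid_t uid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || peer_uid(sv[0], &uid) != 0)
        return 1;
    struct passwd *pw = getpwuid(uid);          /* uid -> OS user name */
    const char *name = pw ? pw->pw_name : "";   /* unknown uid matches no entry */
    printf("uid=%ld user=%s may connect as postgres: %d\n", (long)uid, name,
           ident_allows(SAMPLE_MAP, "localmap", name, "postgres"));
    return 0;
}
```

No password is exchanged anywhere in this path: the identity comes from the kernel, so a lockout counter driven by failed password attempts has nothing to count on it.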