Date: Mon, 16 Dec 2024 16:18:53 +0100
From: "Peter J. Holzer"
To: pgsql-general@lists.postgresql.org
Subject: Re: Credcheck- credcheck.max_auth_failure
Message-ID: <20241216151853.ecl37fqyhwmcdi7i@hjp.at>

On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> Local (socket-based) connections are typically peer-authenticated
> (meaning that authentication is handled by Linux pam).
                                                   ^^^
Is it? I haven't checked the source code, but this doesn't seem
plausible. You can get the uid of a socket peer directly from the
kernel, which can be converted to a user name via getpwuid, and the
mapping to postgresql roles is done via pg_ident.conf. I see no role
for PAM in that path.

> Thus, if someone enters too many wrong passwords for a superuser
> account, you should still be able to locally connect to PG.

True. But the client may not be on the same machine.

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
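
The path described in the message above (peer uid from the kernel, getpwuid, then a pg_ident.conf-style map), as an added example that is not part of the thread and not PostgreSQL's own code. It assumes Linux (SO_PEERCRED); the function names peer_uid and ident_allows and the sample map are hypothetical and constructed.

```c
#define _GNU_SOURCE              /* struct ucred and SO_PEERCRED on Linux */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel which uid owns the other end of a Unix-domain socket. */
int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 || len != sizeof cred)
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Exact-match check against pg_ident.conf-style lines "map-name system-user role".
 * Comment lines, short lines and regex entries (system-user starting with '/')
 * are skipped; quoted names are not handled in this simplified version. */
int ident_allows(const char *ident, const char *map, const char *sysuser, const char *role)
{
    while (*ident) {
        size_t n = strcspn(ident, "\n");
        char line[256], m[64], s[64], r[64];
        snprintf(line, sizeof line, "%.*s", (int)n, ident);
        ident += n + (ident[n] == '\n');
        if (sscanf(line, "%63s %63s %63s", m, s, r) != 3 || m[0] == '#' || s[0] == '/')
            continue;
        if (!strcmp(m, map) && !strcmp(s, sysuser) && !strcmp(r, role))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample map; a socketpair stands in for a client connection. */
    static const char ident[] = "admins alice postgres\nadmins bob reporting\n";
    int sv[2];
    uid_t uid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || peer_uid(sv[0], &uid) != 0)
        return 1;
    struct passwd *pw = getpwuid(uid);   /* uid -> user name, no password involved */
    const char *user = pw ? pw->pw_name : "(no passwd entry)";
    printf("peer uid=%ld user=%s\n", (long)uid, user);
    printf("may connect as postgres via map admins: %d\n",
           ident_allows(ident, "admins", user, "postgres"));
    close(sv[0]); close(sv[1]);
    return 0;
}
```

No password is read or compared anywhere in this path, so a failed-password counter has nothing to count on such a connection.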