Date: Tue, 17 Dec 2024 19:39:11 +0100
From: "Peter J. Holzer"
To: pgsql-general@lists.postgresql.org
Subject: Re: Credcheck- credcheck.max_auth_failure
Message-ID: <20241217183911.semgtdmuhxp2ajv7@hjp.at>
References: <20241213202348.jtchbb2lezbx2re6@hjp.at> <20241216151853.ecl37fqyhwmcdi7i@hjp.at>

On 2024-12-16 10:37:59 -0500, Ron Johnson wrote:
> On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer wrote:
>
>> On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
>>> Local (socket-based) connections are typically peer-authenticated
>>> (meaning that authentication is handled by Linux pam).
>>                                                       ^^^
>> Is it? I haven't checked the source code, but this doesn't seem
>> plausible. You can get the uid of a socket peer directly from the
>> kernel, which can be converted to a user name via getpwuid, and the
>> mapping to postgresql roles is done via pg_ident.conf. I see no role for
>> PAM in that path.
>
> https://www.postgresql.org/docs/16/auth-peer.html
>
> "
> The peer authentication method works by obtaining the client's operating system
> user name from the kernel and using it as the allowed database user name (with
> optional user name mapping). This method is only supported on local
> connections.
> [snip]
> Peer authentication is only available on operating systems providing the
> getpeereid() function, the SO_PEERCRED socket parameter, or similar mechanisms.
> Currently that includes Linux, most flavors of BSD including macOS, and Solaris.
> "
>
> That means pam

No, it doesn't. PAM is used to authenticate a user to the OS (plus to do a
bit of setup and teardown at the beginning and end of each session).

But here the user is already authenticated to the OS and postgresql is
using that information to authenticate the user to itself. This will use
the nsswitch mechanism on Linux (and probably something similar on the
other OSs) to do the uid->username lookup, but it will not use PAM,
since that simply isn't what PAM is for (or capable of to my knowledge).

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"