From: Ron Johnson <[email protected]>
To: [email protected]
Subject: Re: Credcheck- credcheck.max_auth_failure
Date: Tue, 17 Dec 2024 13:47:24 -0500
Message-ID: <CANzqJaA=7vZ-qud1zq8ascpRLtiaJaygp4ap_x64dVb4YcQuag@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <CAFsaSDgSPjLOmk51fZt_zYPEUnFOCQ+92g_g2OSMjNbMa4h2xg@mail.gmail.com>
<CAKAnmmLBf33oSKxxANDztHR455BhEdO=AROGvXZa1crh7VchHg@mail.gmail.com>
<CANzqJaDJ0_Aiih6X6AMfkRaWATFrHJMw_21oS-7im8JdN9SgrQ@mail.gmail.com>
<[email protected]>
<CAFsaSDgsJB9WpZSxspQ0CJAkT4OjGzdh+hLqnf=hinp-ywDU6g@mail.gmail.com>
<CANzqJaCww31LJXPQhPaHDDedJ+RAHp4U99bLs4wBHMU4SPZQLg@mail.gmail.com>
<[email protected]>
<CANzqJaBenxrGQRb8muLHPs81aZqmaju+S_1ThNYV0Uf-rov84w@mail.gmail.com>
<[email protected]>
On Tue, Dec 17, 2024 at 1:39 PM Peter J. Holzer <[email protected]> wrote:
> On 2024-12-16 10:37:59 -0500, Ron Johnson wrote:
> > On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer <[email protected]> wrote:
> >
> > On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> > > Local (socket-based) connections are typically peer-authenticated
> > > (meaning that authentication is handled by Linux pam).
> > ^^^
> > Is it? I haven't checked the source code, but this doesn't seem
> > plausible. You can get the uid of a socket peer directly from the
> > kernel, which can be converted to a user name via getpwuid, and the
> > mapping to postgresql roles is done via pg_ident.conf. I see no role for
> > PAM in that path.
> >
> >
> > https://www.postgresql.org/docs/16/auth-peer.html
> >
> > "
> > The peer authentication method works by obtaining the client's operating system
> > user name from the kernel and using it as the allowed database user name (with
> > optional user name mapping). This method is only supported on local
> > connections.
> > [snip]
> > Peer authentication is only available on operating systems providing the
> > getpeereid() function, the SO_PEERCRED socket parameter, or similar mechanisms.
> > Currently that includes Linux, most flavors of BSD including macOS, and Solaris.
> > "
> >
> > That means pam
>
> No, it doesn't. PAM is used to authenticate a user to the OS (plus to do
> a bit of setup and teardown at the beginning and end of each session).
> But here the user is already authenticated to the OS and postgresql is
> using that information to authenticate the user to itself. This will use
> the nsswitch mechanism on Linux (and probably something similar on the
> other OSs) to do the uid->username lookup, but it will not use PAM,
> since that simply isn't what PAM is for (or capable of to my knowledge).
>
pam is _indirectly_ used, since like you said, that's what authenticates
the OS user that "peer" authentication needs.
--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!