From: Ron Johnson
Date: Tue, 17 Dec 2024 13:47:24 -0500
Subject: Re: Credcheck- credcheck.max_auth_failure
To: pgsql-general@lists.postgresql.org
In-Reply-To: <20241217183911.semgtdmuhxp2ajv7@hjp.at>
References: <20241213202348.jtchbb2lezbx2re6@hjp.at> <20241216151853.ecl37fqyhwmcdi7i@hjp.at> <20241217183911.semgtdmuhxp2ajv7@hjp.at>

On Tue, Dec 17, 2024 at 1:39 PM Peter J. Holzer wrote:
> On 2024-12-16 10:37:59 -0500, Ron Johnson wrote:
> > On Mon, Dec 16, 2024 at 10:19 AM Peter J. Holzer wrote:
> >
> >     On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> >     > Local (socket-based) connections are typically peer-authenticated
> >     > (meaning that authentication is handled by Linux pam).
> >                                                        ^^^
> >     Is it? I haven't checked the source code, but this doesn't seem
> >     plausible. You can get the uid of a socket peer directly from the
> >     kernel, which can be converted to a user name via getpwuid, and the
> >     mapping to postgresql roles is done via pg_ident.conf. I see no role for
> >     PAM in that path.
> >
> >
> > https://www.postgresql.org/docs/16/auth-peer.html
> >
> > "
> > The peer authentication method works by obtaining the client's operating system
> > user name from the kernel and using it as the allowed database user name (with
> > optional user name mapping). This method is only supported on local
> > connections.
> > [snip]
> > Peer authentication is only available on operating systems providing the
> > getpeereid() function, the SO_PEERCRED socket parameter, or similar mechanisms.
> > Currently that includes Linux, most flavors of BSD including macOS, and Solaris
> > .
> > "
> >
> > That means pam
>
> No, it doesn't. PAM is used to authenticate a user to the OS (plus to do
> a bit of setup and teardown at the beginning and end of each session).
> But here the user is already authenticated to the OS and postgresql is
> using that information to authenticate the user to itself. This will use
> the nsswitch mechanism on Linux (and probably something similar on the
> other OSs) to do the uid->username lookup, but it will not use PAM,
> since that simply isn't what PAM is for (or capable of to my knowledge).

pam is _indirectly_ used, since like you said, that's what authenticates the OS user that "peer" authentication needs.

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!