On 2024-12-16 09:17:25 -0500, Ron Johnson wrote:
> Local (socket-based) connections are typically peer-authenticated
> (meaning that authentication is handled by Linux pam).
                                                   ^^^

Is it? I haven't checked the source code, but this doesn't seem
plausible. You can get the uid of a socket peer directly from the
kernel, which can be converted to a user name via getpwuid, and the
mapping to postgresql roles is done via pg_ident.conf. I see no role
for PAM in that path.

> Thus, if someone enters too many wrong passwords for a superuser
> account, you should still be able to locally connect to PG.

True. But the client may not be on the same machine.

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@xxxxxx         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
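
The lookup path described in the reply above (kernel peer uid, then getpwuid, then a pg_ident.conf-style map), as an added example that is not part of the original message and is not PostgreSQL's own code. It assumes Linux (`SO_PEERCRED`); the map contents, map names and helper names are constructed for illustration, and only exact-name map entries are handled.

```python
import pwd
import socket
import struct

# Constructed pg_ident.conf-style lines: MAPNAME  SYSTEM-USERNAME  PG-USERNAME
SAMPLE_IDENT = """\
# constructed sample map, not taken from a real server
admins   root    postgres
admins   alice   postgres
apps     alice   app_rw
"""

def peer_uid(sock):
    """Ask the kernel for the uid of the process at the other end (Linux only)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)   # struct ucred: pid, uid, gid
    return uid

def os_user(uid):
    """uid -> user name via the passwd database; None if the uid has no entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

def parse_ident(text):
    """Return {(map, system_user, role)}; skips comments and regex (/...) entries."""
    entries = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and not fields[1].startswith("/"):
            entries.add(tuple(fields))
    return entries

def role_allowed(entries, mapname, system_user, role):
    """Unknown uid (None) or an unmapped pair is rejected; no password is involved."""
    return system_user is not None and (mapname, system_user, role) in entries

def demo():
    """Connect a socket pair to ourselves and identify the peer via the kernel."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        uid = peer_uid(a)
    finally:
        a.close()
        b.close()
    return uid, os_user(uid)

if __name__ == "__main__":
    uid, name = demo()
    print(f"peer uid={uid} user={name}")
```
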