On Tue, Jan 16, 2001 at 08:48 -0800, Jeremiah Johnson wrote:

nono. What he means is a database of username's passwords. On freebsd it would be /etc/pwd.db and /etc/spwd.db. When you have *tons* of users it speeds things up. Looking on my SuSE box I dont see the util needed to make the database (pwd_mkdb) but then again, it may be different under linux.

Yes, it is. PAM should give you the knobs to authenticate against some DB storage instead of text files. Easily. Recently there's been a feature article at securityportal (no doubt Kurt Seifried will invite you to visit http://securityportal.com/). [ Did you ever consider to wrap your lines and answer below the cite? It would make your messages easier to read and answer to. ] virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you.

On Tue, 16 Jan 2001 20:45:41 +0100, Grzegorz Prokopski wrote:

http://www.kernel.org/pub/linux/libs/pam/modules.html You can find there pam_mysql, pam_pwdb and other modules, keeping Your servers happy even with 10000's of users.

The link on that page to pwdb is broken. :-( But at least now I realize I did not install the SuSE pwdb package, that's why I did not see anything on my system. I'm getting ready to install it now. Last night however, somewhere I read that pwdb was slow. I'll have to try and find that again. Anyone have actual experience with pwdb and 10,000+ users? Or other large scale user authentication solutions? Egan

Hrm. Strange, I am very surprised that there is no similar functionality in linux as there is in BSD for this problem. Password databases are in use by default on Freebsd (as far back as Freebsd 2.2.8(9?) from what I've seen). Somebody out there has to have more information on this. -miah On Tue, Jan 16, 2001 at 04:57:07PM -0500, Egan wrote:

Now I know why they said that.

They were talking about RADIUS clients authenticating via PAM pwdb, and in the SuSE pwdb docs I just read, pam_pwdb is nothing more than a wrapper to the /etc/passwd file! Arrggh!

That's what I'm trying to avoid. If /etc/passwd is not a database, then each lookup must be a simple linear search.

Maybe pam_mysql is a possibility, but I've not had time to get mysql running yet.

Now I know why they said that.

They were talking about RADIUS clients authenticating via PAM pwdb, and in the SuSE pwdb docs I just read, pam_pwdb is nothing more than a wrapper to the /etc/passwd file! Arrggh!

That's what I'm trying to avoid. If /etc/passwd is not a database, then each lookup must be a simple linear search.

Hu? Have you guys ever heard of nscd? It should start scaling at a limit of more than 4000 users, and running 30000-60000 users isn't really a problem. But you might want to think of delivering mails into the home and placing the home directories into a terminfo-like directory hierarchy. nscd doesn't cache crypted passwords from shadow.

Maybe pam_mysql is a possibility, but I've not had time to get mysql running yet.

Egan

Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

I tried using an APOP email client and SuSE popper reported no database found. Is APOP supported? I could not find any info on it. Egan

On Wed, 17 Jan 2001 10:58:29 +0100 (CET), Arvin Schnell wrote:

Yes, APOP is supported. When your clients use APOP, you have to create the database first with popauth. Unfortunally, popauth didn't work on 7.0, but we have a fixed version on our ftp sites.

I'm still running 6.4. Does popauth exist/work on 6.4? Egan

Arvin Schnell wrote:

On Wed, 17 Jan 2001, Egan wrote:

...

On Wed, 17 Jan 2001 10:58:29 +0100 (CET), Arvin Schnell wrote:

...

Yes, APOP is supported. When your clients use APOP, you have to create the database first with popauth. Unfortunally, popauth didn't work on 7.0, but we have a fixed version on our ftp sites.

I'm still running 6.4. Does popauth exist/work on 6.4?

No, sorry.

But you should be able to install the 7.0 rpm, I think there were no changes to the libraries.

ciao Arvin

<SNIP> Hello, AFAIK you have to compile qpopper with APOP support to get it running. Download the sources from http://www.eudora.com/qpopper (qpopper 3.1 - free) It's explained in the docs, how to set it up to use APOP. Good luck Michael Heiming Sysadmin -- __ __ __ Virtueller Bau-Markt AG \ / [__) [__] [ __ Meerbuscher Strasse 64 \/ [__) | | [_./ 40670 Meerbusch www.vbag.de Michael Heiming (mh@vbag.de)

Egan wrote:

On Wed, 17 Jan 2001 15:14:05 +0100, Michael Heiming wrote:

...

...

But you should be able to install the 7.0 rpm, I think there were no changes to the libraries.

...

AFAIK you have to compile qpopper with APOP support to get it running.

Download the sources from http://www.eudora.com/qpopper (qpopper 3.1 - free)

I installed the 7.0 RPM from SuSE, and APOP is working now.

What's the difference between SuSE's pop vs. qpopper?

Egan

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Hello, SuSE popper is AFAIK qpopper, but mostly not the latest version, telnet to port 110 to see what you have running and APOP support is not compiled (AFAIK). Downloading the newest version, reading the docs/compiling/setup, is almost the faster & better way to get it running and get some knowledge about how something works...:-) Good luck Michael Heiming Sysadmin -- __ __ __ Virtueller Bau-Markt AG \ / [__) [__] [ __ Meerbuscher Strasse 64 \/ [__) | | [_./ 40670 Meerbusch www.vbag.de Michael Heiming (mh@vbag.de) Confucius say: He who play in root, eventually kill tree.

...

APOP support is not compiled (AFAIK).

APOP support must be compiled. It's working.

...

Downloading the newest version, reading the docs/compiling/setup, is almost the faster & better way to get it running and get some knowledge about how something works...:-)

With so many tasks and too little time, the less I know about popper the better. I just want it to work with APOP, and I am happy to get advice from the experts at SuSE on making that happen.

There is some lecture in that. :-)

;-) Egan

...

nscd doesn't cache crypted passwords from shadow.

Then what is the benefit of nscd? Won't you still access shadow on every authorization request?

Yes, you will. But you won't have several hundred getspent()- or alike calls on a "normal" machine. It's getpwnam() and getpwuid() or getpwent() that cause big load. Create 50000 users and compare the time it takes to ls -la /home with and without nscd. Of course, things like radius and alike scream for a solution. Volunteer to work on it? :-)

Egan

Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

No time for volunteer work. That's why I pay my $70 to SuSE for the next release.

It's somebody else's job. I think so, too. (It's ours!)

How far along is 7.1, BTW? I skipped 7.0, but I'm expecting greatness with 7.1.

Near. You can tell from the lags in the outstanding updates that we're busy. I hope that we meet the expectations. But there will not be support for radius servers using databases, I fear...

Egan

Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

Will anything break if I remove world read and execute permissions from the /proc directory? I don't know if it works, but you may want to use the patch from http://www.openwall.com/linux which prevents users to see other users processes and some other things ...

bye! Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.dhs.org X Against HTML Mail / \ 13