No, no. What he means is a database of usernames and passwords. On FreeBSD it would be /etc/pwd.db and /etc/spwd.db. When you have *tons* of users it speeds things up. Looking on my SuSE box I don't see the util needed to make the database (pwd_mkdb), but then again, it may be different under Linux.
-miah
On Tue, Jan 16, 2001 at 04:38:44PM +0100, Stiefenhofer, Marek ECOFIS wrote:
I don't see any kind of passwd database on SuSE 6.4.
/etc/passwd /etc/shadow
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Tue, Jan 16, 2001 at 08:48 -0800, Jeremiah Johnson wrote:
No, no. What he means is a database of usernames and passwords. On FreeBSD it would be /etc/pwd.db and /etc/spwd.db. When you have *tons* of users it speeds things up. Looking on my SuSE box I don't see the util needed to make the database (pwd_mkdb), but then again, it may be different under Linux.
Yes, it is. PAM should give you the knobs to authenticate against some DB storage instead of text files. Easily. Recently there's been a feature article at securityportal (no doubt Kurt Seifried will invite you to visit http://securityportal.com/).

[ Did you ever consider wrapping your lines and answering below the cite? It would make your messages easier to read and answer to. ]

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Jeremiah Johnson wrote:
No, no. What he means is a database of usernames and passwords. On FreeBSD it would be /etc/pwd.db and /etc/spwd.db. When you have *tons* of users it speeds things up. Looking on my SuSE box I don't see the util needed to make the database (pwd_mkdb), but then again, it may be different under Linux.
-miah
On Tue, Jan 16, 2001 at 04:38:44PM +0100, Stiefenhofer, Marek ECOFIS wrote:
I don't see any kind of passwd database on SuSE 6.4.
/etc/passwd /etc/shadow
If you mean just an e-mail server, it is possible to patch e.g. sendmail to use other auth mechanisms. Other mail servers often have such ability included out of the box. Or just go directly to: http://www.kernel.org/pub/linux/libs/pam/modules.html You can find there pam_mysql, pam_pwdb and other modules that should help you with keeping your servers happy even with 10000's of users.

Grzegorz Prokopski
On Tue, 16 Jan 2001 20:45:41 +0100, Grzegorz Prokopski
http://www.kernel.org/pub/linux/libs/pam/modules.html You can find there pam_mysql, pam_pwdb and other modules, keeping Your servers happy even with 10000's of users.
The link on that page to pwdb is broken. :-( But at least now I realize I did not install the SuSE pwdb package, that's why I did not see anything on my system. I'm getting ready to install it now. Last night however, somewhere I read that pwdb was slow. I'll have to try and find that again. Anyone have actual experience with pwdb and 10,000+ users? Or other large scale user authentication solutions? Egan
On Tue, 16 Jan 2001 16:07:30 -0500, Egan
On Tue, 16 Jan 2001 20:45:41 +0100, Grzegorz Prokopski
wrote: http://www.kernel.org/pub/linux/libs/pam/modules.html You can find there pam_mysql, pam_pwdb and other modules, keeping Your servers happy even with 10000's of users.
Last night however, somewhere I read that pwdb was slow. I'll have to try and find that again.
Now I know why they said that. They were talking about RADIUS clients authenticating via PAM pwdb, and in the SuSE pwdb docs I just read, pam_pwdb is nothing more than a wrapper to the /etc/passwd file! Arrggh! That's what I'm trying to avoid. If /etc/passwd is not a database, then each lookup must be a simple linear search. Maybe pam_mysql is a possibility, but I've not had time to get mysql running yet.

Egan
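The point Egan and Jeremiah are circling (a flat /etc/passwd means a linear scan per lookup, a pwd.db-style hashed index does not) as an added example. This is not code from any poster, from FreeBSD or from SuSE; the accounts, uid range and hashed home-directory layout are constructed sample data, and Python's dbm module stands in for the Berkeley DB format that pwd_mkdb actually writes.

```python
"""Flat passwd file versus a pwd.db-style hashed index.

Added illustration for this thread, not code from any poster or from
FreeBSD: a linear scan over an /etc/passwd text (what a flat-file lookup
must do) beside a hashed index keyed by name and by uid, the shape that
pwd_mkdb builds into /etc/pwd.db. All accounts are constructed data.
"""
import dbm
import os
import tempfile
import time
from typing import Optional, Tuple

# The seven colon-separated fields of a passwd(5) record.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")


def make_passwd(n_users: int) -> str:
    """Construct root plus n_users sample accounts (assumption: uids from 10000)."""
    lines = ["root:x:0:0:root:/root:/bin/bash"]
    for i in range(n_users):
        uid = 10000 + i
        name = "user%06d" % i
        home = "/home/%02x/%s" % (i % 256, name)  # hashed home tree, as suggested later in the thread
        lines.append("%s:x:%d:%d:Sample user %d:%s:/bin/false" % (name, uid, uid, i, home))
    return "\n".join(lines) + "\n"


def parse_line(line: str) -> dict:
    """Split one passwd line into a dict; reject malformed records."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("malformed passwd line: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["uid"] = int(rec["uid"])
    rec["gid"] = int(rec["gid"])
    return rec


def getpwnam_linear(passwd_text: str, name: str) -> Tuple[Optional[dict], int]:
    """Flat-file lookup: scan until the name matches; also return lines scanned."""
    prefix = name + ":"
    scanned = 0
    for line in passwd_text.splitlines():
        scanned += 1
        if line.startswith(prefix):
            return parse_line(line), scanned
    return None, scanned


def build_index(passwd_text: str, path: str) -> str:
    """Build a hashed index keyed by name and by uid, as pwd_mkdb does.

    Whatever dbm backend Python has (gdbm, ndbm or the pure-Python dumb
    fallback) is used; the point is keyed access, not the on-disk format.
    """
    with dbm.open(path, "n") as db:
        for line in passwd_text.splitlines():
            rec = parse_line(line)
            db["name:" + rec["name"]] = line
            db["uid:%d" % rec["uid"]] = line
    return path


def build_temp_index(passwd_text: str) -> str:
    """Build the index in a fresh temporary directory and return its path."""
    return build_index(passwd_text, os.path.join(tempfile.mkdtemp(), "pwd.db"))


def _fetch(path: str, key: str) -> Optional[dict]:
    with dbm.open(path, "r") as db:
        raw = db.get(key)
    return parse_line(raw.decode()) if raw is not None else None


def getpwnam_indexed(path: str, name: str) -> Optional[dict]:
    """Keyed lookup by name; cost does not grow with the number of users."""
    return _fetch(path, "name:" + name)


def getpwuid_indexed(path: str, uid: int) -> Optional[dict]:
    """Keyed lookup by uid, the call ls -l makes once per distinct file owner."""
    return _fetch(path, "uid:%d" % uid)


def time_lookups(n_users: int, repeats: int = 20) -> Tuple[float, float]:
    """Seconds for `repeats` lookups of the last user: (linear scan, hashed index)."""
    text = make_passwd(n_users)
    path = build_temp_index(text)
    last = "user%06d" % (n_users - 1)
    t0 = time.perf_counter()
    for _ in range(repeats):
        getpwnam_linear(text, last)
    t1 = time.perf_counter()
    for _ in range(repeats):
        getpwnam_indexed(path, last)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    for n in (1000, 10000, 50000):
        lin, idx = time_lookups(n)
        print("%6d users: linear %.3fs  indexed %.3fs" % (n, lin, idx))
```

Run it stand-alone and the linear column grows with the user count while the indexed column stays flat. The lookup is only half the story for authentication, though: the password hashes live in shadow (spwd.db on FreeBSD), so an index on passwd alone speeds up getpwnam()/getpwuid() and leaves the hash check where it was.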
Hrm. Strange, I am very surprised that there is no similar functionality in Linux as there is in BSD for this problem. Password databases are in use by default on FreeBSD (as far back as FreeBSD 2.2.8(9?) from what I've seen). Somebody out there has to have more information on this.
-miah
On Tue, Jan 16, 2001 at 04:57:07PM -0500, Egan wrote:
Now I know why they said that.
They were talking about RADIUS clients authenticating via PAM pwdb, and in the SuSE pwdb docs I just read, pam_pwdb is nothing more than a wrapper to the /etc/passwd file! Arrggh!
That's what I'm trying to avoid. If /etc/passwd is not a database, then each lookup must be a simple linear search.
Maybe pam_mysql is a possibility, but I've not had time to get mysql running yet.
We do this very thing. What you do is add a default entry in your users file using PAM, then build a pam file for the method of authentication you are using. We use LDAP, so we point to the pam_ldap.so libraries. You would point yours to whatever you want to use. I am not sure if pwdb is supported, but I know a lot of other good DB/directory formats are. Hope this helps.
Cliff
On Tue, 16 Jan 2001, Jeremiah Johnson wrote:
Hrm. Strange, I am very surprised that there is no similar functionality in Linux as there is in BSD for this problem. Password databases are in use by default on FreeBSD (as far back as FreeBSD 2.2.8(9?) from what I've seen). Somebody out there has to have more information on this.
-miah
On Tue, Jan 16, 2001 at 04:57:07PM -0500, Egan wrote:
Now I know why they said that.
They were talking about RADIUS clients authenticating via PAM pwdb, and in the SuSE pwdb docs I just read, pam_pwdb is nothing more than a wrapper to the /etc/passwd file! Arrggh!
That's what I'm trying to avoid. If /etc/passwd is not a database, then each lookup must be a simple linear search.
Maybe pam_mysql is a possibility, but I've not had time to get mysql running yet.
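Cliff's setup spelled out as an added configuration example; these are not his files. A PAM service file that tries pam_ldap first and falls back to the local passwd/shadow files, plus the two pam_ldap settings it cannot run without. The service name radiusd, the module paths, the fallback and the host/base values are assumptions; the RADIUS side needs a DEFAULT entry in its users file whose Auth-Type selects PAM with this service name, and that syntax depends on the RADIUS server in use.

```text
# /etc/pam.d/radiusd   (assumed service name; Linux-PAM syntax of the period)
# pam_ldap answers for users in the directory; pam_unix takes everyone else.
auth      sufficient  /lib/security/pam_ldap.so
auth      required    /lib/security/pam_unix.so  try_first_pass
account   sufficient  /lib/security/pam_ldap.so
account   required    /lib/security/pam_unix.so

# /etc/ldap.conf   (read by pam_ldap; host and base are assumptions)
host  ldap.example.net
base  dc=example,dc=net
# pam_ldap binds as the user with the password just typed, so the bind
# must not cross the wire in the clear: either keep the directory on the
# same host or enable TLS here (pam_ldap's "ssl start_tls" option).
```

With "sufficient" on pam_ldap, a wrong LDAP password is not final: pam_unix gets the same password via try_first_pass and decides. Swap the pam_ldap lines for pam_mysql (from the modules page Grzegorz linked) if a SQL table is the backend; the ordering logic stays the same.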
Now I know why they said that.
They were talking about RADIUS clients authenticating via PAM pwdb, and in the SuSE pwdb docs I just read, pam_pwdb is nothing more than a wrapper to the /etc/passwd file! Arrggh!
That's what I'm trying to avoid. If /etc/passwd is not a database, then each lookup must be a simple linear search.
Huh? Have you guys ever heard of nscd? It should start scaling at a limit of more than 4000 users, and running 30000-60000 users isn't really a problem. But you might want to think of delivering mail into the home directory and placing the home directories into a terminfo-like directory hierarchy. nscd doesn't cache crypted passwords from shadow.
Maybe pam_mysql is a possibility, but I've not had time to get mysql running yet.
Egan
Roman.
--
Roman Drahtmüller
I tried using an APOP email client and SuSE popper reported no database found. Is APOP supported? I could not find any info on it. Egan
On Wed, 17 Jan 2001, Egan wrote:
I tried using an APOP email client and SuSE popper reported no database found.
Is APOP supported? I could not find any info on it.
Yes, APOP is supported. When your clients use APOP, you have to create the database first with popauth. Unfortunately, popauth didn't work on 7.0, but we have a fixed version on our ftp sites.
ciao
Arvin
--
Dipl.-Phys. Arvin Schnell, email: arvin@suse.de, tel: +49 911 74053-362
On Wed, 17 Jan 2001 10:58:29 +0100 (CET), Arvin Schnell
Yes, APOP is supported. When your clients use APOP, you have to create the database first with popauth. Unfortunately, popauth didn't work on 7.0, but we have a fixed version on our ftp sites.
I'm still running 6.4. Does popauth exist/work on 6.4? Egan
On Wed, 17 Jan 2001, Egan wrote:
On Wed, 17 Jan 2001 10:58:29 +0100 (CET), Arvin Schnell
wrote: Yes, APOP is supported. When your clients use APOP, you have to create the database first with popauth. Unfortunately, popauth didn't work on 7.0, but we have a fixed version on our ftp sites.
I'm still running 6.4. Does popauth exist/work on 6.4?
No, sorry. But you should be able to install the 7.0 rpm, I think there were no changes to the libraries. ciao Arvin
--
Dipl.-Phys. Arvin Schnell, email: arvin@suse.de
Arvin Schnell wrote:
On Wed, 17 Jan 2001, Egan wrote:
On Wed, 17 Jan 2001 10:58:29 +0100 (CET), Arvin Schnell
wrote: Yes, APOP is supported. When your clients use APOP, you have to create the database first with popauth. Unfortunately, popauth didn't work on 7.0, but we have a fixed version on our ftp sites.
I'm still running 6.4. Does popauth exist/work on 6.4?
No, sorry.
But you should be able to install the 7.0 rpm, I think there were no changes to the libraries.
ciao Arvin
<SNIP>

Hello,

AFAIK you have to compile qpopper with APOP support to get it running. Download the sources from http://www.eudora.com/qpopper (qpopper 3.1 - free). It's explained in the docs how to set it up to use APOP.

Good luck
Michael Heiming
Sysadmin
--
Virtueller Bau-Markt AG, Meerbuscher Strasse 64, 40670 Meerbusch, www.vbag.de
Michael Heiming (mh@vbag.de)
On Wed, 17 Jan 2001 15:14:05 +0100, Michael Heiming
But you should be able to install the 7.0 rpm, I think there were no changes to the libraries.
AFAIK you have to compile qpopper with APOP support to get it running.
Download the sources from http://www.eudora.com/qpopper (qpopper 3.1 - free)
I installed the 7.0 RPM from SuSE, and APOP is working now. What's the difference between SuSE's pop vs. qpopper? Egan
Egan wrote:
On Wed, 17 Jan 2001 15:14:05 +0100, Michael Heiming
wrote: But you should be able to install the 7.0 rpm, I think there were no changes to the libraries.
AFAIK you have to compile qpopper with APOP support to get it running.
Download the sources from http://www.eudora.com/qpopper (qpopper 3.1 - free)
I installed the 7.0 RPM from SuSE, and APOP is working now.
What's the difference between SuSE's pop vs. qpopper?
Egan
Hello,

SuSE popper is AFAIK qpopper, but mostly not the latest version; telnet to port 110 to see what you have running, and APOP support is not compiled in (AFAIK). Downloading the newest version and reading the docs/compiling/setup is almost always the faster and better way to get it running and to get some knowledge about how something works...:-)

Good luck
Michael Heiming
Sysadmin
--
Virtueller Bau-Markt AG, Meerbuscher Strasse 64, 40670 Meerbusch, www.vbag.de
Michael Heiming (mh@vbag.de)
Confucius say: He who play in root, eventually kill tree.
Hello,
SuSE popper is AFAIK qpopper, but mostly not the latest version, telnet to port 110 to see what you have running and APOP support is not compiled (AFAIK).
Yes, this is correct. Licensing problems. The problems have been resolved, so 7.1 will have a recent 3.x version.
Downloading the newest version and reading the docs/compiling/setup is almost always the faster and better way to get it running and to get some knowledge about how something works...:-)
There is some lecture in that. :-)
Good luck
Michael Heiming Sysadmin
Thanks,
Roman.
--
Roman Drahtmüller
APOP support is not compiled (AFAIK).
APOP support must be compiled. It's working.
Downloading the newest version and reading the docs/compiling/setup is almost always the faster and better way to get it running and to get some knowledge about how something works...:-)
With so many tasks and too little time, the less I know about popper the better. I just want it to work with APOP, and I am happy to get advice from the experts at SuSE on making that happen.
There is some lecture in that. :-)
;-) Egan
Quoting Egan (egan@sevenkings.net) on Wed, Jan 17, 2001 at 06:45:27AM +0100:
I tried using an APOP email client and SuSE popper reported no database found.
You have to initialize it. And it is separate from the regular pw db. APOP does not use crypt but its own mechanism based on MD5.
Is APOP supported? I could not find any info on it. No idea, I am using qpopper as I need DRAC.
cheers
afx
--
atsec information security GmbH, Steinstrasse 68, D-81667 Muenchen, Germany
Phone: +49-89-44249830, Fax: +49-89-44249831, WWW: www.atsec.com
May the Source be with you!
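Why the APOP database has to be separate from /etc/shadow, as an added example rather than code from qpopper, SuSE's popper or any poster here. The exchange is the one defined in RFC 1939 section 7: the server's banner carries a timestamp, the client answers with MD5 over that timestamp followed by the shared secret, and the server recomputes the same digest. It can only do that if it holds the secret in clear text, which is what the popauth-initialised database stores; a crypt(3) hash is useless for it. Hostname, user, secret and the counter appended to the banner are constructed; the default pid and clock values are the numbers in the RFC's own example.

```python
"""APOP (RFC 1939) challenge/response played out on both sides.

Added illustration only, not code from any POP server. The server keeps
clear-text shared secrets in its own table, the role of the database that
popauth initialises; nothing here can be derived from /etc/shadow.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# The banner timestamp is a msg-id, angle brackets included, e.g. <pid.clock@host>.
_TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")
# The command is "APOP name digest" with the digest as 32 lowercase hex characters.
_APOP_RE = re.compile(r"^APOP (\S+) ([0-9a-f]{32})$")


def apop_digest(timestamp: str, secret: str) -> str:
    """digest = MD5(timestamp || secret), as hex; identical on client and server."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def extract_timestamp(greeting: str) -> Optional[str]:
    """Pull the timestamp out of the server's +OK banner, or None if there is none."""
    if not greeting.startswith("+OK"):
        return None
    m = _TIMESTAMP_RE.search(greeting)
    return m.group(0) if m else None


def client_apop(greeting: str, user: str, secret: str) -> Optional[str]:
    """Client side: build the APOP command; None means the server offered no APOP."""
    ts = extract_timestamp(greeting)
    if ts is None:
        return None  # caller decides; falling back to USER/PASS would send the secret in clear
    return "APOP %s %s" % (user, apop_digest(ts, secret))


class ApopServer:
    """Minimal server: a popauth-style secret table and one fresh banner per session."""

    def __init__(self, hostname: str, secrets_db: Dict[str, str]) -> None:
        self.hostname = hostname
        self.secrets = dict(secrets_db)  # user -> clear-text shared secret (constructed data)
        self._counter = 0

    def greeting(self, pid: int, clock: int) -> str:
        """Banner whose timestamp differs for every connection (assumed counter suffix)."""
        self._counter += 1
        return "+OK POP3 server ready <%d.%d.%d@%s>" % (pid, clock, self._counter, self.hostname)

    def handle_apop(self, greeting: str, command: str) -> str:
        """Check an APOP command against the timestamp this session's greeting carried."""
        m = _APOP_RE.match(command)
        if not m:
            return "-ERR malformed APOP command"
        user, digest = m.group(1), m.group(2)
        ts = extract_timestamp(greeting)
        secret = self.secrets.get(user)
        if ts is None or secret is None:
            return "-ERR permission denied"  # same answer as a bad digest: no user enumeration
        if hmac.compare_digest(apop_digest(ts, secret), digest):
            return "+OK maildrop locked and ready for %s" % user
        return "-ERR permission denied"


def run_session(server: ApopServer, user: str, secret: str,
                pid: int = 1896, clock: int = 697170952) -> List[str]:
    """One complete exchange; returns the transcript as S:/C: lines."""
    greeting = server.greeting(pid, clock)
    cmd = client_apop(greeting, user, secret)
    reply = server.handle_apop(greeting, cmd) if cmd else "-ERR no APOP timestamp offered"
    return ["S: " + greeting, "C: " + str(cmd), "S: " + reply]


def replay_succeeds(server: ApopServer, user: str, secret: str) -> bool:
    """Capture a client's APOP line from one session and resend it in the next."""
    first = server.greeting(1, 1)
    captured = client_apop(first, user, secret)
    second = server.greeting(1, 1)  # counter moved on, so the timestamp differs
    return server.handle_apop(second, captured).startswith("+OK")


if __name__ == "__main__":
    srv = ApopServer("pop.example.net", {"mrose": "tanstaaf"})
    for line in run_session(srv, "mrose", "tanstaaf"):
        print(line)
    print("replay accepted:", replay_succeeds(srv, "mrose", "tanstaaf"))
```

Two things the transcript shows that the thread only hints at: the secret itself never crosses the wire, which is the point of APOP, and a captured digest is worthless against the next banner, so the server must make its timestamp unique per connection. The flip side is the clear-text secret table on the server, which needs the same file permissions care as /etc/shadow.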
nscd doesn't cache crypted passwords from shadow.
Then what is the benefit of nscd? Won't you still access shadow on every authorization request?
Yes, you will. But you won't have several hundred getspent() or similar calls on a "normal" machine. It's getpwnam() and getpwuid() or getpwent() that cause big load. Create 50000 users and compare the time it takes to ls -la /home with and without nscd. Of course, things like RADIUS and the like scream for a solution. Volunteer to work on it? :-)
Roman.
--
Roman Drahtmüller
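The cache Roman describes, as an added configuration example and not a file from any SuSE release: the glibc nscd.conf directives that switch on caching for the passwd and group maps, which is what makes the getpwuid() storm of an ls -la /home cheap. Sizes, lifetimes and the thread count are assumptions to tune to the user count; there is no shadow entry, so each password check still reads /etc/shadow, exactly the limit Egan asks about.

```text
# /etc/nscd.conf   (glibc nscd; all values are assumptions, tune to your site)
logfile                 /var/log/nscd.log
threads                 6

enable-cache            passwd  yes
positive-time-to-live   passwd  600      # seconds a found entry is served from cache
negative-time-to-live   passwd  20       # seconds a miss is remembered; keep short
suggested-size          passwd  211      # hash table size, a prime well above the expected working set
check-files             passwd  yes      # drop the cache when /etc/passwd changes

enable-cache            group   yes
positive-time-to-live   group   3600
negative-time-to-live   group   60
suggested-size          group   211
check-files             group   yes
```

Keep the negative lifetime short: a user created a moment ago would otherwise keep failing lookups until the miss expires. And note what is cached is the passwd record, not the hash, so nscd helps directory listings, mail delivery and anything else that maps uids to names, while a RADIUS server authenticating thousands of sessions still pays for each shadow lookup.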
On Wed, 17 Jan 2001 07:42:25 +0100 (MET), Roman Drahtmueller
Of course, things like radius and alike scream for a solution. Volunteer to work on it? :-)
No time for volunteer work. That's why I pay my $70 to SuSE for the next release. How far along is 7.1, BTW? I skipped 7.0, but I'm expecting greatness with 7.1. Egan
No time for volunteer work. That's why I pay my $70 to SuSE for the next release.
It's somebody else's job. I think so, too. (It's ours!)
How far along is 7.1, BTW? I skipped 7.0, but I'm expecting greatness with 7.1.
Near. You can tell from the lags in the outstanding updates that we're busy. I hope that we meet the expectations. But there will not be support for radius servers using databases, I fear...
Roman.
--
Roman Drahtmüller
Will anything break if I remove world read and execute permissions from the /proc directory? I would like to prevent shell users from seeing cpuinfo and other things I don't want them to know, if possible. Egan
Will anything break if I remove world read and execute permissions from the /proc directory?

I don't know if it works, but you may want to use the patch from http://www.openwall.com/linux which prevents users from seeing other users' processes and some other things ...
bye!
Markus
--
Markus Gaugusch, ICQ 11374583, markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
participants (11)
- Andreas Siegert
- Arvin Schnell
- Cliff Friedel
- Egan
- Gerhard Sittig
- Grzegorz Prokopski
- Jeremiah Johnson
- Markus Gaugusch
- Michael Heiming
- Roman Drahtmueller
- Stiefenhofer, Marek ECOFIS