Date: Sat, 10 Jan 1998 13:26:33 -0600 From: Jacques Vidrine <n@nectar.com> To: hackers@FreeBSD.ORG Cc: Jaye Mathisen <mrcpu@cdsnet.net> Subject: Re: How are people handling lots of accounts? Message-ID: <199801101926.NAA11423@kai.nectar.com> In-Reply-To: <19980110124412.19068@mcs.net> References: <Pine.NEB.3.95.980107181608.25611Q-100000@mail.cdsnet.net> <p1ioh1k5kwy.fsf@panke.panke.de> <19980110124412.19068@mcs.net>
index | next in thread | previous in thread | raw e-mail
Kerberos + Hesiod is also a good solution.
Jacques Vidrine <n@nectar.com>
On 10 January 1998 at 12:44, Karl Denninger <karl@mcs.net> wrote:
> On Sat, Jan 10, 1998 at 05:54:52PM +0100, Wolfram Schneider wrote:
> > Jaye Mathisen <mrcpu@cdsnet.net> writes:
> > > With 50000 test accounts in master.passwd, it takes something like 10
> > > minutes to rebuild the .db files, completely preventing anybody else from
> > > doing anything password related.
> > >
> > > Is there anything that can be done to speed this up? Changing the
> > > password isn't too bad, only about 30 seconds, but adding takes forever.
> >
> > You can increase the database cache size from 4MB to a higher value in
> > pwd_mkdb. See pwd_mkdb.c line 70. You must recompile pwd_mkdb for this
> > change.
> >
> > Did you use the -u option?
> > pwd_mkdb(8)
> > -u username
> > Only update the record for the specified user. Utilities that o
p-
> > erate on a single user can use this option to avoid the overhead
of
> > rebuilding the entire database.
> >
> > --
> > Wolfram Schneider <wosch@freebsd.org> http://www.freebsd.org/~wosch/
>
> We handled this problem (and I consider it a serious one) by replacing the
> entire authorization system with a DBMS-based package written in-house that
> uses encrypted data streams between the client and server.
>
> This was a serious pain in the ass (and done incorrectly or with
> insufficient redundancy screws you completely, as you then can't log in!)
> but its worth it - our management is now centralized. We still create
> "fallback" pwd.db and spwd.db files from that database and distribute them
> for the "emergency" case, but this is then a low-priority thing that can be
> done at the "background noise" level.
>
> For multi-machine environments you *have to* centralize things somehow, and
> NIS just isn't secure enough for an ISP environment.
>
> --
> --
> Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
> http://www.mcs.net/ | T1's from $600 monthly to FULL DS-3 Service
> | NEW! K56Flex support on ALL modems
> Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
> Fax: [+1 312 803-4929] | *SPAMBLOCK* Technology now included at no cost
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199801101926.NAA11423>