From owner-freebsd-hackers Sat Jan 10 11:27:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA04350 for hackers-outgoing; Sat, 10 Jan 1998 11:27:47 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from kai.nectar.com (kai.nectar.com [204.27.64.101]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA04323 for ; Sat, 10 Jan 1998 11:27:24 -0800 (PST) (envelope-from nectar@kai.nectar.com)
Received: (from smap@localhost) by kai.nectar.com (8.8.8/8.8.7) id NAA11423; Sat, 10 Jan 1998 13:26:51 -0600 (CST)
Message-Id: <199801101926.NAA11423@kai.nectar.com>
X-Authentication-Warning: kai.nectar.com: smap set sender to using -f
Received: from localhost.communique.net(127.0.0.1) by kai.nectar.com via smap (V2.0) id xma011415; Sat, 10 Jan 98 13:26:33 -0600
From: Jacques Vidrine
To: hackers@FreeBSD.ORG
cc: Jaye Mathisen
Subject: Re: How are people handling lots of accounts?
In-reply-to: <19980110124412.19068@mcs.net>
References: <19980110124412.19068@mcs.net>
Date: Sat, 10 Jan 1998 13:26:33 -0600
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk

Kerberos + Hesiod is also a good solution.

Jacques Vidrine

On 10 January 1998 at 12:44, Karl Denninger wrote:
> On Sat, Jan 10, 1998 at 05:54:52PM +0100, Wolfram Schneider wrote:
> > Jaye Mathisen writes:
> > > With 50000 test accounts in master.passwd, it takes something like 10
> > > minutes to rebuild the .db files, completely preventing anybody else from
> > > doing anything password related.
> > >
> > > Is there anything that can be done to speed this up? Changing the
> > > password isn't too bad, only about 30 seconds, but adding takes forever.
> >
> > You can increase the database cache size from 4MB to a higher value in
> > pwd_mkdb. See pwd_mkdb.c line 70. You must recompile pwd_mkdb for this
> > change.
> >
> > Did you use the -u option?
> > pwd_mkdb(8)
> >      -u username
> >              Only update the record for the specified user. Utilities that
> >              operate on a single user can use this option to avoid the
> >              overhead of rebuilding the entire database.
> >
> > --
> > Wolfram Schneider http://www.freebsd.org/~wosch/
>
> We handled this problem (and I consider it a serious one) by replacing the
> entire authorization system with a DBMS-based package written in-house that
> uses encrypted data streams between the client and server.
>
> This was a serious pain in the ass (and done incorrectly or with
> insufficient redundancy screws you completely, as you then can't log in!)
> but it's worth it - our management is now centralized. We still create
> "fallback" pwd.db and spwd.db files from that database and distribute them
> for the "emergency" case, but this is then a low-priority thing that can be
> done at the "background noise" level.
>
> For multi-machine environments you *have to* centralize things somehow, and
> NIS just isn't secure enough for an ISP environment.
>
> --
> --
> Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
> http://www.mcs.net/          | T1's from $600 monthly to FULL DS-3 Service
>                              | NEW! K56Flex support on ALL modems
> Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
> Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost