
Re: pam_pwdb slowdown



It's the "account" pwdb module that slows things down, not the "auth" 
pwdb module.  (at least in my experience)  Replace the account module 
with pam_unix_acct and see what happens.  (leave the auth one alone)

Bob


> Has anyone looked into why using pam_pwdb with more than a few users
> slows everything down?  I have an /etc/passwd file with under 3000 users
> in it.  If I type 'su <username>', it takes about 4 seconds for the
> Password: prompt to come up and about 6 seconds to get a prompt after
> the password is entered.  And that is with the system mostly idle.
> 
> If I let my POP daemon use PAM with connections coming in at 40-60 a
> minute, the server quickly falls over from the load.  If I recompile my
> POP daemon without PAM support, it handles those connections with no
> problems (this is cucipop).
> 
> I read that this is a known problem and to use pam_unix_auth instead,
> but it doesn't seem to work for me for su.  My /etc/pam.d/su used to
> look like:
> 
> #%PAM-1.0
> auth       required	/lib/security/pam_wheel.so group=wheel use_uid
> auth       required	/lib/security/pam_pwdb.so shadow nullok
> auth       optional     /usr/local/lib/security/pam_mail.so nopen hash=2
> auth       optional     /lib/security/pam_env.so
> account    required	/lib/security/pam_pwdb.so
> password   required	/lib/security/pam_cracklib.so
> password   required	/lib/security/pam_pwdb.so shadow use_authtok nullok
> session    required	/lib/security/pam_pwdb.so
> session    required	/lib/security/pam_limits.so
> 
> and all I did was change
> 
> auth       required	/lib/security/pam_pwdb.so shadow nullok
> 
> to
> 
> auth       required	/lib/security/pam_unix_auth.so
> 
> Now, only if you are running su as root can you su to another user.
> Only members of the wheel group can su to root (which is what I want),
> but everyone else can't su to anyone.
> 
> -- 
> Chris Adams - cadams@ro.com
> System Administrator - Renaissance Internet Services
> I don't speak for anybody but myself - that's enough trouble.
> 
> -- 
> To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null
> 
> 


-- 
Bob Farmer                                     ucs_brf@shsu.edu
Computer Services, Sam Houston State University; Huntsville, TX 
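
The change suggested in the reply, applied to the `/etc/pam.d/su` quoted above, as an added example that is not part of the original message: the script reports which stacks load `pam_pwdb.so` and rewrites only the `account` line. The function names are hypothetical, the path `/lib/security/pam_unix_acct.so` is an assumption (same directory as the other modules), and the parser assumes one-word control fields as used in this file.

```python
# Constructed sample: the /etc/pam.d/su quoted in the message above.
SU_CONF = """\
#%PAM-1.0
auth       required\t/lib/security/pam_wheel.so group=wheel use_uid
auth       required\t/lib/security/pam_pwdb.so shadow nullok
auth       optional     /usr/local/lib/security/pam_mail.so nopen hash=2
auth       optional     /lib/security/pam_env.so
account    required\t/lib/security/pam_pwdb.so
password   required\t/lib/security/pam_cracklib.so
password   required\t/lib/security/pam_pwdb.so shadow use_authtok nullok
session    required\t/lib/security/pam_pwdb.so
session    required\t/lib/security/pam_limits.so
"""

# Assumption: pam_unix_acct.so is installed beside the other modules.
REPLACEMENT = "/lib/security/pam_unix_acct.so"


def parse(line):
    """Split one pam.d line into (type, control, module, args), or None."""
    body = line.split("#", 1)[0].split()  # drop comments and the #%PAM header
    if len(body) < 3:
        return None
    return body[0], body[1], body[2], body[3:]


def stacks_using(conf, module_name="pam_pwdb.so"):
    """Return the management groups whose stack loads module_name."""
    entries = [parse(line) for line in conf.splitlines()]
    return [e[0] for e in entries if e and e[2].endswith("/" + module_name)]


def swap_account_module(conf):
    """Replace pam_pwdb only in the account stack; keep other lines verbatim."""
    out = []
    for line in conf.splitlines():
        entry = parse(line)
        if entry and entry[0] == "account" and entry[2].endswith("/pam_pwdb.so"):
            # pam_pwdb arguments are dropped, not carried over to the new module
            line = "%-10s %s\t%s" % (entry[0], entry[1], REPLACEMENT)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("pam_pwdb loaded by:", stacks_using(SU_CONF))
    print(swap_account_module(SU_CONF), end="")
```

The `auth`, `password` and `session` lines still reference `pam_pwdb.so` afterwards, which matches the "leave the auth one alone" advice.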


