
pam_pwdb slowdown



According to Bob Farmer:
>It's the "account" pwdb module that slows things down, not the "auth" 
>pwdb module.  (at least in my experience)  Replace the account module 
>with pam_unix_acct and see what happens.  (leave the auth one alone)

Tried that.  My slowdown is definitely the auth module.  Look at my
example below - if I change just the auth line from pwdb to unix_auth,
all the slowdowns (at least for su) disappear.  I tried tracing it at
one time, and it looked like the pwdb module read through both the
passwd and shadow files more than once.
-- 
Chris Adams - cadams@ro.com
System Administrator - Renaissance Internet Services
I don't speak for anybody but myself - that's enough trouble.

>> Has anyone looked into why using pam_pwdb with more than a few users
>> slows everything down?  I have an /etc/passwd file with under 3000 users
>> in it.  If I type 'su <username>', it takes about 4 seconds for the
>> Password: prompt to come up and about 6 seconds to get a prompt after
>> the password is entered.  And that is with the system mostly idle.
>> 
>> If I let my POP daemon use PAM with connections coming in at 40-60 a
>> minute, the server quickly falls over from the load.  If I recompile my
>> POP daemon without PAM support, it handles those connections with no
>> problems (this is cucipop).
>> 
>> I read that this is a known problem and to use pam_unix_auth instead,
>> but it doesn't seem to work for me for su.  My /etc/pam.d/su used to
>> look like:
>> 
>> #%PAM-1.0
>> auth       required	/lib/security/pam_wheel.so group=wheel use_uid
>> auth       required	/lib/security/pam_pwdb.so shadow nullok
>> auth       optional     /usr/local/lib/security/pam_mail.so nopen hash=2
>> auth       optional     /lib/security/pam_env.so
>> account    required	/lib/security/pam_pwdb.so
>> password   required	/lib/security/pam_cracklib.so
>> password   required	/lib/security/pam_pwdb.so shadow use_authtok nullok
>> session    required	/lib/security/pam_pwdb.so
>> session    required	/lib/security/pam_limits.so
>> 
>> and all I did was change
>> 
>> auth       required	/lib/security/pam_pwdb.so shadow nullok
>> 
>> to
>> 
>> auth       required	/lib/security/pam_unix_auth.so
>> 
>> Now, only if you are running su as root can you su to another user.
>> Only members of the wheel group can su to root (which is what I want),
>> but everyone else can't su to anyone.
>> 
>> -- 
>> Chris Adams - cadams@ro.com
>> System Administrator - Renaissance Internet Services
>> I don't speak for anybody but myself - that's enough trouble.
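
The reply above mentions tracing the module and seeing it read the passwd and shadow files more than once. One way to confirm that from an `strace` log is to tally opens and bytes read per watched file. This is an added example, not part of the original message: the trace excerpt is constructed, and the names `tally_file_reads` and `rescanned` are hypothetical.

```python
import re

# Constructed strace excerpt for illustration; not captured from a real system.
SAMPLE_TRACE = r'''open("/etc/passwd", O_RDONLY) = 3
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 4096
close(3) = 0
open("/etc/shadow", O_RDONLY) = 3
read(3, "root:"..., 4096) = 4096
close(3) = 0
open("/etc/nologin", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY) = 3
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 4096
close(3) = 0
open("/etc/shadow", O_RDONLY) = 4
read(4, "root:"..., 4096) = 4096
read(0, "y\n", 128) = 2
close(4) = 0
'''

OPEN_RE = re.compile(r'^(?:\d+\s+)?open(?:at)?\((?:AT_FDCWD, )?"([^"]+)",.*\)\s+=\s+(-?\d+)')
READ_RE = re.compile(r'^(?:\d+\s+)?read\((\d+),.*\)\s+=\s+(-?\d+)')
CLOSE_RE = re.compile(r'^(?:\d+\s+)?close\((\d+)\)\s+=\s+0')

def tally_file_reads(trace, watched=("/etc/passwd", "/etc/shadow")):
    """Count successful opens and bytes read for each watched path."""
    fd_path = {}  # live file descriptor -> path; descriptors are reused after close
    stats = {p: {"opens": 0, "bytes": 0} for p in watched}
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            path, fd = m.group(1), int(m.group(2))
            if fd >= 0:  # a failed open returns -1 and allocates no descriptor
                fd_path[fd] = path
                if path in stats:
                    stats[path]["opens"] += 1
            continue
        m = READ_RE.match(line)
        if m:
            path, n = fd_path.get(int(m.group(1))), int(m.group(2))
            if path in stats and n > 0:
                stats[path]["bytes"] += n
            continue
        m = CLOSE_RE.match(line)
        if m:
            fd_path.pop(int(m.group(1)), None)
    return stats

def rescanned(stats):
    return sorted(p for p, s in stats.items() if s["opens"] > 1)
```
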


