[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: PAM, shadow using DBM files?

Thanks for the replies, everyone!

I took Steve's advice and replaced references to pam_pwdb.so with
pam_unix.so in the appropriate /etc/pam.d configuration files, and that
alone cut the 15-20 second authentications down to less than 2 seconds.


-----Original Message-----
From: Steve Langasek [mailto:vorlon@netexpress.net]
Sent: Tuesday, July 25, 2000 11:39 AM
To: pam-list@redhat.com
Subject: Re: PAM, shadow using DBM files?

On Tue, 25 Jul 2000, Scott Isaacson wrote:

> I administer a RedHat 6.2 system with about 6000 users.  Authentications
> noticeably slow, with users toward the bottom of the passwd file often
> taking 15-20 seconds to authenticate via ipop3d.  I suspect the
> authentication mechanism itself because users toward the top of the passwd
> file will authenticate within 1 second.

> A theory I have is that hashing the passwd and shadow files, as on some
> commercial *nixes, would speed things up and solve the problem.  It looks
> like the capability to use DBM files is at least partially written into
> shadow password package, but not enabled on the version distributed with
> RedHat 6.2.

Switching to DBM files would speed things up, but you'll find that simply
replacing the references to pam_pwdb.so in your PAM config files with
pam_unix.so will speed things up tremendously.  Our password file is about
9000 lines long at the moment, and we're able to continue using pam_unix for

If you feel that authentication is still too slow, then yes, you can also
NSS to tweak the back-end that pam_unix uses for authentication, using 'db'
nsswitch.conf ahead of 'files'.  I doubt you'll need to go to the extra
effort, though.

Steve Langasek
postmodern programmer

To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []