Re: a few questions on implementation
- From: Malcolm Beattie <mbeattie sable ox ac uk>
- To: pam-list redhat com
- Subject: Re: a few questions on implementation
- Date: Thu, 4 Feb 1999 10:01:27 +0000 (GMT)
Stephen Langasek writes:
> On Wed, 3 Feb 1999, Ben Collins wrote:
>
> > I'm stuck on whether to use pam_pwdb as the default module as opposed
> > to the pam_unix_* modules. Obviously pam_pwdb has the advantage of
> > lifting suid root permissions from some binaries like xlock, as well as
> > making it easier for suid root svgalib programs to drop privileges
> > while still being able to authenticate users, such as vclock.
>
> Personal opinion here, based on our own experiences at work and on
> comments from many other RedHat users, is that the pam_unix_* set would be
> a better choice for a default setup at this point. pam_pwdb in its
> current form seems to have some serious performance problems when used on
> large user databases, and all in all doesn't seem to scale well ATM.
In particular, pam_pwdb doesn't use straight getsp{nam,ent}() calls
and so you can't switch to using nss_db /var/db/shadow.db when you
have lots of users.
--Malcolm
--
Malcolm Beattie <mbeattie@sable.ox.ac.uk>
Unix Systems Programmer
Oxford University Computing Services
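
An added example, not part of the original message and not code from pam_pwdb or pam_unix: it contrasts a shadow lookup made through getspnam(), which glibc routes through the "shadow:" line of /etc/nsswitch.conf (so the backend can be moved to nss_db), with a lookup tied to scanning one flat file. The function names and the sample records are constructed for illustration; the flat-file scan is an assumption about what a non-NSS lookup looks like, not a description of pam_pwdb internals.

```c
#define _GNU_SOURCE
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* Lookup through NSS: the backend (files, db, ...) is chosen by nsswitch.conf,
   not by this code. Returns 1 if found, 0 if absent or not permitted
   (reading shadow data normally requires root). */
int lookup_via_nss(const char *user, char *hash, size_t hashlen)
{
    struct spwd *sp = getspnam(user);
    if (sp == NULL || sp->sp_pwdp == NULL)
        return 0;
    snprintf(hash, hashlen, "%s", sp->sp_pwdp);
    return 1;
}

/* Lookup tied to one flat file: walks shadow-format records on a stream.
   Cost grows linearly with the user count and NSS configuration is ignored. */
int lookup_via_stream(FILE *fp, const char *user, char *hash, size_t hashlen)
{
    struct spwd *sp;
    while ((sp = fgetspent(fp)) != NULL) {
        if (strcmp(sp->sp_namp, user) == 0) {
            snprintf(hash, hashlen, "%s", sp->sp_pwdp);
            return 1;
        }
    }
    return 0;
}

/* Constructed sample records: not real accounts, not real hashes. */
static const char SAMPLE_SHADOW[] =
    "alice:$1$constructed$AAAAAAAAAAAAAAAAAAAAAA:10626:0:99999:7:::\n"
    "bob:!:10626:0:99999:7:::\n";

/* Runs the flat-file style lookup over the in-memory sample above. */
int demo_stream_lookup(const char *user, char *hash, size_t hashlen)
{
    FILE *fp = fmemopen((void *)SAMPLE_SHADOW, sizeof SAMPLE_SHADOW - 1, "r");
    if (fp == NULL)
        return 0;
    int found = lookup_via_stream(fp, user, hash, hashlen);
    fclose(fp);
    return found;
}

int main(void)
{
    char h[128];
    printf("stream: alice found=%d\n", demo_stream_lookup("alice", h, sizeof h));
    printf("nss:    alice found=%d\n", lookup_via_nss("alice", h, sizeof h));
    return 0;
}
```

Only lookup_via_nss() changes behaviour when the "shadow:" line in /etc/nsswitch.conf is edited; the stream variant keeps reading whatever file it was handed.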