From: William Yang
Date: Sun, 13 Nov 2005 20:41:21 -0500
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Advice about security solution
Message-ID: <4377EB41.70008@gcfn.net>
In-Reply-To: <20051110072810.GO14230@elmer.skumleren.net>

Anders Bruun Olsen wrote:
> On Wed, Nov 09, 2005 at 05:30:28PM -0500, xyon wrote:
>
>>just curious, but why not use 'net-www/mod_auth_mysql' and store your
>>users in a MySQL DB?
>
>
> Because I want a single place for storing users that all services will
> auth against, which also means ssh and so forth. I know that pam_mysql
> will bring me most of the way, but I have my doubts about using
> nss_mysql (which is also not in Portage). Call me crazy, but I neither
> trust the security nor stability of mysql :)
> Plus I already have experience with LDAP...
>

I run a production ISP environment--http/ftp, e-mail, limited user
shells, RADIUS dialup auth--using pam_mysql, and have for more than a
year. There have been no stability issues and, to date, no security
problems that we've detected. The biggest problem has to do with
performance, which nscd was excellent for. NSCD does odd things when the
MySQL queries return numbers significantly smaller than the number of
rows in the user auth tables -- I found that it would periodically just
crash when I had disabled or locked-out accounts. A daemon which checks
and restarts core services was all I needed to take care of it, though.

-Bill
--
gentoo-security@gentoo.org mailing list