Gentoo Archives: gentoo-security

From: Anders Bruun Olsen <anders@×××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Advice about security solution
Date: Tue, 15 Nov 2005 11:42:47
Message-Id: 20051115113653.GW14230@elmer.skumleren.net
In Reply to: Re: [gentoo-security] Advice about security solution by William Yang
On Sun, Nov 13, 2005 at 08:41:21PM -0500, William Yang wrote:
> >>just curious, but why not use 'net-www/mod_auth_mysql' and store your
> >>users in a MySQL DB?
> >Because I want a single place for storing users that all services will
> >auth against, which also means ssh and so forth. I know that pam_mysql
> >will bring me most of the way, but I have my doubts about using
> >nss_mysql (which is also not in Portage). Call me crazy, but I neither
> >trust the security nor stability of mysql :)
> >Plus I already have experience with LDAP...
> I run a production ISP environment--http/ftp, e-mail, limited user
> shells, RADIUS dialup auth--using pam_mysql, and have for more than a
> year. There have been no stability issues and, to date, no security
> problems that we've detected.
> The biggest problem has to do with performance, which nscd was excellent
> for. NSCD does odd things when the MySQL queries return numbers
> significantly smaller than the number of rows in the user auth tables --
> I found that it would periodically just crash when I had disabled or
> locked-out accounts. A daemon which checks and restarts core services
> was all I needed to take care of it, though.

If you have daemons that crash periodically and need to be restarted, I
would say that counts as stability issues. At least it does in my book.

But if you can live with it, then it's all good. I prefer the stability
of LDAP however :)

--
Anders
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/O d--@ s:+ a-- C++ UL+++$ P++ L+++ E- W+ N(+) o K? w O-- M- V
PS+ PE@ Y+ PGP+ t 5 X R+ tv+ b++ DI+++ D+ G e- h !r y?
------END GEEK CODE BLOCK------
PGPKey: http://random.sks.keyserver.penguin.de:11371/pks/lookup?op=get&search=0xD4DEFED0
--
gentoo-security@g.o mailing list