Password file
Keith Woodworth
kwoody at citytel.net
Fri Jul 14 02:05:58 UTC 2006
On Thu, 13 Jul 2006, David J. Orman wrote:
|->1 - SSH daemon changes in 4.11 would be my guess
|->2 - Changed UID/GID for postfix user. You need to chown/chmod the spool directory/contents
|->properly using the new postfix user account UID/GID
|->3 - No idea.
|->
|->Your best bet is going to be reinstall, it'll be much less painful IMO. Secondly, the way you are
|->handling this, is bad. It may have worked for a long time, but it's not
|->the correct way to go about this.
|->
|->#1 - You should not allow root login via ssh. You should ssh as a normal user and su. This is for all
|->cases, not just automated processes. Bad bad bad.
|->
|->#2 - Although you didn't explain why, it *seems* as if you're copying the master.passwd file/rebuilding
|->your pwdb to make sure user accounts are synched on the machines? If so
|->- no comment, other than stop right now. In this kind of deployment,
|->where you have multiple servers which need to have synchronized user
|->accounts, you need to set up some kind of directory server (LDAP would
|->be most common - OpenLDAP is a free LDAP server.) Then your servers can
|->do authentication via the LDAP store. Virtual users in postfix can be
|->handled the same way.
Hi.
For ssh, yes that is possible. I was going to do that for postfix, but as
I had just recompiled it with pcre about 2 hrs before, I just did a make;
make upgrade with postfix and it's running again as all perms were good to
begin with.
As for not being able to ssh in as a user, I used rmuser to delete the
user from the password file and added them back and now I can ssh into the
server again with those user accounts. My only other issue now is named. I
can't just go rmuser root and add root in again. Almost like the processes
lost 'state' when I dicked with the passwd file. Dumbass idiot I am, I
should know better... Hell, just a simple reboot might fix it...but I'm
not ready to try that yet.
I know it's not a good idea for root logins, but it was one of those
temporary things that we just kept around. It is only one server that does
this and we have it so only one machine can login as root via wrappers and
ACLs.
And this is the way user accounts are sync'd between two servers. Not
pretty I know and I know not the correct way. But at the time (over a year
ago now) it was quick and easy to do. And now that I think about it, I had
copied the passwd file first then installed all the other programs.
All in all, we will be undergoing a large paradigm shift in the next 3 or
4 months and will need to go to an LDAP type system as we are integrating
two very disparate ISPs into one and will need something like that to
make it all work.
Thanks for the reply, it was appreciated.
Keith