Password file

Keith Woodworth kwoody at citytel.net
Fri Jul 14 02:05:58 UTC 2006


On Thu, 13 Jul 2006, David J. Orman wrote:

|->1 - SSH daemon changes in 4.11 would be my guess
|->2 - Changed UID/GID for postfix user. You need to chown/chmod the spool directory/contents
|->   properly using the new postfix user account UID/GID
|->3 - No idea.
|->
|->Your best bet is going to be reinstall, it'll be much less painful IMO. Secondly, the way you are
|->handling this is bad. It may have worked for a long time, but it's not
|->the correct way to go about this.
|->
|->#1 - You should not allow root login via ssh. You should ssh as a normal user and su. This is for all
|->cases, not just automated processes. Bad bad bad.
|->
|->#2 - Although you didn't explain why, it *seems* as if you're copying the master.passwd file/rebuilding
|->your pwdb to make sure user accounts are synched on the machines? If so
|->- no comment, other than stop right now. In this kind of deployment,
|->where you have multiple servers which need to have synchronized user
|->accounts, you need to set up some kind of directory server (LDAP would
|->be most common - OpenLDAP is a free LDAP server.) Then your servers can
|->do authentication via the LDAP store. Virtual users in postfix can be
|->handled the same way.

Hi.

For ssh, yes that is possible. I was going to do that for postfix, but as
I had just recompiled it with pcre about 2 hrs before, I just did a make;
make upgrade with postfix and it's running again as all perms were good to
begin with.

As for not being able to ssh in as a user, I used rmuser to delete the
user from the password file and added them back and now I can ssh into the
server again with those user accounts. My only other issue now is named. I
can't just go rmuser root and add root in again. Almost like the processes
lost 'state' when I dicked with the passwd file. Dumbass idiot I am, I
should know better... Hell, just a simple reboot might fix it... but I'm
not ready to try that yet.

I know it's not a good idea for root logins, but it was one of those
temporary things that we just kept around. It is only one server that does
this and we have it so only one machine can login as root via wrappers and
ACLs.

And this is the way user accounts are sync'd between two servers. Not
pretty I know and I know not the correct way. But at the time (over a year
ago now) it was quick and easy to do. And now that I think about it, I had
copied the passwd file first then installed all the other programs.

All in all, we will be undergoing a large paradigm shift in the next 3 or
4 months and will need to go to an LDAP-type system as we are integrating
two very disparate ISPs into one and will need something like that to
make it all work.

Thanks for the reply, it was appreciated.
Keith
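A check for point #1 in David's reply, added here as an example and not part of either message: it reads the global PermitRootLogin setting of an sshd_config the way sshd itself resolves it, run against constructed sample files (the paths and contents are made up for the demo).

```sh
#!/bin/sh
# Added example, not code from the thread. Reports the effective global
# PermitRootLogin value of an sshd_config file. sshd honours the FIRST
# value it meets for a keyword, and anything after a "Match" line applies
# only inside that block, so a "no" placed below an earlier "yes" (or
# below a Match) leaves root logins enabled. Keywords are case-insensitive
# and may be written "Keyword value" or "Keyword=value".
effective_permit_root_login() {
    awk '
        { sub(/^[[:space:]]+/, "") }                 # drop leading indentation
        /^#/ || /^$/ { next }                        # skip comments and blank lines
        { split($0, f, /[[:space:]=]+/); key = tolower(f[1]) }
        key == "match" { exit }                      # global section ends here
        key == "permitrootlogin" { print tolower(f[2]); exit }   # first one wins
    ' "$1"
}

# Succeeds (exit 0) only when root logins are explicitly disabled globally.
# Empty output from the function means the directive is unset and the
# daemon's compiled-in default applies, which this check treats as a fail.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (hypothetical paths, not files from the thread).
DEMO=$(mktemp -d)
cat > "$DEMO/weak.conf" <<'EOF'
# left over from a "temporary" setup
PermitRootLogin yes
EOF
cat > "$DEMO/misleading.conf" <<'EOF'
# looks fixed, but the "no" is scoped to one client address only
Match Address 192.0.2.10
    PermitRootLogin no
EOF
cat > "$DEMO/fixed.conf" <<'EOF'
PermitRootLogin no
AllowGroups wheel
EOF

for f in weak misleading fixed; do
    printf '%-12s PermitRootLogin=%s\n' "$f:" "$(effective_permit_root_login "$DEMO/$f.conf")"
done
```

On a live host with a current OpenSSH, `sshd -T` run as root prints the values the installed daemon would actually use, which is the authoritative check.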

More information about the freebsd-isp mailing list