On Sun, Feb 09, 2020 at 11:06:46PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> On Sun, 09 Feb 2020, Winfried de Heiden via FreeIPA-users wrote:
> > Hi all,
> >
> > For some reason, for a particular user, sss_ssh_authorizedkeys is extremely
> > slow on the IPA-server:
> >
> > time /usr/bin/sss_ssh_authorizedkeys <username>
> > real 0m9.520s
> > user 0m0.022s
> > sys 0m0.018s
> >
> > It will return all the public keys, but it is slow, causing SSH-login
> > delays using ssh-keys.
> >
> > On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
> >
> > time /usr/bin/sss_ssh_authorizedkeys <username>
> > real 0m0.020s
> > user 0m0.005s
> > sys 0m0.003s
> >
> > Some difference... Adding "certificate_verification = no_ocsp" to sssd.conf
> > on the IPA-server will bring back performance, but sounds like a poor
> > workaround.
> >
> > Any idea what is happening here?
>
> SSSD picks up certificates associated with the user entry for use as SSH
> keys as well. I guess verification of those certificates via OCSP takes
> time and that's why switching off the verification helps.

Hi,

if you are not interested in this feature at all you can disable it
completely in recent versions of SSSD by setting
'ssh_use_certificate_keys = False' in the [ssh] section of sssd.conf.
Please check if 'man sssd.conf' shows this option for your version of
SSSD.

HTH

bye,
Sumit

>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
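
Added example, not part of the thread and not SSSD project code: a POSIX shell check that reports which of the two workarounds discussed above a given sssd.conf uses, so a host where OCSP checking was switched off can be told apart from one where only certificate-derived SSH keys were disabled. The function names are hypothetical, and the placement of certificate_verification in the [sssd] section is an assumption (the thread only says "sssd.conf").

```shell
#!/bin/sh
# ini_get FILE SECTION KEY
# Prints the last value assigned to KEY inside [SECTION]; prints an empty
# line if the key is unset or only appears in a comment.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# sssd_ssh_cert_mode FILE
# Prints one of:
#   ocsp-disabled           certificate_verification lists no_ocsp
#   ssh-cert-keys-disabled  [ssh] ssh_use_certificate_keys is false
#   default                 neither workaround is configured
sssd_ssh_cert_mode() {
    conf=$1
    # Assumption: certificate_verification lives in the [sssd] section.
    verify=$(ini_get "$conf" sssd certificate_verification)
    usekeys=$(ini_get "$conf" ssh ssh_use_certificate_keys | tr 'A-Z' 'a-z')

    # The value is a comma-separated list; match no_ocsp as a whole item.
    case ",$(printf '%s' "$verify" | tr -d ' \t')," in
        *,no_ocsp,*) echo "ocsp-disabled"; return ;;
    esac
    case "$usekeys" in
        false) echo "ssh-cert-keys-disabled" ;;
        *)     echo "default" ;;
    esac
}

# Usage: sssd_ssh_cert_mode /etc/sssd/sssd.conf
```

When both settings are present the function reports ocsp-disabled, since that is the setting the original poster called a poor workaround.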