[Freeipa-users] Re: sss_ssh_authorizedkeys slow on IPA-server

Mon, 10 Feb 2020 00:57:59 -0800 

Hi all,
Seems like a usefull feature; oscp and I rather keep it enabled. On all other IPA-clients, even a Raspberry Pi 3, it is much much more fast. On the IPA-server is suffering here :( 

What could be causing this slowness....

Winfried


Op 10-02-2020 om 08:13 schreef Sumit Bose via FreeIPA-users:

On Sun, Feb 09, 2020 at 11:06:46PM +0200, Alexander Bokovoy via FreeIPA-users 
wrote:

On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:

Hi all,
For some reason, for a particular user, sss_ssh_authorizedkeys is extremely 
slow on the IPA-server:
time /usr/bin/sss_ssh_authorizedkeys <username>~real      0m9.520suser    
0m0.022ssys     0m0.018s
It will return all the public keys, but is is slow, causing SSH-login delays 
using a ssh-keys.
On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
time /usr/bin/sss_ssh_authorizedkeys <username>~real      0m0.020suser    
0m0.005ssys     0m0.003s
Some difference...Adding "certificate_verification = no_ocsp" to sssd.conf on 
the IPA-server will bring back performance, but sound like a poor workaround.
Any idea what is happening here?

SSSD picks up certificates associated with the user entry for use as SSH
keys as well. I guess verification of those certificates via OCSP takes
time and that's why switching off the verification helps.

Hi,

if you are not interested in this feature at all you can disable it
completely in recent versions of SSSD by setting
'ssh_use_certificate_keys = False' in the [ssh] section of sssd.conf.
Please check if 'man sssd.conf' shows this option for your version of
SSSD.

HTH

bye,
Sumit



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org






















					Reply via email to