Hi all,
Seems like a useful feature, OCSP, and I'd rather keep it enabled. On all
other IPA-clients, even a Raspberry Pi 3, it is much, much faster. Only
the IPA-server is suffering here :(
What could be causing this slowness?
Winfried
On 10-02-2020 at 08:13, Sumit Bose via FreeIPA-users wrote:
On Sun, Feb 09, 2020 at 11:06:46PM +0200, Alexander Bokovoy via FreeIPA-users
wrote:
On Sun, 09 Feb 2020, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
For some reason, for a particular user, sss_ssh_authorizedkeys is extremely
slow on the IPA-server:
time /usr/bin/sss_ssh_authorizedkeys <username>
real 0m9.520s
user 0m0.022s
sys 0m0.018s
It will return all the public keys, but it is slow, causing SSH-login delays
when using ssh-keys.
On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
time /usr/bin/sss_ssh_authorizedkeys <username>
real 0m0.020s
user 0m0.005s
sys 0m0.003s
Some difference...
Adding "certificate_verification = no_ocsp" to sssd.conf on
the IPA-server will bring back performance, but sounds like a poor workaround.
Any idea what is happening here?
SSSD picks up certificates associated with the user entry for use as SSH
keys as well. I guess verification of those certificates via OCSP takes
time and that's why switching off the verification helps.
Hi,
if you are not interested in this feature at all you can disable it
completely in recent versions of SSSD by setting
'ssh_use_certificate_keys = False' in the [ssh] section of sssd.conf.
Please check if 'man sssd.conf' shows this option for your version of
SSSD.
HTH
bye,
Sumit
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
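
Added example (not part of the original thread and not SSSD project code): a small Python check that reads an sssd.conf and reports which of the two settings discussed above is in effect, so a host where OCSP checking was switched off as a workaround can be spotted later. The sample configs are constructed; the placement of certificate_verification in [sssd], the no_verification value and the default of True for ssh_use_certificate_keys are assumptions taken from the sssd.conf man page, not from the thread.

```python
import configparser

# Constructed sample: the no_ocsp workaround from the thread applied.
SAMPLE_WORKAROUND = """\
[sssd]
services = nss, pam, ssh
domains = example.test
certificate_verification = no_ocsp

[domain/example.test]
id_provider = ipa
"""

# Constructed sample: OCSP left on, certificate-derived SSH keys switched off.
SAMPLE_NO_CERT_KEYS = """\
[sssd]
services = nss, pam, ssh

[ssh]
ssh_use_certificate_keys = False
"""


def audit_sssd_conf(text):
    """Report how certificate-derived SSH keys are handled by this config."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)

    # certificate_verification is a comma-separated option list (assumed: [sssd]).
    raw = cp.get("sssd", "certificate_verification", fallback="")
    opts = {o.strip().lower() for o in raw.split(",") if o.strip()}
    ocsp = not ({"no_ocsp", "no_verification"} & opts)

    # Assumed default: certificates are used as SSH keys unless set to False.
    value = cp.get("ssh", "ssh_use_certificate_keys", fallback="True")
    cert_keys = value.strip().lower() != "false"

    findings = []
    if cert_keys and not ocsp:
        findings.append("certificate keys accepted without OCSP revocation check")
    if cert_keys and ocsp:
        findings.append("key lookups depend on OCSP responder latency")
    return {"cert_keys": cert_keys, "ocsp": ocsp, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("workaround", SAMPLE_WORKAROUND),
                       ("no cert keys", SAMPLE_NO_CERT_KEYS)):
        print(name, audit_sssd_conf(conf))
```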