On Sun, Feb 09, 2020 at 11:06:46PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
> For some reason, for a particular user, sss_ssh_authorizedkeys is extremely slow on
the IPA-server:
> time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m9.520suser 0m0.022ssys 0m0.018s
> It will return all the public keys, but is is slow, causing SSH-login delays using a
ssh-keys.
> On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
> time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m0.020suser 0m0.005ssys 0m0.003s
> Some difference...Adding "certificate_verification = no_ocsp" to sssd.conf
on the IPA-server will bring back performance, but sound like a poor workaround.
> Any idea what is happening here?
SSSD picks up certificates associated with the user entry for use as SSH
keys as well. I guess verification of those certificates via OCSP takes
time and that's why switching off the verification helps.
Hi,
if you are not interested in this feature at all you can disable it
completely in recent versions of SSSD by setting
'ssh_use_certificate_keys = False' in the [ssh] section of sssd.conf.
Please check if 'man sssd.conf' shows this option for your version of
SSSD.
HTH
bye,
Sumit
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...