6:54 a.m.
Hi all,
For some reason, for a particular user, sss_ssh_authorizedkeys is extremely slow on the
IPA-server:
time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m9.520suser 0m0.022ssys 0m0.018s
It will return all the public keys, but is is slow, causing SSH-login delays using a
ssh-keys.
On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m0.020suser 0m0.005ssys 0m0.003s
Some difference...Adding "certificate_verification = no_ocsp" to sssd.conf on
the IPA-server will bring back performance, but sound like a poor workaround.
Any idea what is happening here?
Some more details:CentOS Linux release 8.1.1911 (Core)
(stream)ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64sssd-common-2.2.0-19.el8.x86_64
Winfried
12:20 p.m.
Have you check authentication source order in nsswitch.conf ? Maybe there it hit some
timeout or so.
From: Winfried de Heiden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: dimanche 9 février 2020 13:55
To: freeipa-users(a)lists.fedorahosted.org
Cc: Winfried de Heiden <wdh(a)dds.nl>
Subject: [Freeipa-users] sss_ssh_authorizedkeys slow on IPA-server
Hi all,
For some reason, for a particular user, sss_ssh_authorizedkeys is extremely slow on the
IPA-server:
time /usr/bin/sss_ssh_authorizedkeys <username>
~
real 0m9.520s
user 0m0.022s
sys 0m0.018s
It will return all the public keys, but is is slow, causing SSH-login delays using a
ssh-keys.
On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
time /usr/bin/sss_ssh_authorizedkeys <username>
~
real 0m0.020s
user 0m0.005s
sys 0m0.003s
Some difference...
Adding "certificate_verification = no_ocsp" to sssd.conf on the IPA-server will
bring back performance, but sound like a poor workaround.
Any idea what is happening here?
Some more details:
CentOS Linux release 8.1.1911 (Core) (stream)
ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
sssd-common-2.2.0-19.el8.x86_64
Winfried
3:06 p.m.
On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
For some reason, for a particular user, sss_ssh_authorizedkeys is extremely slow on the
IPA-server:
time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m9.520suser 0m0.022ssys 0m0.018s
It will return all the public keys, but is is slow, causing SSH-login delays using a
ssh-keys.
On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m0.020suser 0m0.005ssys 0m0.003s
Some difference...Adding "certificate_verification = no_ocsp" to sssd.conf on
the IPA-server will bring back performance, but sound like a poor workaround.
Any idea what is happening here?
SSSD picks up certificates associated with the user entry for use as SSH
keys as well. I guess verification of those certificates via OCSP takes
time and that's why switching off the verification helps.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1:13 a.m.
On Sun, Feb 09, 2020 at 11:06:46PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
> For some reason, for a particular user, sss_ssh_authorizedkeys is extremely slow on
the IPA-server:
> time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m9.520suser 0m0.022ssys 0m0.018s
> It will return all the public keys, but is is slow, causing SSH-login delays using a
ssh-keys.
> On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
> time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m0.020suser 0m0.005ssys 0m0.003s
> Some difference...Adding "certificate_verification = no_ocsp" to sssd.conf
on the IPA-server will bring back performance, but sound like a poor workaround.
> Any idea what is happening here?
SSSD picks up certificates associated with the user entry for use as SSH
keys as well. I guess verification of those certificates via OCSP takes
time and that's why switching off the verification helps.
Hi,
if you are not interested in this feature at all you can disable it
completely in recent versions of SSSD by setting
'ssh_use_certificate_keys = False' in the [ssh] section of sssd.conf.
Please check if 'man sssd.conf' shows this option for your version of
SSSD.
HTH
bye,
Sumit
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
2:56 a.m.
Hi all,
Seems like a usefull feature; oscp and I rather keep it enabled. On all
other IPA-clients, even a Raspberry Pi 3, it is much much more fast. On
the IPA-server is suffering here :(
What could be causing this slowness....
Winfried
Op 10-02-2020 om 08:13 schreef Sumit Bose via FreeIPA-users:
> On Sun, Feb 09, 2020 at 11:06:46PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
>> On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
>>> Hi all,
>>> For some reason, for a particular user, sss_ssh_authorizedkeys is extremely
slow on the IPA-server:
>>> time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m9.520suser 0m0.022ssys 0m0.018s
>>> It will return all the public keys, but is is slow, causing SSH-login delays
using a ssh-keys.
>>> On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
>>> time /usr/bin/sss_ssh_authorizedkeys
<username>~real 0m0.020suser 0m0.005ssys 0m0.003s
>>> Some difference...Adding "certificate_verification = no_ocsp" to
sssd.conf on the IPA-server will bring back performance, but sound like a poor
workaround.
>>> Any idea what is happening here?
>> SSSD picks up certificates associated with the user entry for use as SSH
>> keys as well. I guess verification of those certificates via OCSP takes
>> time and that's why switching off the verification helps.
> Hi,
>
> if you are not interested in this feature at all you can disable it
> completely in recent versions of SSSD by setting
> 'ssh_use_certificate_keys = False' in the [ssh] section of sssd.conf.
> Please check if 'man sssd.conf' shows this option for your version of
> SSSD.
>
> HTH
>
> bye,
> Sumit
>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
2:54 a.m.
Hi all,
Yep, I do use user-certs for authentication and it seems ocsp takes
time; but only on the IPA-server. Even on a Rapsberry Pi 3 as an
IPA-client, using the same IPA-server, it is 4 times faster...
Hence; something seems going wrong in oscp, but what could be causing
the problem?
Winfried
Op 09-02-2020 om 22:06 schreef Alexander Bokovoy:
> On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
>> Hi all,
>> For some reason, for a particular user, sss_ssh_authorizedkeys is
>> extremely slow on the IPA-server:
>> time /usr/bin/sss_ssh_authorizedkeys <username>~real 0m9.520suser
>> 0m0.022ssys 0m0.018s
>> It will return all the public keys, but is is slow, causing SSH-login
>> delays using a ssh-keys.
>> On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
>> time /usr/bin/sss_ssh_authorizedkeys <username>~real 0m0.020suser
>> 0m0.005ssys 0m0.003s
>> Some difference...Adding "certificate_verification = no_ocsp" to
>> sssd.conf on the IPA-server will bring back performance, but sound
>> like a poor workaround.
>> Any idea what is happening here?
>
> SSSD picks up certificates associated with the user entry for use as SSH
> keys as well. I guess verification of those certificates via OCSP takes
> time and that's why switching off the verification helps.
>
>
3:46 a.m.
On Mon, Feb 10, 2020 at 09:54:04AM +0100, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
Yep, I do use user-certs for authentication and it seems ocsp takes time;
but only on the IPA-server. Even on a Rapsberry Pi 3 as an IPA-client, using
the same IPA-server, it is 4 times faster...
Hence; something seems going wrong in oscp, but what could be causing the
problem?
Hi,
which versions of SSSD are using one the client and the server? Older
version of SSSD might use NSS and do the certificate validation in the
ssh responder process, newer version might use OpenSSL and do the
validation with the help of p11_child. Not sure if any of this might be
a reason.
Maybe you can take network trace of the communication with the OCSP
responder to see if the delay happens on the network?
bye,
Sumit
Winfried
Op 09-02-2020 om 22:06 schreef Alexander Bokovoy:
> On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
> > Hi all,
> > For some reason, for a particular user, sss_ssh_authorizedkeys is
> > extremely slow on the IPA-server:
> > time /usr/bin/sss_ssh_authorizedkeys <username>~real 0m9.520suser
> > 0m0.022ssys 0m0.018s
> > It will return all the public keys, but is is slow, causing
> > SSH-login delays using a ssh-keys.
> > On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
> > time /usr/bin/sss_ssh_authorizedkeys <username>~real 0m0.020suser
> > 0m0.005ssys 0m0.003s
> > Some difference...Adding "certificate_verification = no_ocsp" to
> > sssd.conf on the IPA-server will bring back performance, but sound
> > like a poor workaround.
> > Any idea what is happening here?
>
> SSSD picks up certificates associated with the user entry for use as SSH
> keys as well. I guess verification of those certificates via OCSP takes
> time and that's why switching off the verification helps.
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
6:44 a.m.
Hi all,
sssd 2.20 is being used.
I cannot figure out why the network might cause problems since the "good
clients" are running on the same network, switches etc.
I dived into it anyway, finding a rather large and increasing number of
dropped packages and dive into that first. Nevertheless, this hardly
cannot be the cause since the issue only happens on the IPA-server
itself...
Winfried
Sumit Bose via FreeIPA-users schreef op 10-02-2020 10:46:
> On Mon, Feb 10, 2020 at 09:54:04AM +0100, Winfried de Heiden via
> FreeIPA-users wrote:
>> Hi all,
>>
>> Yep, I do use user-certs for authentication and it seems ocsp takes
>> time;
>> but only on the IPA-server. Even on a Rapsberry Pi 3 as an IPA-client,
>> using
>> the same IPA-server, it is 4 times faster...
>>
>> Hence; something seems going wrong in oscp, but what could be causing
>> the
>> problem?
>
> Hi,
>
> which versions of SSSD are using one the client and the server? Older
> version of SSSD might use NSS and do the certificate validation in the
> ssh responder process, newer version might use OpenSSL and do the
> validation with the help of p11_child. Not sure if any of this might be
> a reason.
>
> Maybe you can take network trace of the communication with the OCSP
> responder to see if the delay happens on the network?
>
> bye,
> Sumit
>
>>
>> Winfried
>>
>> Op 09-02-2020 om 22:06 schreef Alexander Bokovoy:
>> > On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
>> > > Hi all,
>> > > For some reason, for a particular user, sss_ssh_authorizedkeys is
>> > > extremely slow on the IPA-server:
>> > > time /usr/bin/sss_ssh_authorizedkeys <username>~real
0m9.520suser
>> > > 0m0.022ssys 0m0.018s
>> > > It will return all the public keys, but is is slow, causing
>> > > SSH-login delays using a ssh-keys.
>> > > On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
>> > > time /usr/bin/sss_ssh_authorizedkeys <username>~real
0m0.020suser
>> > > 0m0.005ssys 0m0.003s
>> > > Some difference...Adding "certificate_verification = no_ocsp"
to
>> > > sssd.conf on the IPA-server will bring back performance, but sound
>> > > like a poor workaround.
>> > > Any idea what is happening here?
>> >
>> > SSSD picks up certificates associated with the user entry for use as SSH
>> > keys as well. I guess verification of those certificates via OCSP takes
>> > time and that's why switching off the verification helps.
>> >
>> >
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
12:11 a.m.
On Mon, Feb 10, 2020 at 01:44:52PM +0100, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
sssd 2.20 is being used.
Hi,
with this version all validation should be done with the help of
p11_child. If you add debug_level=9 to the [ssh] section of sssd.conf
you should be able to see from the p11_child.log where the time is
spend.
bye,
Sumit
I cannot figure out why the network might cause problems since the "good
clients" are running on the same network, switches etc.
I dived into it anyway, finding a rather large and increasing number of
dropped packages and dive into that first. Nevertheless, this hardly cannot
be the cause since the issue only happens on the IPA-server itself...
Winfried
Sumit Bose via FreeIPA-users schreef op 10-02-2020 10:46:
> On Mon, Feb 10, 2020 at 09:54:04AM +0100, Winfried de Heiden via
> FreeIPA-users wrote:
> > Hi all,
> >
> > Yep, I do use user-certs for authentication and it seems ocsp takes
> > time;
> > but only on the IPA-server. Even on a Rapsberry Pi 3 as an
> > IPA-client, using
> > the same IPA-server, it is 4 times faster...
> >
> > Hence; something seems going wrong in oscp, but what could be
> > causing the
> > problem?
>
> Hi,
>
> which versions of SSSD are using one the client and the server? Older
> version of SSSD might use NSS and do the certificate validation in the
> ssh responder process, newer version might use OpenSSL and do the
> validation with the help of p11_child. Not sure if any of this might be
> a reason.
>
> Maybe you can take network trace of the communication with the OCSP
> responder to see if the delay happens on the network?
>
> bye,
> Sumit
>
> >
> > Winfried
> >
> > Op 09-02-2020 om 22:06 schreef Alexander Bokovoy:
> > > On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
> > > > Hi all,
> > > > For some reason, for a particular user, sss_ssh_authorizedkeys is
> > > > extremely slow on the IPA-server:
> > > > time /usr/bin/sss_ssh_authorizedkeys <username>~real
0m9.520suser
> > > > 0m0.022ssys 0m0.018s
> > > > It will return all the public keys, but is is slow, causing
> > > > SSH-login delays using a ssh-keys.
> > > > On another CentOS Stream (8.1) IPA-client, using the same
IPA-server:
> > > > time /usr/bin/sss_ssh_authorizedkeys <username>~real
0m0.020suser
> > > > 0m0.005ssys 0m0.003s
> > > > Some difference...Adding "certificate_verification =
no_ocsp" to
> > > > sssd.conf on the IPA-server will bring back performance, but sound
> > > > like a poor workaround.
> > > > Any idea what is happening here?
> > >
> > > SSSD picks up certificates associated with the user entry for use as SSH
> > > keys as well. I guess verification of those certificates via OCSP takes
> > > time and that's why switching off the verification helps.
> > >
> > >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
9:01 a.m.
Hi all,
Got rid of the dropped packages by simply restarting the Cable
modem/router...
Anyway, this wasn't the problem. Still cannot find the reason why
sss_ssh_authorizedkeys slow on IPA-server is so slow, ONLY on the
IPA-server...
Winfried
Op 10-02-2020 om 13:44 schreef Winfried de Heiden via FreeIPA-users:
> Hi all,
>
> sssd 2.20 is being used.
>
> I cannot figure out why the network might cause problems since the
> "good clients" are running on the same network, switches etc.
>
> I dived into it anyway, finding a rather large and increasing number
> of dropped packages and dive into that first. Nevertheless, this
> hardly cannot be the cause since the issue only happens on the
> IPA-server itself...
>
> Winfried
>
> Sumit Bose via FreeIPA-users schreef op 10-02-2020 10:46:
>> On Mon, Feb 10, 2020 at 09:54:04AM +0100, Winfried de Heiden via
>> FreeIPA-users wrote:
>>> Hi all,
>>>
>>> Yep, I do use user-certs for authentication and it seems ocsp takes
>>> time;
>>> but only on the IPA-server. Even on a Rapsberry Pi 3 as an
>>> IPA-client, using
>>> the same IPA-server, it is 4 times faster...
>>>
>>> Hence; something seems going wrong in oscp, but what could be
>>> causing the
>>> problem?
>>
>> Hi,
>>
>> which versions of SSSD are using one the client and the server? Older
>> version of SSSD might use NSS and do the certificate validation in the
>> ssh responder process, newer version might use OpenSSL and do the
>> validation with the help of p11_child. Not sure if any of this might be
>> a reason.
>>
>> Maybe you can take network trace of the communication with the OCSP
>> responder to see if the delay happens on the network?
>>
>> bye,
>> Sumit
>>
>>>
>>> Winfried
>>>
>>> Op 09-02-2020 om 22:06 schreef Alexander Bokovoy:
>>> > On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
>>> > > Hi all,
>>> > > For some reason, for a particular user, sss_ssh_authorizedkeys is
>>> > > extremely slow on the IPA-server:
>>> > > time /usr/bin/sss_ssh_authorizedkeys <username>~real
0m9.520suser
>>> > > 0m0.022ssys 0m0.018s
>>> > > It will return all the public keys, but is is slow, causing
>>> > > SSH-login delays using a ssh-keys.
>>> > > On another CentOS Stream (8.1) IPA-client, using the same
>>> IPA-server:
>>> > > time /usr/bin/sss_ssh_authorizedkeys <username>~real
0m0.020suser
>>> > > 0m0.005ssys 0m0.003s
>>> > > Some difference...Adding "certificate_verification =
no_ocsp" to
>>> > > sssd.conf on the IPA-server will bring back performance, but sound
>>> > > like a poor workaround.
>>> > > Any idea what is happening here?
>>> >
>>> > SSSD picks up certificates associated with the user entry for use
>>> as SSH
>>> > keys as well. I guess verification of those certificates via OCSP
>>> takes
>>> > time and that's why switching off the verification helps.
>>> >
>>> >
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
4:26 a.m.
Hi all,
After all, no issues at all with FreeIPA. The reboot of the Cable modem
caused changing the IPv6 Prefix Delegation, more or less destroying my
IPv6 setup.
After fixing IPv6 (enabled on IPA also :) ) all is going blazing fast again.
Winfried
Op 11-02-2020 om 16:01 schreef Winfried de Heiden via FreeIPA-users:
Hi all,
Got rid of the dropped packages by simply restarting the Cable
modem/router...
Anyway, this wasn't the problem. Still cannot find the reason why
sss_ssh_authorizedkeys slow on IPA-server is so slow, ONLY on the
IPA-server...
Winfried
Op 10-02-2020 om 13:44 schreef Winfried de Heiden via FreeIPA-users:
> Hi all,
>
> sssd 2.20 is being used.
>
> I cannot figure out why the network might cause problems since the
> "good clients" are running on the same network, switches etc.
>
> I dived into it anyway, finding a rather large and increasing number
> of dropped packages and dive into that first. Nevertheless, this
> hardly cannot be the cause since the issue only happens on the
> IPA-server itself...
>
> Winfried
>
> Sumit Bose via FreeIPA-users schreef op 10-02-2020 10:46:
>> On Mon, Feb 10, 2020 at 09:54:04AM +0100, Winfried de Heiden via
>> FreeIPA-users wrote:
>>> Hi all,
>>>
>>> Yep, I do use user-certs for authentication and it seems ocsp takes
>>> time;
>>> but only on the IPA-server. Even on a Rapsberry Pi 3 as an
>>> IPA-client, using
>>> the same IPA-server, it is 4 times faster...
>>>
>>> Hence; something seems going wrong in oscp, but what could be
>>> causing the
>>> problem?
>>
>> Hi,
>>
>> which versions of SSSD are using one the client and the server? Older
>> version of SSSD might use NSS and do the certificate validation in the
>> ssh responder process, newer version might use OpenSSL and do the
>> validation with the help of p11_child. Not sure if any of this might be
>> a reason.
>>
>> Maybe you can take network trace of the communication with the OCSP
>> responder to see if the delay happens on the network?
>>
>> bye,
>> Sumit
>>
>>>
>>> Winfried
>>>
>>> Op 09-02-2020 om 22:06 schreef Alexander Bokovoy:
>>> > On su, 09 helmi 2020, Winfried de Heiden via FreeIPA-users wrote:
>>> > > Hi all,
>>> > > For some reason, for a particular user, sss_ssh_authorizedkeys is
>>> > > extremely slow on the IPA-server:
>>> > > time /usr/bin/sss_ssh_authorizedkeys <username>~real
0m9.520suser
>>> > > 0m0.022ssys 0m0.018s
>>> > > It will return all the public keys, but is is slow, causing
>>> > > SSH-login delays using a ssh-keys.
>>> > > On another CentOS Stream (8.1) IPA-client, using the same
>>> IPA-server:
>>> > > time /usr/bin/sss_ssh_authorizedkeys <username>~real
0m0.020suser
>>> > > 0m0.005ssys 0m0.003s
>>> > > Some difference...Adding "certificate_verification =
no_ocsp" to
>>> > > sssd.conf on the IPA-server will bring back performance, but sound
>>> > > like a poor workaround.
>>> > > Any idea what is happening here?
>>> >
>>> > SSSD picks up certificates associated with the user entry for use
>>> as SSH
>>> > keys as well. I guess verification of those certificates via OCSP
>>> takes
>>> > time and that's why switching off the verification helps.
>>> >
>>> >
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1529
days inactive
1537
days old
freeipa-users@lists.fedorahosted.org
10 comments
4 participants
participants (4)
-
Alexander Bokovoy -
Christophe TREFOIS -
Sumit Bose -
Winfried de Heiden