[Freeipa-users] Slow SSH login for IPA users only

Guillem Liarte guillem.liarte at googlemail.com
Wed Oct 7 10:07:08 UTC 2015


All,

I have an IPA 4.1 installation that works perfectly. We just suffer from
slow logins (this is also slow in other operations such as invoking SUDO).

IPA user:

1st login: 30 seconds
2nd login: 8 seconds
3rd login: 6.5 seconds
4th login: 20 seconds

Local user:

Consistently under 2 seconds

In SSH I have tried:

Setting UseDNS to no
Setting GSSAPIAuthentication to no

I have tried various things that would work on a slow SSH, with no effect.
In fact, local users have no problem.

DNS both forward and reverse works well, works fast and gives consistent
results. That is not the issue.

While trying to find out more about the issue, I see that after the client
has connected, it spends most of the time here:

[...]
debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
debug1: Authentication succeeded (publickey).
[...]

At first I thought it might be the key retrieval from the IPA service, but it
is actually quite fast:

time /usr/bin/sss_ssh_authorizedkeys testuser
real    0m0.209s

We have all the configuration files just as they were after installing the
ipa-client. The only modification was made to sshd_config, as these two
lines:

AuthorizedKeysCommand  /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

I also tried removing the _srv_ in the ipa server line in sssd.conf, but
that did not make any difference either.

So, in brief:

- SSH is fast for local users
- authorized keys get retrieved quickly
- no DNS issues.
- IPA users take from 6 to 30 seconds to login (and also to perform sudo
invocations)
- While watching ssh logins, for ipa users, it takes a long time to pass
these two:

   - input_userauth_pk_ok
   - sign_and_send_pubkey

Could someone give me an idea of what to try next?

Thanks!