[Freeipa-users] Slow SSH login for IPA users only
Sumit Bose
sbose at redhat.com
Wed Oct 7 10:35:57 UTC 2015
On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> All,
>
> I have an IPA 4.1 installation that works perfectly. We just suffer from
> slow logins (this is also slow in other operations such as invoking SUDO)
>
> IPA user:
>
> 1st. login: 30 seconds
> 2nd login: 8 seconds
> 3rd login: 6.5 seconds
> 4th login: 20 seconds
>
> Local user:
>
> Consistently under 2 seconds
>
> In SSH I have tried:
>
> Setting UseDNS to no
> Setting GSSAPIAuthentication to no
>
> I have tried various things that would work on a slow SSH, with no effect.
> In fact, local users have no problem.
>
> DNS both forward and reverse works well, works fast and gives consistent
> results. That is not the issue.
>
> While trying to find out more about the issue, I see that after the client
> has connected, it spends most of the time here:
>
> [...]
> debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug1: Authentication succeeded (publickey).
> [...]
>
> At first I thought it might be the key retrieval from the IPA service, but it
> is actually quite fast:
>
> time /usr/bin/sss_ssh_authorizedkeys testuser
> real 0m0.209s
>
> We have all the configuration files just as they were after installing the
> ipa-client. The only modification was made to sshd_config as these two
> lines:
>
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser nobody
>
> I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> that did not make any difference either.
>
> So, in brief:
>
> - SSH is fast for local users
> - authorized keys get retrieved quickly
> - no DNS issues.
> - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> invocations)
> - While watching ssh logins, for ipa users, it takes a long time to pass
> these two:
>
> - input_userauth_pk_ok
> - sign_and_send_pubkey
>
> Could someone give me an idea of what to try next?
Please check the SSSD logs, especially the ones for the domain. You might
need to increase the debug_level, please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.
bye,
Sumit
>
> Thanks!
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
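
One way to act on the advice above once debug logging is enabled, as an added example that is not part of the original thread: a Python script that reads an SSSD domain log and reports the entries followed by the longest pauses, which is where a 6 to 30 second login would show up. The log layout it parses and the sample lines (domain `example.test`, function names, messages) are constructed assumptions, not output from the poster's system.

```python
import re
from datetime import datetime

# Constructed sample in the classic SSSD debug-log layout (assumption):
# "(Wed Oct  7 10:35:57 2015) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message"
SAMPLE_LOG = """\
(Wed Oct  7 10:35:27 2015) [sssd[be[example.test]]] [be_get_account_info] (0x0200): Got request for [name=testuser]
(Wed Oct  7 10:35:27 2015) [sssd[be[example.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
(Wed Oct  7 10:35:28 2015) [sssd[be[example.test]]] [sdap_get_groups_next_base] (0x0400): Searching for groups
   continuation line without a timestamp
(Wed Oct  7 10:35:49 2015) [sssd[be[example.test]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0)
(Wed Oct  7 10:35:50 2015) [sssd[be[example.test]]] [acctinfo_callback] (0x0100): Request processed
"""

# The optional ":NNNNNN" group covers logs written with microsecond timestamps.
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)(?::(?P<us>\d{6}))? (?P<year>\d{4})\) "
    r"\[(?P<proc>.+?)\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse(log_text):
    """Return [(datetime, function, message)] for lines that carry a timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and foreign text are skipped
        when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        when = when.replace(microsecond=int(m["us"] or 0))
        events.append((when, m["func"], m["msg"]))
    return events

def slow_steps(events, threshold=2.0):
    """Return (seconds, function, message) for entries followed by a pause >= threshold, largest first."""
    gaps = []
    for (t0, func, msg), (t1, _, _) in zip(events, events[1:]):
        delta = (t1 - t0).total_seconds()
        if delta >= threshold:
            gaps.append((delta, func, msg))
    return sorted(gaps, reverse=True)

if __name__ == "__main__":
    for seconds, func, msg in slow_steps(parse(SAMPLE_LOG)):
        print(f"{seconds:6.1f}s after [{func}] {msg}")
```

The entry printed is the last thing SSSD logged before it stalled, so the operation to investigate is the one that entry started.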