[Freeipa-users] Slow SSH login for IPA users only

Sumit Bose sbose at redhat.com
Wed Oct 7 10:35:57 UTC 2015


On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> All,
> 
> I have an IPA 4.1 installation that works perfectly. We just suffer from
> slow logins (this is also slow in other operations such as invoking SUDO)
> 
> IPA user:
> 
> 1st. login: 30 seconds
> 2nd login: 8 seconds
> 3rd login: 6.5 seconds
> 4th login: 20 seconds
> 
> Local user:
> 
> Consistently under 2 seconds
> 
> In SSH I have tried:
> 
> Setting UseDNS to no
> Setting GSSAPIAuthentication to no
> 
> I have tried various things that would work on a slow SSH, with no effect.
> In fact, local users have no problem.
> 
> DNS both forward and reverse works well, works fast and gives consistent
> results. That is not the issue.
> 
> While trying to find out more about the issue, I see that after the client
> has connected, it spends most of the time here:
> 
> [...]
> debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug1: Authentication succeeded (publickey).
> [...]
> 
> At first I thought it might be the key retrieval from the IPA service, but it
> is actually quite fast:
> 
> time /usr/bin/sss_ssh_authorizedkeys testuser
> real    0m0.209s
> 
> We have all the configuration files just as they were after installing the
> ipa-client. The only modification was made to sshd_config as these two
> lines:
> 
> AuthorizedKeysCommand  /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser nobody
> 
> I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> that did not make any difference either.
> 
> So, in brief:
> 
> - SSH is fast for local users
> - authorized keys get retrieved quickly
> - no DNS issues.
> - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> invocations)
> - While watching ssh logins, for ipa users, it takes a long time to pass
> these two:
> 
>    - input_userauth_pk_ok
>    - sign_and_send_pubkey
> 
> Could someone give me an idea of what to try next?

Please check the SSSD logs, especially the ones for the domain. You might
need to increase the debug_level, please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

bye,
Sumit

> 
> Thanks!


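One way to act on the advice above once the domain log has been captured at a higher debug_level, as an added example that is not part of the original thread: the script below lists the longest pauses between consecutive entries in an SSSD domain log, which shows which backend request the login is waiting on. It assumes the SSSD 1.x log prefix format; the function names `parse` and `slowest_gaps`, the domain `example.test`, and the sample lines are constructed for illustration.

```python
import re
import sys
from datetime import datetime

# Prefix of SSSD 1.x debug logs (assumed format); the ":usec" part appears
# only when debug_microseconds is enabled.
LINE_RE = re.compile(
    r"^\(\w{3} (?P<mon>\w{3}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d)"
    r"(?::(?P<us>\d{6}))? (?P<year>\d{4})\) "
    r"\[.+?\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)

# Constructed sample, not output from the poster's system.
SAMPLE = """\
(Wed Oct  7 10:00:01 2015) [sssd[be[example.test]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=testuser]
(Wed Oct  7 10:00:01 2015) [sssd[be[example.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(uid=testuser)]
(Wed Oct  7 10:00:19 2015) [sssd[be[example.test]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0)
(Wed Oct  7 10:00:19 2015) [sssd[be[example.test]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct  7 10:00:22 2015) [sssd[be[example.test]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=testuser]
"""

def parse(lines):
    """Yield (timestamp, function, message) for lines carrying the SSSD prefix."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # continuation lines and anything unrecognised
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['hms']} {m['year']}",
                               "%b %d %H:%M:%S %Y")
        yield ts.replace(microsecond=int(m["us"] or 0)), m["func"], m["msg"]

def slowest_gaps(lines, threshold=1.0, top=5):
    """Return (seconds, entry_before, entry_after) for the longest pauses."""
    events = list(parse(lines))
    gaps = []
    for (t0, f0, m0), (t1, f1, m1) in zip(events, events[1:]):
        delta = (t1 - t0).total_seconds()
        if delta >= threshold:
            gaps.append((delta, f"[{f0}] {m0}", f"[{f1}] {m1}"))
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]

if __name__ == "__main__":
    # Pass a domain log such as /var/log/sssd/sssd_<domain>.log, or run bare for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for secs, before, after in slowest_gaps(text.splitlines()):
        print(f"{secs:7.1f}s  after  {before}\n          before {after}")
```

Run it against the domain log right after reproducing a slow login; the entry printed before the longest pause is the operation that did not return promptly.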


