Ten second intermittent delay on login
Johnnie W Adams
We're experiencing an odd ten-second delay intermittently when logging
into any of our Linux boxes which authenticate against LDAP. Here's where
it happens:
Jul 13 11:54:23 console2 sshd[1853]: debug1: temporarily_use_uid: <my
uid\gid> (e=0/0)
Jul 13 11:54:35 console2 sshd[1853]: debug1: trying public key file <my key
file>
My assumption is there's something in sssd slowing it down, but I'm
having a heck of a time figuring out what or why. Any guidance would be
greatly appreciated.
Thanks,
John A
--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | jxa...@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*
Reminder: IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts. For more information or to
report suspicious email, visit IT Security
<http://ualr.edu/itservices/security/>.
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Darren Tucker
> We're experiencing an odd ten-second delay intermittently when logging
> greatly appreciated.
you can connect to another port, you can do something like this to run
sshd on 2222, tracing both parent and child sshds:
$ sudo strace -f /usr/sbin/sshd -De -ologlevel=fatal -p 2222
(note that the trace may contain sensitive information so treat it with caution)
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
hvjunk
> On 20 Jul 2023, at 19:45, Johnnie W Adams <jxa...@ualr.edu> wrote:
>
> Hi, folks,
>
> We're experiencing an odd ten-second delay intermittently when logging
> into any of our Linux boxes which authenticate against LDAP. Here's where
> it happens:
>
> Jul 13 11:54:23 console2 sshd[1853]: debug1: temporarily_use_uid: <my
> uid\gid> (e=0/0)
>
> Jul 13 11:54:35 console2 sshd[1853]: debug1: trying public key file <my key
> file>
>
> My assumption is there's something in sssd slowing it down, but I'm
> having a heck of a time figuring out what or why. Any guidance would be
> greatly appreciated.
Disabling that had been one of the easy fixes for me when I get hit by that "hang" .. its actually, so frequent for me, it's part of my script to copy-paste when prepping a LXC DEbian 11&12 instance
Nico Kadel-Garcia
>
> Hi, folks,
>
> We're experiencing an odd ten-second delay intermittently when logging
> into any of our Linux boxes which authenticate against LDAP. Here's where
> it happens:
>
> Jul 13 11:54:23 console2 sshd[1853]: debug1: temporarily_use_uid: <my
> uid\gid> (e=0/0)
>
> Jul 13 11:54:35 console2 sshd[1853]: debug1: trying public key file <my key
> file>
>
> My assumption is there's something in sssd slowing it down, but I'm
> having a heck of a time figuring out what or why. Any guidance would be
> greatly appreciated.
>
> Thanks,
>
> John A
sssd is a pretty aggressively "optimized" tool. It's designed, not to
issue LDAP queries, but to pull from a locally stashed copy of the
*entire* upstream LDAP directory, or at least enough of the LDAP
directory to contain every dolder it may reference. The result can be
really nasty when the VPN connection between an internal AD and a
cloud environment, especially when it thinks it has to refresh that
cache. All of it. Without notice. And crash, if it doesn't succeed
within the hard-coded and un-tunable timeout periods.
I'm not happy with some of sssd's behavior, especially the head games
it plays with systemd about "I'm started, I'm running, I'm allowing
logins via SSH, la-la-la-la-la, I failed to cache the full LDAP and
now I will crash hard with systemd not noticing and recovering the
service". It's an unpleasant problem.
Howard Chu
Sounds like you'd be better off using nslcd. And if you want caching
of the LDAP info, use a local OpenLDAP slapd with slapo-pcache instead, which
has all cache refresh/expiration/etc intervals fully configurable.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Nico Kadel-Garcia
At that time, I probably would have been better off doing that for the
environment I was organizing. One of the problems of consulting work
is the need to leave something well documented and supportable by the
permanent staff. Another can be getting the people behind the
bureaucrati cwalls to admit what they're doing, and its consequences,
when you weren't hired as part of their department. I'm afraid that
they were fairly miffed at me for usin "ldapbrowser" to look around at
their AD structure. I was *not* supposed to have permission to look,
and the supervisor of security demanded that even his own personnel
not share insights with each other. It got weirder when I yanked out
the secret root user public SSH keys in the OS images I was supposed
to secure for deployment.
It took time to negotiate with the AD admins, and them to realize I
understood what I was asking for, to organize the relevant OU's in one
LDAP directory so sssd only had to stash that LDAP directory. It's a
good technique for improving sssd performance, especially in remotely
deployed environments without a high availability AD domain controller
at the end of a VPN for big cloud environments.
For our original poster here, the lesson is "take a look at your sssd
setup and see if you can reduce the relevant LDAP directory space".