Jakub/Sumit,

I'm using /usr/bin/sss_ssh_authorizedkeys to check keys as ssh access is my 
primary concern. In my recent tests I changed the key listed on the local 
upstream server from the server line in /etc/ipa/default.conf and the ssh-key 
showed up after 8 minutes, remote servers (replica ipa servers) took another 30 
minutes.

Same process to delete the key took 45 minutes from local change to remote 
server via replica (deleted at 9:52, refreshed at 10:30) which makes me think 
it's more the ldap replication over sss cache.

entry_cache_timeout is the default 5400 seconds (and its children follow that 
value).

I assume if I want/need this to expire/replicate faster, I would want to set 
entry_cache_user_timeout to a value closer to a few minutes (300-900), can you 
see any drawbacks to this?

Is this value required on Server, Clients, or Both?

As always, you guys are excellent and I really appreciate all the help!

Thanks,
-Jacob
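Since the question turns on which cache lifetime actually governs the cached user entry (and therefore the SSH public keys attached to it), here is a small added example, not code from SSSD or from anyone in this thread, that reads an sssd.conf and reports the effective entry-cache lifetime per object type for each [domain/...] section. It encodes the documented behaviour from man sssd.conf: entry_cache_timeout defaults to 5400 seconds, and the per-type options (entry_cache_user_timeout, entry_cache_group_timeout, and so on) fall back to entry_cache_timeout when unset. The sssd.conf content embedded below is constructed for the example; the domain names and server name are not from any real deployment. It only shows the SSSD-side cache bound on a client; it says nothing about LDAP replication delay between IPA replicas, which is a separate source of latency.

```python
"""Report effective SSSD entry-cache lifetimes per domain from an sssd.conf.

Added example for this thread (not SSSD's own code). Defaults follow
man sssd.conf: entry_cache_timeout defaults to 5400 s, and each per-type
entry_cache_*_timeout option inherits entry_cache_timeout when unset.
"""
import configparser

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # seconds, documented default

# Per-type options that inherit entry_cache_timeout when not set explicitly.
CHILD_OPTIONS = (
    "entry_cache_user_timeout",      # user entries, which carry the SSH public keys
    "entry_cache_group_timeout",
    "entry_cache_netgroup_timeout",
    "entry_cache_service_timeout",
    "entry_cache_sudo_timeout",
    "entry_cache_autofs_timeout",
    "entry_cache_ssh_host_timeout",
)

# Constructed sample sssd.conf (hypothetical domains/hosts, not a real deployment).
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test, lab.example.test
services = nss, pam, ssh

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa1.example.test
# Only user entries are tightened; every other type keeps the parent value.
entry_cache_user_timeout = 600

[domain/lab.example.test]
id_provider = ipa
ipa_server = ipa-lab.example.test
# Parent value lowered; all children inherit it because none is set.
entry_cache_timeout = 1800
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; it is INI-style, so configparser handles it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def effective_cache_timeouts(text):
    """Return {domain: {option: (seconds, source)}} with inheritance applied.

    source is "explicit" when the option appears in the section, "default"
    for an unset entry_cache_timeout, and "inherited" for an unset child
    option that takes entry_cache_timeout's effective value.
    """
    cfg = parse_sssd_conf(text)
    result = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        if cfg.has_option(section, "entry_cache_timeout"):
            parent = (cfg.getint(section, "entry_cache_timeout"), "explicit")
        else:
            parent = (DEFAULT_ENTRY_CACHE_TIMEOUT, "default")
        timeouts = {"entry_cache_timeout": parent}
        for opt in CHILD_OPTIONS:
            if cfg.has_option(section, opt):
                timeouts[opt] = (cfg.getint(section, opt), "explicit")
            else:
                timeouts[opt] = (parent[0], "inherited")
        result[domain] = timeouts
    return result


def ssh_key_cache_bound(text, domain):
    """Worst-case age (seconds) of a cached user entry, hence of its SSH keys."""
    return effective_cache_timeouts(text)[domain]["entry_cache_user_timeout"][0]


if __name__ == "__main__":
    for domain, timeouts in effective_cache_timeouts(SAMPLE_SSSD_CONF).items():
        print(f"[domain/{domain}]")
        for opt, (secs, source) in timeouts.items():
            print(f"  {opt:<30} {secs:>6} s  ({source})")
```

Run it against a real /etc/sssd/sssd.conf by reading the file into effective_cache_timeouts(); an entry reported as "inherited" is one whose lifetime will silently move with entry_cache_timeout, which is the "children follow that value" behaviour noted above.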


----- Original Message -----
From: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Sumit Bose" <sb...@redhat.com>
Sent: Wednesday, May 31, 2017 5:01:22 AM
Subject: [Freeipa-users]Re: [Freeipa-users]SSH Key replication time/issues

On Tue, May 30, 2017 at 02:18:18PM -0400, Jake via FreeIPA-users wrote:
> Looks like this is applied immediately, but required a service sssd restart; 
> sss_cache -E 
> 
> Do these attributes have a TTL set? 
> 
> I know these are all SSSD Specific questions, and not directly related to 
> FreeIPA. 

The keys are stored in the SSSD cache and the cache objects have a
lifetime. Please check entry_cache_timeout or entry_cache_user_timeout
in man sssd.conf for details.

HTH

bye,
Sumit

> 
> Thanks, 
> Jake 
> 
> 
> From: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
> Cc: "Jake" <em...@ml.jacobdevans.com> 
> Sent: Tuesday, May 30, 2017 1:15:32 PM 
> Subject: [Freeipa-users]SSH Key replication time/issues 
> 
> Hey again, 
> I'm trying to track down how to ensure ssh keys are added AND removed 
> quickly. 
> 
> Right now it seems I must restart ipa services or sss_cache -E to force them 
> to update, and there doesn't seem to be a determinate amount of time to allow 
> replication. 
> 
> Note, SSH keys are stored in the "Default View" for external users (external 
> one-way trust with AD). 
> 
> Thanks, 
> -Jake 
> 
> _______________________________________________ 
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org 
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org 
