I have an IPA 4.1 installation that works perfectly. We just suffer from
slow logins ( this is also slow in other operations such invoking SUDO )
1st. login: 30 seconds
2nd login: 8 seconds
3rd login: 6.5 seconds
4rth login: 20 seconds
Consistently under 2 seconds
In SSH have tried:
Setting UseDNS to no
Setting GSSAPIAuthentication to no
I have tried various things that would work on an slow SSH, with no effect.
In fact, local users have no problem.
DNS both forward and reverse works well, works fast and gives consistent
results. That is no the issue.
While trying to find out more about the issue, I see that after the client
has connected, it spends most of the time here:
debug2: input_userauth_pk_ok: fp
debug3: sign_and_send_pubkey: RSA
debug1: Authentication succeeded (publickey).
At first I though it might be the key retrival from the IPA service, but it
is actually quite fast:
time /usr/bin/sss_ssh_authorizedkeys testuser
We have all the configration files just as they were after installing the
ipa-client. The only modification was made to sshd_config as these two
I also tried removing the _srv_ in the ipa server line in sssd.conf, but
that did not make any difference either.
So, in brief:
- SSH is fast for local users
- authorized keys get retrieved quickly
- no DNS issues.
- IPA users take from 6 to 30 seconds to login (and also to perform sudo
- While watching ssh logins, for ipa users, it takes a long time to pass
Could someone give me an idea of what to try next?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project