On Tue, Apr 09, 2019 at 03:12:33PM -0600, Orion Poplawski wrote:
> Any suggestions for speeding up sss_ssh_authorizedkeys?  It seems to take
> around .25s per certificate, and some of our users have many certificates.
> 
> Could this be cached?

Hi,

I guess what takes time is the validation of the certificate, especially
if OCSP is used. IIRC the OCSP replies have a timestamp indicating how
long they are valid, so it might be possible to cache them. To understand
if it would help in your case, can you try to set
'certificate_verification=no_ocsp' and check if it is faster?

If you do not need the keys from the certificates you can disable this
step completely by setting 'ssh_use_certificate_keys=false' (see man
sssd.conf for details).

I'm planning to add certificate matching rules to the ssh responder as
well so that not all certificates have to be checked.

bye,
Sumit
> 
> -- 
> Orion Poplawski
> Manager of NWRA Technical Systems          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       [email protected]
> Boulder, CO 80301                 https://www.nwra.com/
> 



> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]