On 4/9/19 11:22 PM, Sumit Bose wrote:
> On Tue, Apr 09, 2019 at 03:12:33PM -0600, Orion Poplawski wrote:
>> Any suggestions for speeding up sss_ssh_authorizedkeys? It seems to take
>> around .25s per certificate, and some of our users have many certificates.
>>
>> Could this be cached?
>
> Hi,
>
> I guess what takes time is the validation of the certificate, especially
> if OCSP is used. IIRC the OCSP replies have a timestamp for how long they
> are valid, so it might be possible to cache them. To understand if it
> would help in your case, can you try to set
> 'certificate_verification=no_ocsp' and check if it is faster?
It does not appear to have any effect. I think it's basically the overhead of
running p11_child (I think that is what is being run):

==> /var/log/sssd/sssd_ssh.log <==
(Wed Apr 10 08:42:57 2019) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Wed Apr 10 08:42:57 2019) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Wed Apr 10 08:42:58 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13210] finished successfully.
(Wed Apr 10 08:42:58 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13218] finished successfully.
(Wed Apr 10 08:42:58 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13222] finished successfully.
(Wed Apr 10 08:42:59 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13229] finished successfully.
(Wed Apr 10 08:42:59 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13232] finished successfully.
(Wed Apr 10 08:42:59 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13235] finished successfully.
(Wed Apr 10 08:43:00 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13238] finished successfully.
(Wed Apr 10 08:43:00 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13246] finished successfully.
(Wed Apr 10 08:43:00 2019) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!

Tried with no_verification just to see, but that totally breaks things:

sssd[12693]: Cannot run verification with option 'no_verification'.
sssd[12693]: (Wed Apr 10 08:41:23 2019) [[sssd[p11_child[12847]]]] [main] (0x0020): p11_child failed!

> If you do not need the keys from the certificates you can disable this
> step completely by setting 'ssh_use_certificate_keys=false' (see man
> sssd.conf for details).

I'm definitely making use of the certificates.

> I'm planning to add certificate matching rules to the ssh responder as
> well so that not all certificates have to be checked.

That sounds promising.
Thanks,
Orion

--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office                  FAX: 303-415-9702
3380 Mitchell Lane                         [email protected]
Boulder, CO 80301                          https://www.nwra.com/
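Added example, not part of the thread and not sssd project code: a small parser for sssd responder log lines in the format quoted above, used to put a number on how much of one sss_ssh_authorizedkeys request is spent waiting for child processes. It assumes (the thread does not state this outright) that each "child [pid] finished successfully" line from child_sig_handler is one p11_child run, i.e. one certificate verified, and it tolerates the "sssd[pid]: " journal prefix seen on the p11_child failure lines. The sample input is the log text from the message, copied verbatim.

```python
"""Estimate per-certificate p11_child cost from sssd_ssh.log lines.

Added example for this thread; not sssd code. Assumption: one
child_sig_handler "finished successfully" line == one p11_child run.
"""
import re
from datetime import datetime

# sssd debug line: (timestamp) [process] [function] (level): message
# An optional journal prefix such as "sssd[12693]: " is tolerated.
LOG_RE = re.compile(
    r"^(?:sssd\[\d+\]: )?"
    r"\((?P<ts>[^)]+)\) "
    r"\[(?P<proc>.+?)\] "          # lazy: process names contain brackets
    r"\[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
CHILD_DONE_RE = re.compile(r"child \[(?P<pid>\d+)\] finished successfully")

# Sample input: the lines quoted in the message above (constructed test data here).
SAMPLE_LOG = """\
(Wed Apr 10 08:42:57 2019) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Wed Apr 10 08:42:57 2019) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Wed Apr 10 08:42:58 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13210] finished successfully.
(Wed Apr 10 08:42:58 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13218] finished successfully.
(Wed Apr 10 08:42:58 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13222] finished successfully.
(Wed Apr 10 08:42:59 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13229] finished successfully.
(Wed Apr 10 08:42:59 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13232] finished successfully.
(Wed Apr 10 08:42:59 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13235] finished successfully.
(Wed Apr 10 08:43:00 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13238] finished successfully.
(Wed Apr 10 08:43:00 2019) [sssd[ssh]] [child_sig_handler] (0x0100): child [13246] finished successfully.
(Wed Apr 10 08:43:00 2019) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
sssd[12693]: Cannot run verification with option 'no_verification'.
sssd[12693]: (Wed Apr 10 08:41:23 2019) [[sssd[p11_child[12847]]]] [main] (0x0020): p11_child failed!
"""


def parse_line(line):
    """Return a dict (ts, proc, func, level, msg) or None for non-sssd lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["level"] = int(rec["level"], 16)
    return rec


def summarize(log_text):
    """Count child completions per request and bound the per-child cost."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    child_times = [r["ts"] for r in records
                   if r["func"] == "child_sig_handler" and CHILD_DONE_RE.search(r["msg"])]
    start = next((r["ts"] for r in records if r["msg"].startswith("Received client version")), None)
    end = next((r["ts"] for r in records if r["msg"].startswith("Client disconnected")), None)
    summary = {
        "children": len(child_times),
        "request_seconds": (end - start).total_seconds() if start and end else None,
        "child_span_seconds": (max(child_times) - min(child_times)).total_seconds() if child_times else None,
        "failures": [r["msg"] for r in records if "failed" in r["msg"]],
    }
    # Timestamps have one-second resolution, so this is only an upper bound.
    if summary["children"] and summary["request_seconds"]:
        summary["seconds_per_child_upper_bound"] = summary["request_seconds"] / summary["children"]
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted log this reports 8 child completions inside a 3-second request, so at most 0.375 s per certificate at one-second timestamp resolution, consistent with the roughly .25 s per certificate observed in the thread. Running it against a log captured with `debug_level` raised on the ssh responder gives a quick before/after comparison when trying settings such as `certificate_verification=no_ocsp`, and the "failures" list surfaces p11_child errors such as the one produced by `no_verification`.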
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
