On Mon, Feb 10, 2020 at 09:54:04AM +0100, Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
> Yep, I do use user certs for authentication and it seems OCSP takes time,
> but only on the IPA-server. Even on a Raspberry Pi 3 as an IPA-client, using
> the same IPA-server, it is 4 times faster...
> Hence, something seems to be going wrong in OCSP, but what could be causing the
> problem?
Hi,
which versions of SSSD are you using on the client and the server? Older
versions of SSSD might use NSS and do the certificate validation in the
ssh responder process; newer versions might use OpenSSL and do the
validation with the help of p11_child. Not sure if any of this might be
a reason.
Maybe you can take a network trace of the communication with the OCSP
responder to see if the delay happens on the network?
bye,
Sumit
> Winfried
> On 09-02-2020 at 22:06 Alexander Bokovoy wrote:
> > On Sun, 09 Feb 2020, Winfried de Heiden via FreeIPA-users wrote:
> > > Hi all,
> > > For some reason, for a particular user, sss_ssh_authorizedkeys is
> > > extremely slow on the IPA-server:
> > > time /usr/bin/sss_ssh_authorizedkeys <username>
> > > real 0m9.520s
> > > user 0m0.022s
> > > sys 0m0.018s
> > > It will return all the public keys, but it is slow, causing
> > > SSH-login delays using SSH keys.
> > > On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
> > > time /usr/bin/sss_ssh_authorizedkeys <username>
> > > real 0m0.020s
> > > user 0m0.005s
> > > sys 0m0.003s
> > > Some difference... Adding "certificate_verification = no_ocsp" to
> > > sssd.conf on the IPA-server will bring back performance, but sounds
> > > like a poor workaround.
> > > Any idea what is happening here?
> >
> > SSSD picks up certificates associated with the user entry for use as SSH
> > keys as well. I guess verification of those certificates via OCSP takes
> > time and that's why switching off the verification helps.
> >
> >
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
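A diagnostic script for the situation discussed in this thread, added here as an example; it is not part of SSSD, FreeIPA or any of the posters' messages. It reads the [sssd] section of an sssd.conf-style file to tell whether certificate_verification contains no_ocsp or no_verification (both make the lookup fast again only by skipping revocation checks on the user certificates SSSD turns into SSH keys), times one sss_ssh_authorizedkeys run, and, when the lookup is slow with OCSP still enabled, prints the follow-up Sumit suggests: a packet capture of the responder traffic, plus a direct OCSP query with openssl ocsp to separate responder latency from the network path. Assumptions: GNU date (for %N), the 1 s SLOW_MS threshold, and the hypothetical user.pem / ca.pem file names in the printed hints.

```shell
#!/bin/sh
# Added diagnostic for a slow sss_ssh_authorizedkeys (example code, not SSSD's
# or FreeIPA's own). Assumes GNU date for %N and a POSIX awk.

SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
SLOW_MS="${SLOW_MS:-1000}"   # assumed threshold: a key lookup over 1 s is "slow"

# Print the certificate_verification value from the [sssd] section of an
# sssd.conf-style file, whitespace stripped; print nothing if it is unset.
cert_verification_setting() {
    awk '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
        insect && /^[[:space:]]*certificate_verification[[:space:]]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[[:space:]]/, ""); print; exit
        }' "$1"
}

# Return 0 when OCSP checking is switched off by no_ocsp or no_verification.
ocsp_disabled() {
    case ",$(cert_verification_setting "$1")," in
        *,no_ocsp,*|*,no_verification,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Wall-clock milliseconds for one run of the given command, output discarded.
elapsed_ms() {
    _t0=$(date +%s%N)
    "$@" >/dev/null 2>&1 || :
    _t1=$(date +%s%N)
    echo $(( (_t1 - _t0) / 1000000 ))
}

# Classify one timing (ms) against the threshold: prints "slow" or "ok".
classify_ms() {
    [ "$1" -ge "$SLOW_MS" ] && echo slow || echo ok
}

# Report for one user: OCSP state, lookup time, and where to look next.
diagnose() {
    user="$1"
    if ocsp_disabled "$SSSD_CONF"; then
        echo "OCSP disabled in $SSSD_CONF: fast, but user certificates are not revocation-checked"
    else
        echo "OCSP enabled in $SSSD_CONF (certificate_verification=$(cert_verification_setting "$SSSD_CONF"))"
    fi
    ms=$(elapsed_ms /usr/bin/sss_ssh_authorizedkeys "$user")
    echo "sss_ssh_authorizedkeys $user: ${ms} ms ($(classify_ms "$ms"))"
    if [ "$(classify_ms "$ms")" = slow ] && ! ocsp_disabled "$SSSD_CONF"; then
        # Hints only; user.pem and ca.pem are placeholder names (assumption).
        cat <<'EOF'
Next: capture the OCSP exchange while repeating the lookup, e.g.
  tcpdump -i any -w ocsp.pcap 'tcp port 80 or tcp port 443'
then read the responder URL from the user cert's AIA extension
  openssl x509 -noout -ocsp_uri -in user.pem
and query it directly to see whether the responder itself is slow:
  openssl ocsp -issuer ca.pem -cert user.pem -url "$(openssl x509 -noout -ocsp_uri -in user.pem)" -resp_text
EOF
    fi
}

if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

Run it as `SSSD_CONF=/etc/sssd/sssd.conf sh diag.sh <username>` on the IPA server and on the fast client. If both hosts carry the same certificate_verification setting but only the server's lookup is slow, the difference lies in the server's path to the OCSP responder, not in SSSD's configuration; the no_ocsp workaround restores speed only by skipping revocation checks, so the responder path is what to fix.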