Have you checked the authentication source order in nsswitch.conf? Maybe it hits some timeout there.

 

From: Winfried de Heiden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Sunday, 9 February 2020 13:55
To: freeipa-users@lists.fedorahosted.org
Cc: Winfried de Heiden <wdh@dds.nl>
Subject: [Freeipa-users] sss_ssh_authorizedkeys slow on IPA-server

Hi all,

For some reason, for a particular user, sss_ssh_authorizedkeys is extremely slow on the IPA-server:

time /usr/bin/sss_ssh_authorizedkeys <username>
~
real 0m9.520s
user 0m0.022s
sys 0m0.018s

 

It will return all the public keys, but it is slow, causing SSH login delays when using SSH keys.

On another CentOS Stream (8.1) IPA-client, using the same IPA-server:

time /usr/bin/sss_ssh_authorizedkeys <username>
~
real 0m0.020s
user 0m0.005s
sys 0m0.003s

 

Some difference...

Adding "certificate_verification = no_ocsp" to sssd.conf on the IPA-server will bring back performance, but sounds like a poor workaround.

Any idea what is happening here?

 

Some more details:

CentOS Linux release 8.1.1911 (Core) (stream)
ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
sssd-common-2.2.0-19.el8.x86_64

Winfried