[Bug 1298] Use of Allow/DenyGroups leads to slow login

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Mar 15 21:23:55 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1298

           Summary: Use of Allow/DenyGroups leads to slow login
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: forsberg at cendio.se


The code checking if the user is a member of a group listed in either
AllowGroups or DenyGroups finds out which groups a user is a member of by
getting the list of all groups on the system, then checking the list of
members of each group to see if the current user is a member.

This leads to bad performance on some setups. One example of such a
setup is Linux systems using nss_ldap, talking to LDAP servers that
use the DN of a user as the member attribute for each group. As the DN
must be looked up in the directory to see which username it corresponds
to, this leads to huge amounts of LDAP queries when enumerating groups.
We've seen login delays of 30 seconds or more when using AllowGroups on
systems fetching user/group information from medium-sized LDAP
directories.

A solution based on initgroups() would get much better performance as
there is code in nss_ldap that makes optimized queries (asking the LDAP
server which groups the user is member of).
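The approach the report suggests, as an added illustration (not the reporter's code and not OpenSSH's): resolve the user's groups with a single getgrouplist(3) call instead of enumerating every group with getgrent(3), then apply DenyGroups and AllowGroups to the resulting names. The function names, the 256-group buffer and the policy checks are assumptions for this example; sshd's real matching also accepts wildcard patterns.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <string.h>

/* Resolve a user's groups with one getgrouplist(3) call, which nss_ldap
 * answers with a single "groups containing this member" query, instead
 * of walking every group with getgrent(3) and scanning its member list.
 * Stores up to max strdup'ed names in names[]; returns the count, or -1
 * if the user has over 256 groups (a real version would grow the buffer). */
static int collect_user_groups(const char *user, gid_t base_gid,
                               const char **names, int max)
{
    gid_t gids[256];
    int ngids = 256, n = 0;
    if (getgrouplist(user, base_gid, gids, &ngids) == -1)
        return -1;
    for (int i = 0; i < ngids && n < max; i++) {
        struct group *gr = getgrgid(gids[i]);  /* gid -> name, one lookup each */
        if (gr != NULL)
            names[n++] = strdup(gr->gr_name);
    }
    return n;
}

static int name_in_list(const char *name, const char **list, int len)
{
    for (int i = 0; i < len; i++)
        if (strcmp(name, list[i]) == 0) return 1;
    return 0;
}

/* Evaluate DenyGroups then AllowGroups over the resolved names in the
 * order sshd applies them: a DenyGroups match refuses, an empty
 * AllowGroups permits, otherwise some AllowGroups entry must match.
 * Exact names only; sshd's lists also accept wildcard patterns. */
static int groups_permit_login(const char **names, int n,
                               const char **deny, int ndeny,
                               const char **allow, int nallow)
{
    for (int i = 0; i < n; i++)
        if (name_in_list(names[i], deny, ndeny))
            return 0;
    if (nallow == 0)
        return 1;
    for (int i = 0; i < n; i++)
        if (name_in_list(names[i], allow, nallow))
            return 1;
    return 0;
}
```

Calling collect_user_groups() for the authenticating user and feeding the names to groups_permit_login() costs one membership query plus one gid lookup per group the user is actually in, rather than one member-list scan per group on the system.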
