[Bug 3747] ssh with ldap user account slow every time, local accounts unaffected
bugzilla-daemon at mindrot.org
Wed Oct 23 21:00:50 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3747
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Firstly, since this is a vendor modified binary, ultimately they are
the ones that will need to help you, unless you or they can reproduce
the problem with an unmodified OpenSSH as available on openssh.com.
That said, looking through the debug log, the first time sink is:
Oct 15 12:34:37 ip-10-248-139-188 sshd[501923]: debug1: fd 5 clearing O_NONBLOCK
Oct 15 12:34:43 ip-10-248-139-188 sshd[501923]: debug1: /home/craeme02/.ssh/authorized_keys:1: matching key found: RSA SHA256:EsGSIDs3cY1EdOy67jomy4+XxJYj+tqIT3TUo5wsHgo
6 seconds to read a file in the user's home directory. Are these
automounted or something?
Oct 15 12:34:46 ip-10-248-139-188 sshd[501923]: debug1: fd 5 clearing O_NONBLOCK
Oct 15 12:34:52 ip-10-248-139-188 sshd[501923]: debug1: /home/craeme02/.ssh/authorized_keys:1: matching key found: RSA SHA256:EsGSIDs3cY1EdOy67jomy4+XxJYj+tqIT3TUo5wsHgo
Another 6 seconds to read a file.
(In reply to Craig Emery from comment #1)
> It's lines like this that stand out for me:
>
> Oct 15 12:34:43 ip-10-248-139-188 sshd[501923]: debug3: ensure_minimum_time_since: elapsed 5689.207ms, delaying 3656.119ms (requested 9.126ms) [preauth]
>
> Why would there be a 3656ms delay during a connection that has no
> failures? No back off etc.
Once an authentication has taken some amount of time, sshd will try to
keep the amount of time consistent for other auth attempts to prevent
leaking information about user or authentication state via timing
attacks. If some operations are slow, that carries over to other ones.
If you can fix whatever is causing the slowdowns those will reduce to
match.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
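
An added illustration, not part of the original message and not OpenSSH source: it parses the debug3 line quoted from comment #1 and checks it against an assumed padding model in which the requested minimum time is doubled until it exceeds the elapsed time. The model is an assumption tested only against the figures in that one line; the function names are hypothetical.

```python
import re

# Format of the debug3 line quoted in comment #1.
DELAY_RE = re.compile(
    r"ensure_minimum_time_since: elapsed (?P<elapsed>[\d.]+)ms, "
    r"delaying (?P<delay>[\d.]+)ms \(requested (?P<req>[\d.]+)ms\)"
)

# Log line copied from the bug report (re-joined onto one line).
LINE = ("Oct 15 12:34:43 ip-10-248-139-188 sshd[501923]: debug3: "
        "ensure_minimum_time_since: elapsed 5689.207ms, delaying 3656.119ms "
        "(requested 9.126ms) [preauth]")


def padded_target(elapsed_ms, requested_ms):
    """Assumed model: double the requested minimum until it covers elapsed."""
    target, doublings = requested_ms, 0
    while target - elapsed_ms < 0.0:
        target *= 2
        doublings += 1
    return target, doublings


def explain(line):
    """Return the modelled padding for one log line, or None if no match."""
    m = DELAY_RE.search(line)
    if m is None:
        return None
    elapsed, logged, req = (float(m[k]) for k in ("elapsed", "delay", "req"))
    target, n = padded_target(elapsed, req)
    predicted = target - elapsed
    # The request is printed to 0.001 ms, so its rounding error is
    # multiplied by 2**n in the target; allow for that when comparing.
    tolerance = 0.0005 * 2 ** n + 0.001
    return {
        "doublings": n,
        "target_ms": target,
        "predicted_delay_ms": predicted,
        "logged_delay_ms": logged,
        "consistent": abs(predicted - logged) <= tolerance,
    }


if __name__ == "__main__":
    print(explain(LINE))
```

Under this model a slow step of about 5.7 s (the authorized_keys read) pushes the padded total to roughly 9.3 s, which is where the extra 3656 ms in the quoted line comes from.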