[Bug 3747] ssh with ldap user account slow every time, local accounts unaffected

bugzilla-daemon at mindrot.org
Wed Oct 23 21:00:50 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3747

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Firstly, since this is a vendor-modified binary, ultimately they are
the ones that will need to help you, unless you or they can reproduce
the problem with an unmodified OpenSSH as available on openssh.com.

That said, looking through the debug log, the first time sink is:

Oct 15 12:34:37 ip-10-248-139-188 sshd[501923]: debug1: fd 5 clearing
O_NONBLOCK
Oct 15 12:34:43 ip-10-248-139-188 sshd[501923]: debug1:
/home/craeme02/.ssh/authorized_keys:1: matching key found: RSA
SHA256:EsGSIDs3cY1EdOy67jomy4+XxJYj+tqIT3TUo5wsHgo

6 seconds to read a file in the user's home directory.  Are these
automounted or something?

Oct 15 12:34:46 ip-10-248-139-188 sshd[501923]: debug1: fd 5 clearing
O_NONBLOCK
Oct 15 12:34:52 ip-10-248-139-188 sshd[501923]: debug1:
/home/craeme02/.ssh/authorized_keys:1: matching key found: RSA
SHA256:EsGSIDs3cY1EdOy67jomy4+XxJYj+tqIT3TUo5wsHgo

Another 6 seconds to read a file.

(In reply to Craig Emery from comment #1)
> It's lines like this that stand out for me:
> 
> Oct 15 12:34:43 ip-10-248-139-188 sshd[501923]: debug3:
> ensure_minimum_time_since: elapsed 5689.207ms, delaying 3656.119ms
> (requested 9.126ms) [preauth]
> 
> Why would there be a 3656ms delay during a connection that has no
> failures. No back off etc.

Once an authentication has taken some amount of time, sshd will try to
keep the amount of time consistent for other auth attempts to prevent
leaking information about user or authentication state via timing
attacks.  If some operations are slow, that carries over to other ones.
If you can fix whatever is causing the slowdowns those will reduce to
match.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
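
An added example, not part of the original message and not OpenSSH source: a small C model of the padding arithmetic behind the quoted ensure_minimum_time_since line. It assumes the requested minimum is doubled until it exceeds the time already spent (an assumption that reproduces the logged figure to within the rounding of the printed "requested" value); the function names and the 100 ms and 2 ms inputs are constructed for illustration.

```c
#include <stdio.h>

/*
 * Model of the padding rule. Assumption: the requested minimum is doubled
 * until it is no longer smaller than the time already spent.
 * All values are in milliseconds.
 * Returns the total duration the auth attempt is padded out to,
 * or -1 on input for which doubling would never terminate.
 */
static double padded_total_ms(double elapsed_ms, double requested_ms)
{
    double target = requested_ms;

    if (requested_ms <= 0.0 || elapsed_ms < 0.0)
        return -1.0;
    while (target < elapsed_ms)
        target *= 2.0;
    return target;
}

/* Extra sleep added on top of the time already spent, or -1 on bad input. */
static double extra_delay_ms(double elapsed_ms, double requested_ms)
{
    double target = padded_total_ms(elapsed_ms, requested_ms);

    return target < 0.0 ? -1.0 : target - elapsed_ms;
}

int main(void)
{
    /* "requested" and the first "elapsed" value are from the quoted log
     * line; the other two elapsed values are constructed to show what
     * happens once the slow file read is fixed. */
    const double requested = 9.126;
    const double elapsed[] = { 5689.207, 100.0, 2.0 };
    size_t i;

    for (i = 0; i < sizeof(elapsed) / sizeof(elapsed[0]); i++)
        printf("elapsed %9.3fms -> delaying %9.3fms (total %9.3fms)\n",
            elapsed[i], extra_delay_ms(elapsed[i], requested),
            padded_total_ms(elapsed[i], requested));
    return 0;
}
```

With the logged inputs the model pads the attempt to about 9345 ms (9.126 ms doubled ten times), which is where the roughly 3656 ms sleep comes from; with a fast key lookup the same rule adds only a few milliseconds.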

