[Bug 3747] ssh with ldap user account slow every time, local accounts unaffected
bugzilla-daemon at mindrot.org
Wed Oct 23 21:37:42 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3747
--- Comment #4 from Craig Emery <craig.emery at arm.com> ---
That's fair. :-)
(In reply to Darren Tucker from comment #3)
> Firstly, since this is a vendor modified binary, ultimately they are
> the ones that will need to help you, unless you or they can
> reproduce the problem with an unmodified OpenSSH as available on
> openssh.com.
>
> That said, looking through the debug log, the first time sink is:
>
> Oct 15 12:34:37 ip-10-248-139-188 sshd[501923]: debug1: fd 5
> clearing O_NONBLOCK
> Oct 15 12:34:43 ip-10-248-139-188 sshd[501923]: debug1:
> /home/craeme02/.ssh/authorized_keys:1: matching key found: RSA
> SHA256:EsGSIDs3cY1EdOy67jomy4+XxJYj+tqIT3TUo5wsHgo
>
> 6 seconds to read a file in the user's home directory. Are these
> automounted or something?
I think this will have been the first ever LDAP mount of the user home
directory.
JOOI: Is there a DB / file I can remove that deletes the history of how
long things previously took?
So going forward I can see quicker times?
> Oct 15 12:34:46 ip-10-248-139-188 sshd[501923]: debug1: fd 5
> clearing O_NONBLOCK
> Oct 15 12:34:52 ip-10-248-139-188 sshd[501923]: debug1:
> /home/craeme02/.ssh/authorized_keys:1: matching key found: RSA
> SHA256:EsGSIDs3cY1EdOy67jomy4+XxJYj+tqIT3TUo5wsHgo
>
> Another 6 seconds to read a file.
>
> (In reply to Craig Emery from comment #1)
> > It's lines like this that stand out for me:
> >
> > Oct 15 12:34:43 ip-10-248-139-188 sshd[501923]: debug3:
> > ensure_minimum_time_since: elapsed 5689.207ms, delaying 3656.119ms
> > (requested 9.126ms) [preauth]
> >
> > Why would there be a 3656ms delay during a connection that has no
> > failures. No back off etc.
>
> Once an authentication has taken some amount of time, sshd will try
> to keep the amount of time consistent for other auth attempts to
> prevent leaking information about user or authentication state via
> timing attacks. If some operations are slow that carries over to
> other ones. If you can fix whatever is causing the slowdowns those
> will reduce to match.
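
The timing padding described in comment #3, worked through with the numbers from the quoted `ensure_minimum_time_since` debug3 line. This is an added example, not part of the original thread and not OpenSSH source. It assumes the requested minimum is doubled until it covers the time already elapsed, which reproduces the logged delay to within the rounding of the printed 9.126ms; the function names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical helpers, not OpenSSH source. Times are in milliseconds. */

/* Total time the attempt is padded to: the requested minimum, doubled
 * until it is no longer shorter than the time already spent
 * (the doubling rule is an assumption, checked against the logged values). */
double padded_total_ms(double elapsed_ms, double requested_ms)
{
    double total = requested_ms;

    if (requested_ms <= 0.0)        /* guard: doubling zero never ends */
        return elapsed_ms;
    while (total - elapsed_ms < 0.0)
        total *= 2;
    return total;
}

/* Extra sleep added on top of the time already spent. */
double padding_delay_ms(double elapsed_ms, double requested_ms)
{
    return padded_total_ms(elapsed_ms, requested_ms) - elapsed_ms;
}

int main(void)
{
    /* Constructed cases; the second uses the values from the quoted log. */
    const double requested = 9.126;
    const double elapsed[] = { 3.0, 5689.207, 5000.0, 12000.0 };
    size_t i;

    for (i = 0; i < sizeof elapsed / sizeof elapsed[0]; i++)
        printf("elapsed %9.3fms -> delay %9.3fms, total %9.3fms\n",
            elapsed[i], padding_delay_ms(elapsed[i], requested),
            padded_total_ms(elapsed[i], requested));
    return 0;
}
```

Under this rule a 5.0s and a 5.7s attempt both finish at the same padded total of about 9.3s, while a 3ms attempt finishes at the 9.126ms minimum, so removing the slow file read also removes the multi-second padding.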