bugzilla-daemon at mindrot.org
2007-Mar-15 10:23 UTC
[Bug 1298] Use of Allow/DenyGroups leads to slow login
http://bugzilla.mindrot.org/show_bug.cgi?id=1298

           Summary: Use of Allow/DenyGroups leads to slow login
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: forsberg at cendio.se

The code checking if the user is a member of a group listed in either AllowGroups or DenyGroups finds out which groups a user is a member of by getting the list of all groups on the system, then checking the list of members of each group to see if the current user is a member.

This leads to bad performance on some setups. One example of such a setup is Linux systems using nss_ldap, talking to LDAP servers that use the DN of a user as the member attribute for each group. As the DN must be looked up in the directory to see which username it corresponds to, this leads to huge amounts of LDAP queries when enumerating groups. We've seen login delays of 30 seconds or more when using AllowGroups on systems fetching user/group information from medium-sized LDAP directories.

A solution based on initgroups() would get much better performance, as there is code in nss_ldap that makes optimized queries (asking the LDAP server which groups the user is a member of).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
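The two strategies the report contrasts, written out as an added C example (not OpenSSH's own groupaccess code): enumerating the whole group database with getgrent(3) and scanning every member list, versus the getgrouplist(3) query that initgroups(3) is built on. The consistency check at the end runs against the local account database of whatever host compiles it, so it shows the two paths agree but does not reproduce the LDAP latency itself.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>
#define MAXGROUPS 256

/* Slow path from the report: walk the whole group database and scan every
 * member list; with nss_ldap every member DN of every group gets resolved. */
static int groups_by_enumeration(const char *user, gid_t primary, gid_t *out, int max)
{
    struct group *gr;
    int n = 0;
    out[n++] = primary;                 /* primary group, as sshd adds it too */
    setgrent();
    while ((gr = getgrent()) != NULL && n < max) {
        int member = 0;
        if (gr->gr_gid == primary) continue;
        for (char **m = gr->gr_mem; !member && *m != NULL; m++)
            member = (strcmp(*m, user) == 0);
        if (member)
            out[n++] = gr->gr_gid;
    }
    endgrent();
    return n;
}
/* Fast path the reporter proposes: getgrouplist(3) is the query behind
 * initgroups(3), so nss_ldap can ask "which groups contain this user" once. */
static int groups_by_grouplist(const char *user, gid_t primary, gid_t *out, int max)
{
    int n = max;
    return getgrouplist(user, primary, out, &n) == -1 ? -1 : n; /* -1: buffer too small */
}
static int contains(const gid_t *s, int n, gid_t g)
{
    while (n-- > 0) if (s[n] == g) return 1;
    return 0;
}
/* Consistency check for this example: both strategies must yield the same gid
 * set for the calling user. 1 = agree, 0 = differ, -1 = uid has no passwd entry. */
int both_paths_agree(void)
{
    struct passwd *pw = getpwuid(getuid());
    gid_t a[MAXGROUPS], b[MAXGROUPS];
    if (pw == NULL) return -1;
    int na = groups_by_enumeration(pw->pw_name, pw->pw_gid, a, MAXGROUPS);
    int nb = groups_by_grouplist(pw->pw_name, pw->pw_gid, b, MAXGROUPS);
    if (na < 0 || nb < 0) return 0;
    for (int i = 0; i < nb; i++) if (!contains(a, na, b[i])) return 0;
    for (int i = 0; i < na; i++) if (!contains(b, nb, a[i])) return 0;
    return 1;
}
```

On a host that resolves groups through nss_ldap, timing the two functions for a user in a large directory makes the difference the report describes visible directly.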