Gael Martinez
2006-Mar-14 01:47 UTC
groups issue with openssh (all versions since at least 3.8), AIX 5.3 and NIS
Hello

We have been having a massive performance issue in our environment for a while. SSH logins simply take 30 s to 1 minute to give a prompt, telnet is instantaneous.

After doing a few tcpdump and comparisons between telnet and ssh connections, we noticed that on average a ssh connection is generating over 12000 nis sessions, scanning basically all the group.byname table a few times and we got a few thousand groups... :(

I was wondering if it could be the same issue that we saw with DB2 which behaves the exact same way each time a user logs in... they were using the wrong function to determine the groups associated to one user

http://www-1.ibm.com/support/docview.wss?uid=swg1IY44229

As we got over a thousand AIX machines running my build of openssh in a very large environment, this is causing a real overall performance issue with our nis environment ...

Details about the current test build:

apsp8111:/gael/src/openssh-4.3p2 #oslevel -r
5300-03
bash-2.05a$ gcc -v
Reading specs from /opt/gcc/gcc-3.2.2/lib/gcc-lib/powerpc-ibm-aix5.1.0.0/3.3.2/specs
Configured with: ./configure --prefix=/opt/gcc/gcc-3.2.2 --enable-languages=c,c++
Thread model: aix
gcc version 3.3.2
apsp8111:/gael/src/openssh-4.3p2 #/usr/local/ssl/bin/openssl version
OpenSSL 0.9.7i 14 Oct 2005
apsp8111:/gael/src/openssh-4.3p2 #./ssh -v
OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005
$ ./configure --without-rsh --disable-suid-ssh --sysconfdir=/etc/ssh --with-mantype=man --libexecdir=/usr/local/sbin --with-pid-dir=/etc/ssh --with-zlib=../zlib-1.2.3 --with-default-path=/bin:/usr/bin:/usr/local/bin

Let me know, I will assist as much as possible, this is really a big issue for us, and I'm not able to determine if that issue can be resolved with a patch to openssh or at the OS level.

Regards
--
Gael
Darren Tucker
2006-Mar-14 03:11 UTC
groups issue with openssh (all versions since at least 3.8), AIX 5.3 and NIS
On Mon, Mar 13, 2006 at 07:47:37PM -0600, Gael Martinez wrote:
[...]
> that on average a ssh connection is generating over 12000 nis sessions,
> scanning basically all the group.byname table a few times and we got a
> few thousand groups... :(
[...]
> Let me know, I will assist as much as possible, this is really a big
> issue for us, and I'm not able to determine if that issue
> can be resolved with a patch to openssh or at the OS level.

Looking briefly at the URL and the code, it looks like it could be resolved by implementing an AIX-specific getgroupslist() based on getgrset(). I'll look at it if you can test patches.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
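
The approach suggested in the reply above, sketched as an added example (not code from this thread or from OpenSSH): AIX getgrset() returns one user's group IDs as a comma-separated string, so a getgrouplist()-style result can be built from a single lookup instead of walking every group entry. The name grset_to_grouplist and the sample string are hypothetical; the string is passed in as a parameter so the code runs off AIX.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Store gid unless already stored; keep counting past max so the
 * caller gets an upper bound on the array size it needs. */
static void add_gid(gid_t gid, gid_t *groups, int max, int *n)
{
    for (int i = 0; i < *n && i < max; i++)
        if (groups[i] == gid)
            return;
    if (*n < max)
        groups[*n] = gid;
    (*n)++;
}

/* Build a getgrouplist()-style array from a getgrset()-format string
 * ("gid,gid,..."). On AIX the string would come from getgrset(user).
 * Returns the number of groups, or -1 if *ngroups was too small (then
 * *ngroups holds the size needed) or the string is malformed (*ngroups = 0). */
int grset_to_grouplist(const char *grset, gid_t basegid, gid_t *groups, int *ngroups)
{
    int max = *ngroups, n = 0;
    const char *p = grset;

    add_gid(basegid, groups, max, &n);          /* primary group goes first */
    while (p != NULL && *p != '\0') {
        char *end;
        unsigned long v;

        errno = 0;
        v = strtoul(p, &end, 10);
        if (*p < '0' || *p > '9' || errno != 0 || (*end != ',' && *end != '\0')
            || (unsigned long)(gid_t)v != v) {  /* reject signs, junk, overflow */
            *ngroups = 0;
            return -1;
        }
        add_gid((gid_t)v, groups, max, &n);
        p = (*end == ',') ? end + 1 : end;
    }
    *ngroups = n;
    return n > max ? -1 : n;
}

int main(void)
{
    gid_t groups[16];
    int ngroups = 16;
    /* Constructed sample in getgrset() format, not captured from a real host. */
    int rc = grset_to_grouplist("1,100,205,100", 100, groups, &ngroups);
    printf("rc=%d ngroups=%d\n", rc, ngroups);
    return 0;
}
```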