#1063 Improve initgroups() performance for ssh and similar services

Created 5 years ago by sbose
Modified 8 months ago

Currently sssd records in a client session if an online initgroups() call was already done and does not run a second online call if the last one falls in a timeout.

sshd and maybe other services uses two different PAM sessions, one for authentication and authorization and a second one for the session setup. Form the sssd perspective these are two different client sessions and two online initgroups() calls are preformed for a single ssh connection. As far as I know it is not possible to to related the two PAM session.

To improve the performance here I would like to suggest to save the time of the last initgroups() call for a user not only in the client context, but additionally in a global context. This way critical task like authentication, access control and maybe password changes can still check the timeout of the client context to make sure the initgroups() is at least done once online with this session is run. Other task can check the global timeout and can use that data which is stored by other sessions if it is not too old.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.8.0

Fields changed

milestone: SSSD 1.8.0 => SSSD 1.7.0

Fields changed

owner: somebody => jhrozek

Fields changed

owner: jhrozek => jzeleny

Fields changed

owner: jzeleny => sgallagh

Fields changed

blockedby: =>
blocking: =>
patch: 0 => 1

Fields changed

status: new => assigned

Fixed by d844aab

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

8 months ago

Metadata Update from @sbose:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.7.0

Login to comment on this ticket.

enhancement

PAM

1.6.2

0

1

0

cancel