I see that when sss_ssh_authorizedkeys tries to fetch keys for a user in a FreeIPA realm, and that user has certificates added to their account, it causes sssd_ssh to try to connect to ipa-ca.example.com to perform OCSP.
Now, ipa-ca.example.com resolves to an A record for each CA in my FreeIPA domain. If the first IP address it tries happens to be unreachable, after some seconds I see the following message in /var/log/messages:
sssd: Killing service [ssh], not responding to pings!
From a user's point of view, ssh says:
Authentication failed.
It would be better if sssd_ssh could (be configured to?) quickly give up on an unresponsive OCSP server and try the next one returned by the A record.
Thank you, I think this is a good idea. May I ask on which platform/operating system you are using SSSD?
bye, Sumit
Hey sumit. This would be good for all platforms.
May I ask on which platform/operating system you are using SSSD?
Good question. I believe so far I've only seen this issue on CentOS 6.
Thanks, on CentOS 6 OCSP is completely handled by NSS. I'll check how multiple addresses are handled by NSS and if there is a difference between CentOS/RHEL 6 and 7.
NSS should check all addresses returned by DNS but uses a hardcoded timeout of 30s before trying the next server.
Can you try to set p11_child_timeout = 100 to allow 100s for the certificate validation to see if now more than one OCSP is tried? If this is the case we might ask NSS to allow a configurable timeout but I doubt that this will ever get backported to RHEL6.
For the OpenSSL version used in recent Fedora versions I'll use this ticket to implement the feature.
On CentOS 6, setting p11_child_timeout = 100 didn't help. I still see Authentication failed from SSH after 30 seconds. Stracing sssd_ssh, I see that it retries the same OCSP server after 60 seconds.
Metadata Update from @pbrezina: - Issue tagged with: Future milestone
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4907
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @pbrezina: - Issue close_status updated to: cloned-to-github - Issue status updated to: Closed (was: Open)