KB-5930: SSH login delays over Centrify-enabled OpenSSH configured with Match statement
Applies to:
All versions of Centrify-enabled OpenSSH on all platforms
Problem:
When deploying Centrify-enabled OpenSSH with DirectControl, AD users see longer than expected delays when logging in over SSH. The affected users are members of many nested AD groups, and one or more Match statements have been configured in the /etc/centrifydc/ssh/sshd_config file.
Cause:
There is a known issue in the open-source version of OpenSSH: when evaluating a Match statement it enumerates the user's group membership through the NSS call getgrent(), which is a resource-intensive NSS operation, especially for users with hundreds of AD group memberships. Because this call bypasses nscd, it can add delays of several minutes or more to each login session. Since Centrify-enabled OpenSSH is based on the open-source version, it is affected by this issue as well.
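The following shell script is an added triage check, not part of this article or of Centrify's product. It reports whether a host meets the two conditions described above (Match statements in the Centrify sshd_config, and a user whose NSS group list is large) and times a full group-database enumeration of the kind getgrent() performs, so a slow run on a DirectControl host can be compared with the login delay. The default config path is the one named in this article; the 100-group threshold, the function names and the inline sample sshd_config are assumptions for illustration.

```shell
#!/bin/sh
# Added triage helper for KB-5930 (example code, not Centrify's): checks whether a
# host meets the conditions described in this article. Defaults are assumptions.

CDC_SSHD_CONFIG="${CDC_SSHD_CONFIG:-/etc/centrifydc/ssh/sshd_config}"
GROUP_THRESHOLD="${GROUP_THRESHOLD:-100}"  # "hundreds of groups" in the KB; 100 is an assumed cut-off

# Strip leading whitespace and comments so only effective directives are counted.
effective_directives() {
    sed -e 's/^[[:space:]]*//' -e 's/#.*//' "$1"
}

# Number of Match lines (the keyword is case-insensitive in sshd_config).
count_match_lines() {
    effective_directives "$1" |
        awk 'tolower($1) == "match" { n++ } END { print n + 0 }'
}

# Number of Match lines carrying a Group criterion; these are the ones that
# compare the connecting user's group list.
count_group_match_lines() {
    effective_directives "$1" |
        awk 'tolower($1) == "match" {
                 for (i = 2; i <= NF; i++)
                     if (tolower($i) == "group") { n++; break }
             }
             END { print n + 0 }'
}

# Group count for a user as resolved through NSS (id -G lists every group ID).
count_user_groups() {
    id -G "$1" 2>/dev/null | wc -w | tr -d ' '
}

# Elapsed whole seconds for a full enumeration of the group database.
# getent group walks it with getgrent(), the call named in the KB, and nscd
# does not serve enumeration, so a long run here reflects the cost sshd pays.
time_group_enumeration() {
    start=$(date +%s)
    getent group >/dev/null 2>&1
    end=$(date +%s)
    echo $((end - start))
}

# Print the findings for one user; succeed (exit 0) only when both KB conditions
# hold: Match statements present and group count at or above the threshold.
assess() {
    cfg=$1
    user=$2
    matches=$(count_match_lines "$cfg")
    group_matches=$(count_group_match_lines "$cfg")
    ngroups=$(count_user_groups "$user")
    printf '%s: %s Match line(s), %s with a Group criterion\n' "$cfg" "$matches" "$group_matches"
    printf '%s: %s group(s) via NSS (threshold %s)\n' "$user" "$ngroups" "$GROUP_THRESHOLD"
    [ "$matches" -gt 0 ] && [ "$ngroups" -ge "$GROUP_THRESHOLD" ]
}

# Constructed sample sshd_config for a dry run (not a real host's configuration);
# prints the path of the temporary file it wrote.
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
PasswordAuthentication no
    # a Match keyword inside a comment must not count
Match Group ad-admins
    AllowTcpForwarding yes
Match User svc-backup Address 10.0.0.0/8
    ForceCommand /usr/local/bin/backup
EOF
    printf '%s\n' "$f"
}

# Usage on a live host:  assess "$CDC_SSHD_CONFIG" jdoe && time_group_enumeration
```

Run assess against the Centrify sshd_config for a user who reports slow logins; a non-zero Match count together with a group count in the hundreds is the pattern this article describes, and time_group_enumeration shows how long a single uncached walk of the group database takes on that host.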
Workaround:
Remove the SSH Match statements if possible, or consider migrating them to the Centrify SSH session-based rights feature, documented in Chapter 7 of the Admin Guide, which offers equivalent or better functionality and is not affected by this issue.
Although it is up to the open-source vendor to address the underlying issue, Centrify plans to incorporate an interim fix into its version of OpenSSH in an upcoming release of Centrify Server Suite.