Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5930: SSH login delays over Centrify-enabled OpenSSH configured with Match statement

Authentication Service ,  

28 September,16 at 11:53 PM

Applies to:

All versions of Centrify-enabled OpenSSH on all platforms


Problem:

When deploying Centrify-enabled OpenSSH with DirectControl AD users are seeing longer than expected delays when trying to login over SSH.  The users experiencing delays are members of many nested AD groups and one or more Match statements have been configured in the /etc/centrifydc/ssh/sshd_config file


Cause:

There is a known issue in the open-source version of OpenSSH where it makes an NSS call "getgrent()" when enumerating a user's group membership for the Match statement which can be a resource intensive NSS operation especially for users with hundreds of AD group memberships.  Combined with the fact that this call bypasses nscd it can result in delays of several minutes or more per login session.  Since Centrify-enabled OpenSSH is based on the open source version we are affected by this.  


Workaround:

Remove the SSH Match statements if possible, or consider migrating them to the Centrify SSH session-based rights feature as documented in Chapter 7 of our Admin guide which offers equivalent functionality or better and is not affected by this issue:

https://docs.centrify.com/en/css/suite2016/centrify-unix-adminguide.pdf?_ga=1.18735673.1244936735.1438715042


Resolution:

Although it is up to the open source vendor to address the issue Centrify does plan to incorporate an interim fix to our version of OpenSSH in an upcoming release of Centrify Server Suite.  

(All links are provided as a courtesy)

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-3925: How to add Centrify parameter to a group policy article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III