
KB-5930: SSH login delays over Centrify-enabled OpenSSH configured with Match statement

Authentication Service

28 September,16 at 11:53 PM

Applies to:

All versions of Centrify-enabled OpenSSH on all platforms


When Centrify-enabled OpenSSH is deployed with DirectControl, AD users see longer than expected delays when trying to log in over SSH. The users experiencing delays are members of many nested AD groups, and one or more Match statements have been configured in the /etc/centrifydc/ssh/sshd_config file.


There is a known issue in the open-source version of OpenSSH: when enumerating a user's group membership for the Match statement, it makes the NSS call "getgrent()", which can be a resource-intensive NSS operation, especially for users with hundreds of AD group memberships. Because this call also bypasses nscd, it can result in delays of several minutes or more per login session. Centrify-enabled OpenSSH is based on the open-source version, so it is affected by this issue.


Remove the SSH Match statements if possible, or consider migrating them to the Centrify SSH session-based rights feature, which offers equivalent or better functionality and is not affected by this issue. The feature is documented in Chapter 7 of our Admin guide:


Although it is up to the open-source vendor to address the issue, Centrify does plan to incorporate an interim fix into our version of OpenSSH in an upcoming release of Centrify Server Suite.
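
To find the Match statements that the resolution above asks you to remove or migrate, the following added example (not Centrify or OpenSSH code) parses an sshd_config and lists each Match block with its criteria and the directives it carries. The sample configuration is constructed and the function names are hypothetical; marking blocks that carry a Group criterion as the ones needing the group lookup is an assumption drawn from the cause described above.

```python
import shlex

# Constructed sample; on a real host, read /etc/centrifydc/ssh/sshd_config.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
PasswordAuthentication yes
Match Group "unix admins",dba Address 10.0.0.0/8
    X11Forwarding no
match user backup
    ForceCommand /usr/local/bin/backup-only
Match All
    AllowTcpForwarding no
"""


def find_match_blocks(text):
    """Return one dict per Match line: line number, criteria, directives."""
    blocks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        try:
            tokens = shlex.split(raw, comments=True)  # handles "quoted names"
        except ValueError:
            continue  # skip lines with unbalanced quotes
        if not tokens:
            continue  # blank line or comment
        if tokens[0].lower() != "match":
            if blocks:  # a Match block runs to the next Match line or EOF
                blocks[-1]["directives"].append(" ".join(tokens))
            continue
        criteria, args = {}, iter(tokens[1:])
        for name in args:
            key = name.lower()  # keywords are case-insensitive
            # "All" takes no pattern; other criteria take a comma-separated list
            criteria[key] = [] if key == "all" else next(args, "").split(",")
        blocks.append({"line": lineno, "criteria": criteria, "directives": []})
    return blocks


def group_match_blocks(text):
    """Blocks with a Group criterion (assumed to need the group lookup)."""
    return [b for b in find_match_blocks(text) if "group" in b["criteria"]]


if __name__ == "__main__":
    for b in find_match_blocks(SAMPLE_CONFIG):
        flag = "GROUP" if "group" in b["criteria"] else "-"
        print(f"line {b['line']}: [{flag}] {b['criteria']} -> {b['directives']}")
```

The directives listed under each block are the settings that would need an equivalent elsewhere before the Match statement is removed.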
