Ticket #1063 (closed enhancement: fixed)
Improve initgroups() performance for ssh and similar services
|Reported by:||sbose||Owned by:||sgallagh|
|Coverity Bug:||Patch Submitted:||yes|
|Red Hat Bugzilla:||0||Design link:|
|Design review:||Fedora test page:|
|Chosen:||Candidate to push out:|
Currently sssd records in a client session if an online initgroups() call was already done and does not run a second online call if the last one falls in a timeout.
sshd and maybe other services uses two different PAM sessions, one for authentication and authorization and a second one for the session setup. Form the sssd perspective these are two different client sessions and two online initgroups() calls are preformed for a single ssh connection. As far as I know it is not possible to to related the two PAM session.
To improve the performance here I would like to suggest to save the time of the last initgroups() call for a user not only in the client context, but additionally in a global context. This way critical task like authentication, access control and maybe password changes can still check the timeout of the client context to make sure the initgroups() is at least done once online with this session is run. Other task can check the global timeout and can use that data which is stored by other sessions if it is not too old.
- Resolution set to fixed
- Status changed from assigned to closed