[RHEL-5099] Slow ssh connection when using password authentication due to a large amount of "close" syscall

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-9.4
Affects Version/s: rhel-9.0.0
Component/s: pam
Labels:
- MigratedToJIRA

Fixed in Build:
pam-1.5.1-16.el9
Regression:
None
Severity:
Important

Pool Team:

rhel-sst-idm-sssd
Sub-System Group:

ssg_idm

Dev Target Milestone:
11
Internal Target Milestone:
12
Story Points:
0
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Preliminary Testing:
Pass
Errata Link:
https://errata.devel.redhat.com/advisory/123902
Test Coverage:

RegressionOnly

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

All
Bugzilla Bug:
RHBZ: 2234460

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:
Connecting via ssh to a server with a password is longer with RHEL 9 compared to RHEL 8

IT seemed to be resolved in RHEL 8 with the patch pam-1.3.1-fds-closing.patch (RHBZ1737812), but the fix has been reverted upstream and is not part of the code anymore.

Version-Release number of selected component (if applicable):
9.0, 9.1 and 9.2

How reproducible:
Connect using a password authentication

Actual results:
With RHEL 9, sshd spends 25% of its time running the close syscall :
RHEL 9 :
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
71.81 1.680497 35755 47 21 wait4
25.48 0.596416 4 131894 131057 close
0.48 0.011248 11 979 335 openat
0.31 0.007196 359 20 execve
...

RHEL 8 :
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
81.89 0.099364 1505 66 31 wait4
2.64 0.003209 4 773 208 openat
2.53 0.003064 139 22 execve
2.26 0.002739 80 34 clone
1.21 0.001467 27 53 socket
1.09 0.001328 16 80 3 write
1.04 0.001260 2 493 2 read
0.90 0.001094 2 495 mmap

Is it possible to recreate a patch to correct this behavior?

external trackers

PnT-DevOps Jira RHELPLAN-158698

Red Hat Bugzilla 1737812

Red Hat Customer Portal 03592918

Red Hat Issue Tracker RHELPLAN-166438

Red Hat Issue Tracker SSSD-6655

links to

RHBA-2023:123902 pam bug fix and enhancement update

mentioned on

Merge request - Several PAM fixes

(1 links to, 1 mentioned on)

Errata Tool added a comment - 2024/04/30 10:51 AM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (Moderate: pam security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:2438

Errata Tool added a comment - 2024/04/30 10:51 AM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Moderate: pam security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:2438

gitlab-bot added a comment - 2023/11/10 9:51 AM

Iker Pedrosa mentioned this issue in a merge request of Red Hat / centos-stream / rpms / pam on branch 9_4:

Several PAM fixes

gitlab-bot added a comment - 2023/11/10 9:51 AM Iker Pedrosa mentioned this issue in a merge request of Red Hat / centos-stream / rpms / pam on branch 9_4 : Several PAM fixes

Iker Pedrosa added a comment - 2023/09/29 12:46 PM

I have changed the code and checked the behaviour of close_range(). It is slightly better, but I don't know if it will be enough for the client. Admittedly, my environment is quite limited. Would the customer be willing to use a test build to see if the behaviour improves?

Iker Pedrosa added a comment - 2023/09/29 12:46 PM I have changed the code and checked the behaviour of close_range(). It is slightly better, but I don't know if it will be enough for the client. Admittedly, my environment is quite limited. Would the customer be willing to use a test build to see if the behaviour improves?

Christophe Besson added a comment - 2023/09/28 7:29 AM

Increasing the severity as the customer is awaiting for a fix.

Christophe Besson added a comment - 2023/09/28 7:29 AM Increasing the severity as the customer is awaiting for a fix.

pm-rhel added a comment - 2023/09/19 2:01 PM

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

pm-rhel added a comment - 2023/09/19 2:01 PM Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Assignee:: Iker Pedrosa

Reporter:: Nicolas Bourgeois

Developer:: Iker Pedrosa

QA Contact:: SSSD QE

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2023/09/19 2:00 PM

Updated:: 2024/09/23 9:11 PM

Resolved:: 2024/04/30 10:51 AM

Dev Target end:: 2023/11/17

Target end:: 2023/11/24

Release Date:: 2024/04/30

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Errata Tool added a comment - 2024/04/30 10:51 AM

Expand comment: Errata Tool added a comment - 2024/04/30 10:51 AM

Collapse comment: gitlab-bot added a comment - 2023/11/10 9:51 AM

Expand comment: gitlab-bot added a comment - 2023/11/10 9:51 AM

Collapse comment: Iker Pedrosa added a comment - 2023/09/29 12:46 PM

Expand comment: Iker Pedrosa added a comment - 2023/09/29 12:46 PM

Collapse comment: Christophe Besson added a comment - 2023/09/28 7:29 AM

Expand comment: Christophe Besson added a comment - 2023/09/28 7:29 AM

Collapse comment: pm-rhel added a comment - 2023/09/19 2:01 PM

Expand comment: pm-rhel added a comment - 2023/09/19 2:01 PM

People

Dates