Re: sshd repeated polling for non-local uidNumber?

On Fri, 2020-05-15 at 15:16 +0000, Dave Sclarsky wrote:
> One thing I noticed is that if a user logs in via ssh and is
> authenticated via LDAP, we see repeated queries to the LDAP server as
> shown below, but only if the uidNumber in the LDAP database is not
> present in the local Linux password database.  The repeated polling
> seems to happen once a minute if the user is idle at a shell prompt,
> and will also happen when they enter certain commands (e.g. ps).
> Here's output from nslcd -d showing the poll:
> nslcd: [0e0f76] DEBUG: connection from  pid=27529 uid=0 gid=0

If you have a test setup you could try to figure out what process ID
27529 is. I don't know of any regular name lookups of idle shells but
if it runs every minute it could be some cron job.

There are a lot of things that could trigger this. If there is a
process that runs e.g. `ps -ef` on the system it will do name lookups
for all users that own processes on the system. I've also seen bash
completion triggering name lookups under certain conditions so there
are a lot of processes that can potentially cause this.

One way to limit the load on your LDAP server for this is to use nscd
or unscd which will ensure that repeated lookups do not all hit nslcd.

Hope this helps,

-- arthur - - --
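A small script to act on the suggestion above, added here as an example and not part of the thread: it parses `nslcd -d` lines in the format quoted in the question, counts connections per client pid and resolves each pid to a command name via /proc so you can see which process keeps asking. The sample log lines are constructed, not real output.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): identify the process behind
# repeated "connection from pid=NNNN" lines in nslcd debug output.
# Assumes the log format shown in the thread and a Linux /proc filesystem.

# Extract the client pid from one nslcd debug line, e.g.
#   nslcd: [0e0f76] DEBUG: connection from  pid=27529 uid=0 gid=0
nslcd_pid() {
    printf '%s\n' "$1" | sed -n 's/.*connection from *pid=\([0-9][0-9]*\).*/\1/p'
}

# Resolve a pid to its command name via /proc; prints "(exited)" when the
# process is already gone (short-lived callers such as ps usually are).
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        tr -d '\n' < "/proc/$1/comm"
    else
        printf '(exited)'
    fi
}

# Summarise a log read on stdin: one line per pid with hit count and command
# name, most frequent caller first.
summarise_nslcd_log() {
    grep -o 'pid=[0-9]*' | cut -d= -f2 | sort | uniq -c | sort -rn |
    while read -r count pid; do
        printf '%s %s %s\n' "$count" "$pid" "$(proc_name "$pid")"
    done
}

# Constructed sample log (not real nslcd output).
SAMPLE='nslcd: [0e0f76] DEBUG: connection from  pid=27529 uid=0 gid=0
nslcd: [1a2b3c] DEBUG: connection from  pid=27529 uid=0 gid=0
nslcd: [4d5e6f] DEBUG: connection from  pid=1 uid=0 gid=0'

# Run with --demo to summarise the sample; otherwise pipe a real log into
# summarise_nslcd_log, e.g.  nslcd -d 2>&1 | tee nslcd.log; summarise_nslcd_log < nslcd.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | summarise_nslcd_log
fi
```

Run it on the live system while the polling is happening; once you have the pid, checking the system crontabs for a matching job and whether it runs `ps` or a similar command usually explains the once-a-minute pattern.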