Bug 1886661
| Summary: | SSH public key authentication keeps working after keys are removed from ID view (due to being cached by SSSD locally) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Ding-Yi Chen <dchen> |
| Component: | sssd | Assignee: | Paweł Poławski <ppolawsk> |
| Status: | CLOSED WONTFIX | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.3 | CC: | atikhono, bthekkep, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, ppolawsk, sbose, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | sync-to-jira | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-04-16 02:13:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Ding-Yi Chen
2020-10-09 05:14:29 UTC
Hi,

(In reply to Ding-Yi Chen from comment #0)
> > Workaround: Stop SSSD, clean SSSD db and mc, and start sssd fix the problem

Does this happen on server, client or both? I guess both.

Anyway, I don't think this is a regression.

Comment https://github.com/SSSD/sssd/pull/472#discussion_r160399768 from Sumit says:
"I think it might be better to postpone this patch and document that ssh-key will not be deleted immediately in the cache"

So IIUC bz 1537272 resolved issue that ssh-key wasn't removed even during cache update, but didn't address issue of outdated data cached locally.

> Does this happen on server, client or both? I guess both.

Yes, you are right.

> What are the expectations here: local cache entry being invalidated as soon as `ipa idoverrideuser-del` executed or merely `sss_cache -E` to destroy this attribute?

The customer expects the `ipa idoverrideuser-del` should remove the ssh-key immediately.
Customer does not mention `sss_cache -E`. I just provide it as additional information.

> So IIUC bz 1537272 resolved issue that ssh-key wasn't removed even during cache update, but didn't address issue of outdated data cached locally.

Customer would like to know how often the cache updates?
What option controls the frequency of cache update?
So they might not need to manually restart thousands of computers.

(In reply to Ding-Yi Chen from comment #5)
> > > So IIUC bz 1537272 resolved issue that ssh-key wasn't removed even during cache update, but didn't address issue of outdated data cached locally.
> >
> > Customer would like to know how often the cache updates?
> What option controls the frequency of cache update?

`entry_cache_timeout` or, I think, more specifically `entry_cache_user_timeout`.

But please note that having those values very low can result in significant performance impact.

Customer has confirmed "entry_cache_timeout" in sssd.conf is working as expected.
The corresponding case is closed as the request is fulfilled.

Thanks for your help!
I'm changing resolution because problem with cache invalidation is a real issue, but it's not something that can be easily addressed/fixed.
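
Because the thread settles on `entry_cache_timeout` / `entry_cache_user_timeout` as the control for how long a removed key can still be served from the local cache, the following added example (not code from this bug report or from the SSSD project) computes that window per enabled domain from an `sssd.conf` and flags domains that exceed a revocation budget. The 5400-second default and the fallback from `entry_cache_user_timeout` to `entry_cache_timeout` follow sssd.conf(5); the sample configuration, domain names and the 900-second budget are constructed for illustration.

```python
import configparser

# Default for entry_cache_timeout per sssd.conf(5); entry_cache_user_timeout
# falls back to entry_cache_timeout when it is not set.
SSSD_DEFAULT_ENTRY_CACHE_TIMEOUT = 5400

# Constructed sample configuration (hypothetical domains and values).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ssh
domains = ipa.example.test, lab.example.test, legacy.example.test

[domain/ipa.example.test]
id_provider = ipa
entry_cache_timeout = 600

[domain/lab.example.test]
id_provider = ipa
entry_cache_timeout = 7200
entry_cache_user_timeout = 300

[domain/legacy.example.test]
id_provider = ipa
"""

def user_cache_windows(conf_text):
    """Map each enabled domain to its effective user-entry cache lifetime (s)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    listed = parser.get("sssd", "domains", fallback="")
    enabled = {d.strip() for d in listed.split(",") if d.strip()}
    windows = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if enabled and name not in enabled:
            continue  # section exists but the domain is not enabled in [sssd]
        opts = parser[section]
        general = opts.getint("entry_cache_timeout",
                              fallback=SSSD_DEFAULT_ENTRY_CACHE_TIMEOUT)
        windows[name] = opts.getint("entry_cache_user_timeout", fallback=general)
    return windows

def domains_over_budget(conf_text, max_seconds):
    """Domains where a removed SSH key may stay cached longer than max_seconds."""
    return sorted(d for d, s in user_cache_windows(conf_text).items()
                  if s > max_seconds)

if __name__ == "__main__":
    print(user_cache_windows(SAMPLE_SSSD_CONF))
    print(domains_over_budget(SAMPLE_SSSD_CONF, 900))  # hypothetical 15 min budget
```
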