#1138626 openssh: repeated calls to getpwent cause very slow connection establishment

#1138626#5
Date:
2026-06-01 13:34:35 UTC
From:
To:
Hi,

I found SSH connections to a remote server to be consistently slow
(~15 seconds to get a shell) despite the server being responsive and
geographically close.

The user database for the system in question is on LDAP, and it is quite
large. `getent passwd` takes ~4-5 seconds. However, I expected PAM user
lookups to be targeted to a single user, and `getent passwd ema` is very
fast.

It took a while to figure out that the full user database was being
dumped instead, multiple times. This is due to getpwent being called in
user-group-modes.patch. Even setting the highest possible sshd LogLevel
(DEBUG3) was not too helpful, no specific clues were given other than
the fact that somehow parsing authorized_keys took several seconds:

09:25:13 hostname sshd[3242229]: debug1: trying public key file /home/ema/.ssh/authorized_keys
09:25:13 hostname sshd[3242229]: debug1: fd 5 clearing O_NONBLOCK

And:

09:25:18 hostname sshd[3242229]: debug1: /home/ema/.ssh/authorized_keys:3: matching key found

After finding the code path in user-group-modes.patch that calls
getpwent, I changed the permissions of ~/.ssh to 700, and all files
within to 600. getpwent is now not being called anymore, and I am
getting a shell without performance issues.

In the process of debugging this problem, I discovered that nscd does
not cache getpwent calls by design, exacerbating the issue:
https://sourceware.org/pipermail/libc-alpha/2006-August/020774.html

While I do understand the reason for deviating from upstream behavior, I
also wonder if there could be any way to either avoid potentially
expensive getpwent calls, or at least inform the user about what is
going on?

Thanks,
  ema