Bug 1298 - Use of Allow/DenyGroups leads to slow login
Summary: Use of Allow/DenyGroups leads to slow login
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: Other Linux
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-15 21:23 AEDT by Erik Forsberg
Modified: 2019-05-03 14:42 AEST
CC: 2 users

See Also:


Description Erik Forsberg 2007-03-15 21:23:53 AEDT
The code checking if the user is a member of a group listed in either AllowGroups or DenyGroups finds out which groups a user is a member of by getting the list of all groups on the system, then checking the list of members of each group to see if the current user is a member.

This leads to bad performance on some setups. One example of such a setup is Linux systems using nss_ldap, talking to LDAP servers that use the DN of a user as the member attribute for each group. As the DN must be looked up in the directory to see which username it corresponds to, this leads to huge numbers of LDAP queries when enumerating groups. We've seen login delays of 30 seconds or more when using AllowGroups on systems fetching user/group information from medium-sized LDAP directories.

A solution based on initgroups() would get much better performance, as there is code in nss_ldap that makes optimized queries (asking the LDAP server which groups the user is a member of).
Comment 1 Darren Tucker 2007-05-20 16:59:07 AEST
sshd uses getgrouplist for this, which queries only for the specified user. If the platform doesn't have getgrouplist, then the compat code does enumerate all groups.

Is your configuration using a native getgrouplist (check config.h for HAVE_GETGROUPLIST)?  If so, why doesn't getgrouplist do the same optimization as initgroups?
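The following C program is an added illustration and is not OpenSSH's own code. It contrasts the two membership strategies discussed in the description and in Comment 1: walking every group in the database and scanning each member list (what the report describes, and what the compat getgrouplist() falls back to when the platform has no native one), versus asking the backend for one user's groups in a single getgrouplist() call. The group table, user names and GIDs are constructed for the example; the `lookups` counter stands in for the per-member DN-to-username resolution that nss_ldap would perform, so it approximates the number of directory round trips. The AllowGroups check is a simplified exact-name match, not sshd's pattern matching or its DenyGroups handling.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed sample group database (hypothetical names and GIDs); it stands
 * in for what getgrent() would return from the system's NSS backends. */
struct sample_group {
    const char *name;
    gid_t gid;
    const char *members[8];   /* NULL-terminated, like struct group's gr_mem */
};

static const struct sample_group SAMPLE_GROUPS[] = {
    { "wheel",      0,    { "root", "alice", NULL } },
    { "developers", 1001, { "alice", "bob", "carol", NULL } },
    { "sshusers",   1002, { "bob", "dave", NULL } },
    { "auditors",   1003, { "carol", "erin", "frank", "grace", NULL } },
    { "guests",     1004, { NULL } },
};
#define NSAMPLE (sizeof(SAMPLE_GROUPS) / sizeof(SAMPLE_GROUPS[0]))

/* Approach 1 (the behaviour the report describes): walk every group and
 * compare every member name to the user. Returns the number of groups the
 * user is in and fills `out` with their GIDs; *lookups counts member-name
 * comparisons. With nss_ldap storing members as DNs, each comparison needs a
 * directory query to map the DN to a username, so *lookups is the number of
 * LDAP round trips this strategy costs for one login. */
static int groups_by_enumeration(const char *user, gid_t *out, int max, int *lookups)
{
    int n = 0;
    *lookups = 0;
    for (size_t g = 0; g < NSAMPLE; g++) {
        for (const char *const *m = SAMPLE_GROUPS[g].members; *m != NULL; m++) {
            (*lookups)++;
            if (strcmp(*m, user) == 0) {
                if (n < max)
                    out[n] = SAMPLE_GROUPS[g].gid;
                n++;
                break;   /* found in this group; skip its remaining members */
            }
        }
    }
    return n;
}

/* Convenience wrapper: how many member lookups enumeration costs for `user`. */
static int enumeration_cost(const char *user)
{
    gid_t scratch[64];
    int lookups;
    groups_by_enumeration(user, scratch, 64, &lookups);
    return lookups;
}

/* Approach 2: one backend query for the user's groups, as sshd does on
 * platforms with a native getgrouplist(). This queries the real system
 * database for the calling user. Returns the group count, -1 if the user has
 * no passwd entry (e.g. an unmapped UID in a container), or -2 if `max` was
 * too small for the full list. */
static int groups_by_getgrouplist(gid_t *out, int max)
{
    struct passwd *pw = getpwuid(getuid());
    int ngroups = max;
    if (pw == NULL)
        return -1;
    /* getgrouplist() always includes pw_gid, even when the group database
     * lists no supplementary groups for the user. */
    if (getgrouplist(pw->pw_name, pw->pw_gid, out, &ngroups) == -1)
        return -2;
    return ngroups;
}

/* Simplified AllowGroups decision: does any of the user's groups appear in
 * the allow list? Names are matched exactly (sshd uses patterns). */
static int allowed_by_groups(const gid_t *gids, int ngids, const char *const *allow)
{
    for (int i = 0; i < ngids; i++) {
        const char *name = NULL;
        for (size_t g = 0; g < NSAMPLE; g++) {
            if (SAMPLE_GROUPS[g].gid == gids[i]) {
                name = SAMPLE_GROUPS[g].name;
                break;
            }
        }
        if (name == NULL)
            continue;
        for (const char *const *a = allow; *a != NULL; a++)
            if (strcmp(*a, name) == 0)
                return 1;
    }
    return 0;
}

int main(void)
{
    gid_t gids[64];
    int lookups, n;
    const char *const allow[] = { "sshusers", "wheel", NULL };

    n = groups_by_enumeration("alice", gids, 64, &lookups);
    printf("enumeration: alice is in %d group(s) after %d member lookups; allowed=%d\n",
           n, lookups, allowed_by_groups(gids, n, allow));

    n = groups_by_getgrouplist(gids, 64);
    if (n < 0)
        printf("getgrouplist: could not list groups for uid %ld (rc=%d)\n",
               (long)getuid(), n);
    else
        printf("getgrouplist: uid %ld is in %d group(s) from one backend query\n",
               (long)getuid(), n);
    return 0;
}
```

In the constructed table the enumeration path touches nine member entries to learn alice's two groups and eleven to learn that an unknown user has none, and every one of those touches is a directory query on a DN-member LDAP setup; the getgrouplist() path asks the backend once. To see which path a given build takes, check config.h after configure for HAVE_GETGROUPLIST, as Comment 1 suggests.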
Comment 2 Damien Miller 2019-01-23 11:48:15 AEDT
12 years with no followup == no bug
Comment 3 Damien Miller 2019-05-03 14:42:38 AEST
Move resolved bugs -> CLOSED after 8.0 release