splitting big authorized_keys files

Ph. Marek philipp.marek at bmlv.gv.at
Tue Aug 19 18:14:35 EST 2003


Hello everybody,

I have a problem. You may have the answer :-)


I'd like to use openssh for an authentication service.
But that gives me a user, whose ~/.ssh/authorized_keys file has about 15000 
entries.
With about 300 characters per line I'd get 4,5 MB of data.

I believe that this length of file could lead to performance issues; so I'm 
looking for solutions.

I already saw the possibility of using "%u" or "%h" in 
sshd_conf/AuthorizedKeysFile; but that's system-wide and not for this one 
user.
And %u wouldn't differentiate between my users, as the target-user is always 
the same.

One solution would be to have a %2p, which would take 2 characters of the 
public key (preferably the last two - the first two won't differ much :-) and 
use that in an AuthorizedKeysFile statement, and leave AuthorizedKeys2File 
as-is - so the normal login procedure would go and use 
~/.ssh/authorized_keys2 as usual, but it would try and use e.g. for 
"%h/.ssh/authorized_keys_%2p" a file ~/.ssh/authorized_keys_A2 or whatever 
and find there only the matching subset of keys.
So the authorized_keys file could be split along multiples of 16 (i.e., one 
hex character); so /16, /256, /4096, ...
This way I could split my user list into 256 files of about 60 entries each; 
that could be handled, I think.


Or, another, possibly better, solution: have sshd generate an index for 
authorized_keys automatically (based on file-date).
So sshd looks for the public key in the index, reads the index for the 
authorized_keys file, seeks there, and uses the key.
If sshd detects that the index is older than the file (or has another mtime 
stored), the index gets regenerated.


Can you please share your experiences regarding big authorized_keys files with 
me? Any hints, tips or patches (:-) welcome.


Regards,

Phil
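The second proposal above (an index over authorized_keys that is rebuilt when the file's mtime changes, then a seek to the matching line), as an added example that is not part of the original message or of OpenSSH. Assumptions: the index is a constructed JSON sidecar file `authorized_keys.idx` keyed by the SHA-256 of each base64 key blob, the sample keys are made up, and the line found via the index is re-checked against the requested blob so a stale or tampered index can never authorize the wrong key.

```python
import hashlib, json, os, tempfile

# Constructed sample authorized_keys content (not real keys); the second
# entry carries options before the key type, as sshd allows.
SAMPLE = (b"# comment line\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkeyone== alice\n"
          b'no-pty,command="/bin/true" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeytwoAB== bob\n'
          b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkeythree== carol\n")

def write_sample():
    """Write SAMPLE into a fresh temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    with open(path, "wb") as f:
        f.write(SAMPLE)
    return path

def key_blob(line):
    """Base64 key blob of one authorized_keys line, or None for comments."""
    fields = line.split()
    for i, f in enumerate(fields):  # options, if present, precede the key type
        if f.startswith((b"ssh-", b"ecdsa-", b"sk-")) and i + 1 < len(fields):
            return fields[i + 1]
    return None

def build_index(path):
    """Map SHA-256(blob) -> byte offset of its line; remember the file's mtime."""
    index = {"mtime": os.stat(path).st_mtime, "keys": {}}
    with open(path, "rb") as f:
        pos, line = 0, f.readline()
        while line:
            blob = key_blob(line)
            if blob:
                index["keys"][hashlib.sha256(blob).hexdigest()] = pos
            pos, line = f.tell(), f.readline()
    with open(path + ".idx", "w") as f:
        json.dump(index, f)
    return index

def lookup(path, blob):
    """Return the line authorizing blob (or None), rebuilding a stale index."""
    index = None
    if os.path.exists(path + ".idx"):
        with open(path + ".idx") as f:
            index = json.load(f)
        if index.get("mtime") != os.stat(path).st_mtime:
            index = None  # authorized_keys changed after indexing: rebuild
    if index is None:
        index = build_index(path)
    pos = index["keys"].get(hashlib.sha256(blob).hexdigest())
    if pos is None:
        return None
    with open(path, "rb") as f:
        f.seek(pos)
        line = f.readline().rstrip(b"\n")
    # Never trust the index alone: confirm the line really carries this blob.
    return line if key_blob(line) == blob else None
```

A real sshd would also have to refuse an index it cannot verify (wrong owner, mode or mtime), just as it does for authorized_keys itself under StrictModes.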
