splitting big authorized_keys files
Ph. Marek
philipp.marek at bmlv.gv.at
Tue Aug 19 18:14:35 EST 2003
Hello everybody,

I have a problem. You may have the answer :-)

I'd like to use openssh for an authentication service.
But that gives me a user whose ~/.ssh/authorized_keys file has about 15000
entries.
With about 300 characters per line I'd get 4,5 MB of data.

I believe that this length of file could lead to performance issues; so I'm
looking for solutions.

I already saw the possibility of using "%u" or "%h" in
sshd_config/AuthorizedKeysFile; but that's system-wide and not for this one
user.
And %u wouldn't differentiate between my users, as the target-user is always
the same.

One solution would be to have a %2p, which would take 2 characters of the
public-key (preferably the last two - the first two won't differ much :-) and
use that in an AuthorizedKeysFile-statement, and leaving AuthorizedKeys2File
as-is - so the normal login procedure would go and use
~/.ssh/authorized_keys2 as usual, but it would try and use e.g. for
"%h/.ssh/authorized_keys_%2p" a file ~/.ssh/authorized_keys_A2 or whatever
and find there only the matching subset of keys.
So the authorized_keys-file could be split along multiples of 16 (i.e., one
hex-character); so /16, /256, /4096, ...
This way I could split my user-list in 256 files of about 60 entries each;
that could be handled, I think.

Or, another, possibly better, solution: have sshd generate an index for
authorized_keys automatically (based on file-date).
So sshd looks for the public key in the index, reads the index for the
authorized_keys file, seeks there, and uses the key.
If sshd detects that the index is older than the file (or has another mtime
stored), the index gets regenerated.

Can you please share your experiences regarding big authorized_keys-files with
me? Any hints, tips or patches (:-) welcome.

Regards,
Phil
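
The second idea in the message above (a side index for authorized_keys that is regenerated when the file changes), as an added example; it is not code from the post or from OpenSSH. The index file, its JSON layout and the SHA-256 lookup key are assumptions, and the line at the indexed offset is parsed again before it is returned so that a stale or wrong index entry cannot match a different key.

```python
import hashlib, json, os, re

# "<keytype> <base64 blob>" anywhere in the line, so leading options are skipped.
KEY_RE = re.compile(rb"(?:^|\s)(?:ssh|ecdsa|sk)-[\w@.-]+\s+([A-Za-z0-9+/=]+)")

def key_blob(line):
    """Base64 key blob of one authorized_keys line, or None for comments and junk."""
    m = None if line.lstrip().startswith(b"#") else KEY_RE.search(line)
    return m.group(1) if m else None

def fingerprint(blob):
    """Index key: hex SHA-256 of the base64 text (a choice made for this sketch)."""
    return hashlib.sha256(blob).hexdigest()

def build_index(keys_path, index_path):
    """Scan the file once, recording the byte offset of each key's first line."""
    st, offsets = os.stat(keys_path), {}
    with open(keys_path, "rb") as f:
        while True:
            pos, line = f.tell(), f.readline()
            if not line:
                break
            blob = key_blob(line)
            if blob:
                offsets.setdefault(fingerprint(blob), pos)
    index = {"mtime_ns": st.st_mtime_ns, "size": st.st_size, "offsets": offsets}
    with open(index_path + ".tmp", "w") as f:
        json.dump(index, f)
    os.replace(index_path + ".tmp", index_path)  # atomic swap, no half-written index
    return index

def lookup(keys_path, index_path, blob):
    """Return the authorized_keys line for `blob` (bytes), or None if absent."""
    st = os.stat(keys_path)
    try:
        with open(index_path) as f:
            index = json.load(f)
        if (index["mtime_ns"], index["size"]) != (st.st_mtime_ns, st.st_size):
            raise ValueError("index is stale")
    except (OSError, ValueError, KeyError):  # missing, corrupt or stale: rebuild
        index = build_index(keys_path, index_path)
    pos = index["offsets"].get(fingerprint(blob))
    if pos is None:
        return None
    with open(keys_path, "rb") as f:
        f.seek(pos)
        line = f.readline()
    return line.decode().rstrip("\n") if key_blob(line) == blob else None
```

The index decides which line is read, so it needs the same ownership and permissions as authorized_keys itself.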