splitting big authorized_keys files

Peter Stuge stuge-openssh-unix-dev at cdy.org
Tue Aug 26 03:37:36 EST 2003


On Mon, Aug 25, 2003 at 08:47:58AM +0200, Ph. Marek wrote:
> > > But that gives me a user, whose ~/.ssh/authorized_keys file has about
> > > 15000 entries.
> >
> > the current scheme was not intended for 15000 entries, you
> > should try to switch some database...
> 
> "man 5 nsswitch" shows that even /etc/passwd and shadow can be done
> through a db backend.
> 
> Is anyone opposed to having an index for ~/.ssh/authorized_keys?

I think most of the developers are opposed to implementing a database system
in OpenSSH. It is certainly outside the scope of the program.

Further, I don't think nsswitch is quite as portable as OpenSSH-portable,
meaning it's not something we want to rely on.


I suggest you modify a version of OpenSSH so that it works reliably and
performs well for you, or hire someone to do so, and then present the
changes, preferably in diff -U format, to this mailing list.

I believe someone suggested using cdb by Dan J. Bernstein, my experiences
with that database, although somewhat shallow, tell me it's well-suited for
the job.

Please do check license and portability status of whatever package you
decide to use, "You may distribute unmodified copies of the cdb package.
Packages that need to read cdb files should incorporate the necessary
portions of the cdb library rather than relying on an external cdb library."
and "cdb works only under UNIX." applies to cdb, e.g. I would guess that the
wording in the license will be a problem, should you want your changes
included in mainstream OpenBSD OpenSSH, and probably in -portable, too.

For a different (and more UNIX-like) way of solving your problem, OpenSSH
could be made to use an external command for its databases, like the client
currently uses external commands for proxy handling.
(man ssh_config, look for ProxyCommand)

That way, you could use your favorite database for the job, as long as
simple commands can be created for reading and writing.

I'm not sure how this latter addition would be received by the group, but I
am sure that it's better than creating an OpenSSH database system.
Although I personally wouldn't have anything against the feature, except of
course that it is yet another feature, the implementation could turn out to
be messy.

Please investigate, though.


//Peter
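The external-command approach suggested above, as an added example that is not part of this thread or of OpenSSH itself: a Python helper that indexes authorized_keys entries by key fingerprint (options and comments preserved) and returns only the lines matching one key, which is what such a command would print back to sshd instead of sshd scanning all 15000 lines. It assumes sshd hands the helper the fingerprint of the key the client offered; the sample file and key blobs are constructed placeholders, not real keys.

```python
import base64, hashlib
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")

def split_options(line):
    # Options end at the first space outside double quotes (command="..." may contain spaces).
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def parse_line(line):
    # Returns (options, keytype, blob, comment); None for blank, comment or broken lines.
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, line = ("", line) if line.split(None, 1)[0] in KEY_TYPES else split_options(line)
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return options, fields[0], fields[1], fields[2] if len(fields) == 3 else ""

def fingerprint(blob):
    # SHA256 fingerprint of the decoded key blob, in the format ssh-keygen -l prints.
    digest = hashlib.sha256(base64.b64decode(blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def build_index(text):
    # fingerprint -> full authorized_keys lines, with options and comment preserved.
    index = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            try:
                index.setdefault(fingerprint(entry[2]), []).append(line.strip())
            except ValueError:  # malformed base64: skip this line, not the whole file
                pass
    return index

def lookup(index, fp):
    return index.get(fp, [])  # what the external command would print back to sshd

# Constructed sample: the blobs are base64 of placeholder bytes, not real keys.
BLOB1, BLOB2 = (base64.b64encode(b"constructed key blob %d" % n).decode() for n in (1, 2))
SAMPLE = f"""ssh-ed25519 {BLOB1} alice@example
command="/usr/bin/backup --quiet",no-pty ssh-rsa {BLOB2} backup host
ssh-rsa not-base64!! broken line"""
```

OpenSSH later added exactly this hook as the AuthorizedKeysCommand option in sshd_config, which can pass the offered key's fingerprint to the command via its %f token.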