splitting big authorized_keys files

mike808 mike808 at users.sourceforge.net
Thu Aug 28 08:46:22 EST 2003


> sorry, but the authorized_keys file handling won't be changed in
> the near future.

I'm confused. The proposal I suggested did not require any changes
in the authorized_keys file handling. It's actually just an unusual
configuration trick. Whether it is faster than the single-large-file
approach, I cannot say.

From the manpage:

 AuthorizedKeysFile
  Specifies the file that contains the public keys that can be used
  for user authentication. AuthorizedKeysFile may contain tokens of
  the form %T which are substituted during connection set-up. The
  following tokens are defined: %% is replaced by a literal '%', %h
  is replaced by the home directory of the user being authenticated
  and %u is replaced by the username of that user. After expansion,
  AuthorizedKeysFile is taken to be an absolute path or one relative
  to the user's home directory. The default is
  ``.ssh/authorized_keys''.

I take that to mean that something like the following is possible:

In the sshd_config, we have something like:

AuthorizedKeysFile /usr/local/etc/authorized_keys/%u

And in that /usr/local/etc/authorized_keys directory,
we have something like the following, where we've split up the
monolithic authorized_keys file, grouping the keys by username
into each file:

 -rw-r--r-- ... Authkeys_A_to_E
 -rw-r--r-- ... Authkeys_F_to_J
 -rw-r--r-- ... Authkeys_K_to_O
 -rw-r--r-- ... Authkeys_P_to_T
 -rw-r--r-- ... Authkeys_U_to_Z

Then, in the same directory, we create symbolic links for each user
to the respective authorized_keys file.

 lrwxrwxrwx ... adam -> Authkeys_A_to_E
 lrwxrwxrwx ... jane -> Authkeys_F_to_J
 lrwxrwxrwx ... mike -> Authkeys_K_to_O
 lrwxrwxrwx ... sarah -> Authkeys_P_to_T
 lrwxrwxrwx ... thomas -> Authkeys_P_to_T
 lrwxrwxrwx ... wendy -> Authkeys_U_to_Z

If the code doesn't follow symbolic links, then just use hard links.

Thus, when user 'mike' connects, the server applies the '%u' expansion to
the AuthorizedKeysFile value and will look in the file
'/usr/local/etc/authorized_keys/mike', and, following the symbolic link,
actually opens 'Authkeys_K_to_O', which would contain the key for the
user 'mike', and has fewer keys to search through than the monolithic
authorized_keys file. As I said, I don't know if directory searches
will be any faster than key searches. YMMV. That said, it does solve
the OP's problem of breaking up a monolithic authorized keys file.

Then again, you could just use separate authorized_keys files for
each user and the username is the index key and the filesystem is the
"database".

Either way, I don't see how that would require any changes to OpenSSH.
Or am I missing something here?

Mike/
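An added example, not part of the original message: the shell script below builds the layout Mike describes in a scratch directory (standing in for /usr/local/etc/authorized_keys, an assumption so that it runs anywhere without touching a real sshd), resolves a user's file the way the %u expansion would, and runs the two checks a practitioner would want before deploying the trick. The first counts key lines in the resolved file whose comment names someone else: sshd accepts every key in whatever file the %u path resolves to and never looks at the comment, so two users that share one grouped file (sarah and thomas both pointing at Authkeys_P_to_T in the listing above) can each log in with the other's key. The second is a simplified StrictModes check, since sshd rejects an authorized_keys file that is group- or world-writable or lives under such a directory. The key lines are constructed placeholders, not real keys, and sshd itself is never invoked.

```shell
#!/bin/sh
# Added example, not code from the original post. Recreates the layout the
# post describes in a scratch directory (standing in for
# /usr/local/etc/authorized_keys), mimics the "%u" expansion of
# AuthorizedKeysFile, and runs two defender-side checks. sshd itself is never
# invoked; the key lines are constructed placeholders, not real keys.

set -eu

KEYDIR="$(mktemp -d)"
trap 'rm -rf "$KEYDIR"' EXIT

# Grouped files, one per username range, as in the post's listing.
cat > "$KEYDIR/Authkeys_A_to_E" <<'EOF'
ssh-ed25519 AAAAC3Nz-constructed-key-adam adam@example
EOF
cat > "$KEYDIR/Authkeys_P_to_T" <<'EOF'
ssh-ed25519 AAAAC3Nz-constructed-key-sarah sarah@example
ssh-ed25519 AAAAC3Nz-constructed-key-thomas thomas@example
EOF

# Per-user symlinks: with "AuthorizedKeysFile /usr/local/etc/authorized_keys/%u"
# these are the names sshd opens.
ln -s Authkeys_A_to_E "$KEYDIR/adam"
ln -s Authkeys_P_to_T "$KEYDIR/sarah"
ln -s Authkeys_P_to_T "$KEYDIR/thomas"

chmod 755 "$KEYDIR"
chmod 644 "$KEYDIR"/Authkeys_*

# The path sshd would open for user $1 after "%u" expansion.
authorized_keys_path() {
    printf '%s/%s\n' "$KEYDIR" "$1"
}

# Follow the (relative, same-directory) symlink to the grouped file.
resolve_target() {
    path="$(authorized_keys_path "$1")"
    if [ -L "$path" ]; then
        printf '%s/%s\n' "$KEYDIR" "$(readlink "$path")"
    else
        printf '%s\n' "$path"
    fi
}

# Every key line in the resolved file is accepted for user $1: sshd matches
# the key material only and ignores the trailing comment.
count_accepted_keys() {
    path="$(authorized_keys_path "$1")"
    [ -e "$path" ] || { echo 0; return 0; }
    awk '/^ssh-/ { n++ } END { print n+0 }' "$path"
}

# Check 1: key lines in $1's file whose comment names a different user.
# Non-zero means that other user's key would log in as $1, which is what
# happens whenever two users share one grouped file.
count_foreign_keys() {
    path="$(authorized_keys_path "$1")"
    [ -e "$path" ] || { echo 0; return 0; }
    awk -v u="$1" '/^ssh-/ { split($3, c, "@"); if (c[1] != u) n++ }
                   END { print n+0 }' "$path"
}

# Check 2: simplified StrictModes test. sshd refuses the file if it or a
# directory on its path is group- or world-writable; ownership checks omitted.
strict_modes_ok() {
    target="$(resolve_target "$1")"
    for p in "$KEYDIR" "$target"; do
        case "$(ls -ld "$p" | cut -c6,9)" in
            *w*) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run: summarise what each user would get.
for u in adam sarah thomas; do
    printf '%-7s accepted=%s foreign=%s strict_modes=%s\n' "$u" \
        "$(count_accepted_keys "$u")" "$(count_foreign_keys "$u")" \
        "$(strict_modes_ok "$u" && echo ok || echo FAIL)"
done
```

Run it as-is; each summary line shows how many keys the user would be accepted with, how many of those belong to someone else, and whether the file would pass the permission check. A non-zero foreign count is the signal to fall back to the one-file-per-user layout mentioned at the end of the message, where the filename alone decides whose keys are read.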
