openssh unix dev - Aug 2003 - splitting big authorized_keys files

Hello everybody,

I have a problem. You may have the answer :-)


I'd like to use openssh for an authentication service.
But that gives me a user, whose ~/.ssh/authorized_keys file has about 15000 
entries.
With about 300 characters per line I'd get 4,5 MB of data.

I believe that this length of file could lead to performance issues; so I'm 
looking for solutions.

I already saw the possibility of using "%u" or "%h" in 
sshd_conf/AuthorizedKeysFile; but that's system-wide and not for this one 
user.
And %u wouldn't differentiate between my users, as the target-user is always
the same.

One solution would be to have a %2p, which would take 2 characters of the 
public-key (preferably the last two - the first two won't differ much :-)
and
use that in a AuthorizedKeysFile-statement, and leaving AuthorizedKeys2File 
as-is - so the normal login procedure would go and use 
~/.ssh/authorized_keys2 as usual, but it would try and use eg for 
"%h/.ssh/authorized_keys_%2p" a file ~/.ssh/authorized_keys_A2 or
whatever
and find there only the matching subset of keys.
So the authorized_keys-file could be split along multiples of 16 (ie., one 
hex-character); so /16, /256, /4096, ...
This way I could split my user-list in 256 files of about 60 entries each; 
that could be handled, I think.


Or, another, possibly better, solution: have sshd generate an index for 
authorized_keys automatically (based on file-date).
So sshd looks for the public key in the index, reads the index for the 
authorized_keys file, seeks there, and uses the key.
If sshd detects that the index is older than the file (or has another mtime 
stored), the index gets regenerated.


Can you please share your experiences regarding big authorized_keys-files with 
me? Any hints, tips or patches (:-) welcome.


Regards,

Phil

On Tue, Aug 19, 2003 at 10:14:35AM +0200, Ph. Marek
wrote:
> But that gives me a user, whose ~/.ssh/authorized_keys file has about 15000
> entries.
the current scheme was not intented for 15000 entries, you
should try to switch some database...

> > But that gives me a user, whose ~/.ssh/authorized_keys file has about
> > 15000 entries.
>
> the current scheme was not intented for 15000 entries, you
> should try to switch some database...
"man 5 nsswitch" shows that even /etc/passwd and shadow can be done
through a
db backend.

Is anyone opposed to having an index for ~/.ssh/authorized_keys?


Regards,

Phil

What about this:

1. Break up your current file into mutliple files containing only keys
   based on the first two letters of the user name, as you suggested
   earlier.

2. Put them into a directory

3. Create symbolic (or hard) links for each username to their
   respective authorized_keys file.

4. Specifying the path to your authorized_keys "forest" in the server
   configuration value AuthorizedKeysFile and use the %u token as a suffix.

The server uses the authorized_keys file selected by the user name.
This file is actually a link to the (smaller) chunk of the old
authorized_keys file.

This effectively uses the filesystem as your "database", and the
only "index" available is the username, unfortunately.

Whether the filesystem finding the username "entry" in a directory
of 1500 "files", and then performing the key lookup (albeit in a
smaller file), is faster than SSH looking up the key in the larger
authorized_keys file, only you can decide.

It's not a "great" way to do this, but it could work. The
authorized_keys
files get more manageable, but then the directory you put them in
gets more unmanagable with all of the user links in it.

HTH,
Mike/