10

I'm developing a solution which inserts a big number of SSH keys into the authorized keys file of my SSH server. Does anyone know the limit of keys that you can insert into that file? Are we talking about a hundred, a thousand or tens of thousands? Any idea? And how is the performance affected when you have a large number of keys?

I suppose it is preferable to divide keys between various users, but I would like to know the limits of one user.

Teun Zengerink
  • 199
  • 5
  • 13
enedebe
  • 1,066
  • 3
  • 11
  • 18
  • This is a good question for testing. From the fact that the file is plain text we can assume that there is no indexing, and the complexity to find a certain key should be at least linear - O(n). – Deer Hunter Mar 11 '13 at 10:45
  • It's what I thought, but I'm asking because if someone has experience in that case it will be useful. I will update this post with my testing. Thanks! – enedebe Mar 11 '13 at 10:56
  • If you are really looking at thousands you might want to look at the newish CA support. You might be able to just add the CA key. – Zoredache Mar 11 '13 at 13:07
  • In OpenSSH 6.2 there is a feature that may be of help to you: http://article.gmane.org/gmane.os.openbsd.announce/171 - "sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run under an account specified by an AuthorizedKeysCommandUser sshd_config(5) option." – Deer Hunter Mar 23 '13 at 17:13

2 Answers

12

There is no limit to the number of entries in the file. From the source code

auth2-pubkey.c

    /* return 1 if user allows given key */
    static int
    user_key_allowed2(struct passwd *pw, Key *key, char *file)
    {
        ...
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
            char *cp, *key_options = NULL;

As you can see, this simply loops over the file until read_keyfile_line returns -1.

user9517
  • 115,471
  • 20
  • 215
  • 297
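The linear scan described in this answer, modelled in Python as an added example (this is not OpenSSH code): each authorized_keys line is parsed the way the loop above does, options field first, and the lookup reports how many lines it had to read before the key matched, over a constructed file of 10,000 keys. The key types list, the file contents and the make_key blobs are constructed stand-ins, not real keys.

```python
"""Model of the linear scan in OpenSSH's user_key_allowed2() (added example, not
OpenSSH code). A line is: [options] keytype blob [comment]; inputs are constructed."""
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")

def split_options(line):
    """Options end at the first space outside double quotes (e.g. command="ls -l")."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""

def parse_line(raw):
    """Return (options, keytype, blob), or None for blank/comment/garbage lines."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = split_options(line)
    options = ""
    if first not in KEY_TYPES:  # first field is options; retry from the next field
        options, line = first, rest
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return options, parts[0], parts[1]

def user_key_allowed(lines, keytype, blob):
    """Linear scan like the while loop over read_keyfile_line(); returns
    (allowed, options, lines_read) so the O(n) cost is visible."""
    for lines_read, raw in enumerate(lines, 1):
        parsed = parse_line(raw)
        if parsed and parsed[1:] == (keytype, blob):
            return True, parsed[0], lines_read
    return False, None, len(lines)

def make_key(i):
    """Constructed stand-in for a key blob (hex digest, not a real key)."""
    return hashlib.sha256(b"key-%d" % i).hexdigest()

def build_file(n):
    """Constructed file: a comment line, then n keys; odd-numbered ones carry options."""
    lines = ["# constructed authorized_keys with %d keys" % n]
    for i in range(n):
        opts = 'from="192.0.2.0/24",command="/bin/true" ' if i % 2 else ""
        lines.append("%sssh-ed25519 %s user%d@example" % (opts, make_key(i), i))
    return lines
```

With the matching key last in the file, every one of the 10,001 lines is read before it is found, and a key that is not in the file costs the same full pass.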
2

There is no limit, but finding the correct key will be slow, like grepping a large text file.

Andrei Mikhaltsov
  • 3,027
  • 1
  • 23
  • 31