[Python-Dev] Collecting SSH keys

Stephen J. Turnbull stephen at xemacs.org
Mon Aug 22 09:39:03 CEST 2005

>>>>> "Martin" == Martin v Löwis <martin at v.loewis.de> writes:

    Martin> I don't know how this scales in OpenSSH having an
    Martin> authorized_keys file with hundred or more keys.

On cvs.xemacs.org (aka SunSITE.dk) ssh+cvs access with cvs access
control being handled by a Perl script scales to approximately 85
users.  I don't handle key management directly, but I believe several
users use multiple keys (I don't personally).  I've never heard any
complaints from the guys who actually do key management; they just
keep authorized_keys in alphabetical order by comment (= user's real
name).  Nor do I notice any authorization overhead vs. a simple ssh
login when accessing the cvs server.[1]  Evidently the "what keys do
you have?" negotiation with the agent takes very little time (in
terms of what a human can notice).

If you want time(1) timings or something like that, I'd be happy to
get an exact count of the number of keys and do them (but it will have
to wait until I get back from travel August 28).

[1]  For testing whether keys are properly installed, the sequence
"ssh xemacs@cvs.xemacs.org", then asking the server for "version" and
sending EOF (^D), is what we use.  So there is no overhead from a
local CVS or anything like that, although of course you do have to
start the remote cvs server process (via the COMMAND= in the
.ssh/config file).  How that compares to starting a shell I'm not sure.

School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.
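
An added example, not part of the original message: a small audit of a shared-account authorized_keys file like the one described above, reporting keys per comment, entries that break alphabetical order by comment, and entries with no forced command. It assumes the forced command is set with the command="..." option on each authorized_keys line; the function names and the sample entries are constructed for illustration.

```python
import re
from collections import Counter

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")  # public key algorithm name prefixes

def split_unquoted(text, sep):
    """Split text at sep characters that fall outside double-quoted strings."""
    # A token is a run of quoted strings, non-separator characters, or stray quotes.
    token = r'(?:"(?:\\.|[^"\\])*"|[^%s"]|")+' % sep
    return re.findall(token, text)

def audit(text):
    """Report keys per comment, ordering breaks, and entries with no command= option."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_unquoted(line, r"\s")
        # The options field is optional; without it the line starts with the key type.
        options = "" if KEY_TYPE.match(fields[0]) else fields.pop(0)
        if len(fields) < 2:
            raise ValueError("malformed entry: " + line)
        # Option keywords are case-insensitive, so compare them in lower case.
        names = [o.split("=", 1)[0].lower() for o in split_unquoted(options, ",")]
        entries.append((" ".join(fields[2:]), "command" in names))
    comments = [c for c, _ in entries]
    return {
        "keys_per_user": Counter(comments),
        "out_of_order": [b for a, b in zip(comments, comments[1:])
                         if b.lower() < a.lower()],
        "no_forced_command": [c for c, forced in entries if not forced],
    }

# Constructed sample: names and key blobs are placeholders, not real keys.
SAMPLE = '''\
command="cvs server",no-pty,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER1 Alice Example
command="cvs server",no-pty ssh-rsa AAAAB3PLACEHOLDER2 Alice Example
command="sh -c \\"cvs server\\"",no-pty ssh-dss AAAAB3PLACEHOLDER3 Carol Example
ssh-rsa AAAAB3PLACEHOLDER4 Bob Example
'''

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(name, value)
```

On a shared account, an entry listed under no_forced_command is the one to look at first, since that key is not restricted to the cvs server process.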
