2014-09-05 14:26:11

How the size of authorized_keys affects speed of ssh authorization

Yesterday during Fedora infrastructure meeting we discussed how size of authorized_keys file affects speed of ssh. Long story short: per each 1500 records, the performance drops by 17 %. More details follows.

During the discussion, we found that sshd reads keys sequential so the size of authorized_keys matters. And the position of your key in that file matters even more. But we did not know how much it matters. I volunteered to do that benchmark.

First, I created script to generate lots of ssh keys. I created authorized_keys file with one, 1501 (Fedora have 1500 packagers, therefore this number interested us) and 15001 keys. My own key is always at the end of the file, therefore sshd have to go through whole file and we get worst case measured.

Then I prepared script, which try to ssh to localhost and execute only /usr/bin/true (no shell is executed). That means most of the time is spent on authorizing, which interest us. The connection is done in loop and repeated one hundred times.

Then I put correct authorized_keys into ~/.ssh/. I done that for 1, 1501 and 15001. And repeated that three times in row and then make averege of those measurement. This is the test suite.

  • 1 key: 24.09 sec
  • 1500 keys: 28.12 sec
  • 15000 keys: 61.40 sec

This time means 100 logins in row. Therefore if you want to get time for one login (on my machine) divide it by 100. I.e. if your authorized_keys have 1.5k of keys. One login may take up up to quarter of second to proceed. If I take time with one record as 100 %, then time of case with 1500 keys is 117% (with 15k keys it is 255 %). Increase of time, means decrease of perfomance. Therefore I can say that if you add 1.5k records to your authorized_keys file, the performance of sshd login will decrease by 17 percent. And the performance decrease is nearly linear.

Here are the raw data:

1 key

1st round

real    0m25.620s
user    0m1.614s
sys     0m0.418s

2nd round

real    0m23.455s
user    0m1.548s
sys     0m0.394s

3rd round

real    0m23.218s
user    0m1.529s
sys     0m0.401s

1500 keys

1st round

real    0m28.212s
user    0m1.567s
sys     0m0.425s

2nd round

real    0m28.137s
user    0m1.528s
sys     0m0.424s

3rd round

real    0m28.020s
user    0m1.577s
sys     0m0.399s

15000 keys

1st round

real    1m1.518s
user    0m1.559s
sys     0m0.429s

2nd round

real    1m1.469s
user    0m1.628s
sys     0m0.373s

3rd round

real    1m1.238s
user    0m1.581s
sys     0m0.394s

Posted by Miroslav Suchý | Permanent link
comments powered by Disqus