OpenSSH ignoring keys

Sun, 27 Sep 2009 11:18:18 -0700 

It seems that ssh-add, ssh-agent or sshd start letting any key in when
authorized_keys contains an overwhelming number of keys.

I made three sets of rsa keys, 768 bits, 1024 bits and 2048 bits, each
with over 90000 rsa keys a piece.  On the client, I start ssh-agent and
load a key using ssh-add.  This lets me log in using that specific key
as normal, and not with others with small numbers of keys.

I'm not sure what number of keys makes the overload.
On the set up I have with current, 90001 keys and fewer in
authorized_keys gives expected behavior.  However, when I put 90002
public keys in .ssh/authorized_keys, then *any* key is accepted
regardless of which was loaded using ssh-add and no pass phrase is
requested.  That behavior is exhibited using any ofthe three key lengths.

Here is an illustration.

        # two keys with different fingerprints and pass phrases
        $ ssh-keygen -l -f ./Keys768/key_rsa_90000;ssh-keygen -l \
          -f ./Keys768/key_rsa_00000;
        768 87:d2:95:1d:c6:ad:c1:af:c1:ac:94:84:1c:cf:9c:88 \
        ./Keys768/key_rsa_90000.pub (RSA)
        768 37:42:e3:de:40:64:ed:6f:a2:92:43:d4:05:52:fc:72 \
        ./Keys768/key_rsa_00000.pub (RSA)

        # clear ssh agent
        ssh-add -D;
        All identities removed.

        # load key 00000
        $ ssh-add ./Keys768/key_rsa_00000
        Enter passphrase for ./Keys768/key_rsa_00000:
        Identity added: ./Keys768/key_rsa_00000 \
         (./Keys768/key_rsa_00000)

        # show which key is loaded (00000)
                $ ssh-add -l
        768 37:42:e3:de:40:64:ed:6f:a2:92:43:d4:05:52:fc:72 \
        ./Keys768/key_rsa_00000 (RSA)
        $ ssh -i ./Keys768/key_rsa_90000 -l lizard 127.0.0.1 \
        whoami
        lizard

        # show that key 00000 is loaded in the agent
        $ time ssh -i ./Keys768/key_rsa_00000 -l lizard 127.0.0.1 whoami
        lizard
            0m3.80s real     0m0.00s user     0m0.01s system

        # now log in with two more keys we aren't using
        $ time ssh -i ./Keys768/key_rsa_10000 -l lizard 127.0.0.1 whoami
        lizard
            0m3.85s real     0m0.01s user     0m0.00s system
        $ time ssh -i ./Keys768/key_rsa_20000 -l lizard 127.0.0.1 whoami
        lizard
            0m3.84s real     0m0.00s user     0m0.01s system

        $ ssh-add -l
        768 37:42:e3:de:40:64:ed:6f:a2:92:43:d4:05:52:fc:72 \
        ./Keys768/key_rsa_00000 (RSA)


I have some more material also regarding how long it takes to tar or
move 90+K files in FFS.

I realize that there may not may be too many occasions that an account
is going to be shared with that many keys, but an error message or
failure to be able to log in (with the wrong key) is what I was expecting.

Regards,
/Lars

Reply via email to