by fvt 4219 days ago
Very interesting read.

GitHub explained in "How We Made GitHub Fast"(2009) [1] they patched their ssh daemon, so that it would do some lookups in a MySQL DB.

I wonder if daemons like OpenSSH now have some kind of plugin mechanism that lets one use their own lookup strategy.

[1]: https://github.com/blog/530-how-we-made-github-fast


Not yet. I've set up a GitHub clone and had to patch OpenSSH: the authorisation process can execute an external command (the AuthorizedKeysCommand option, IIRC), but it doesn't provide enough information to do a DB lookup à la GitHub.
Is there a reason AuthorizedKeysCommand can't suffice in this case?
AuthorizedKeysCommand doesn't scale, particularly for GitHub and Bitbucket, because they would need to return a few million lines.

From the man page:

Specifies a program to be used for lookup of the user's public keys. The program will be invoked with its first argument the name of the user being authorized, and should produce on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS in sshd(8)). By default (or when set to the empty string) there is no AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully authorize the user, authorization falls through to the AuthorizedKeysFile. Note that this option has an effect only with PubkeyAuthentication turned on.

The AuthorizedKeysCommand script is invoked with the user name of the connecting user, which isn't enough to do a database lookup, as, for example, on GitHub all incoming connections are from user git.

The patch basically makes OpenSSH send the incoming user key to the script's stdin, and from the key it's trivial to match it against a user.

Here's a similar patch with the same purpose: https://github.com/norbauer/openssh-for-git
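To make the lookup the comment above describes concrete, here is an added example of what the script on the receiving end of such a patch could look like. It is not GitHub's code and not the linked patch; it assumes, as the comment says, that the patched sshd writes the offered public key (in `ssh-ed25519 AAAA...` form) to the command's stdin, that all users connect as the shared account `git`, and that a hypothetical forced command `git-shell-wrapper` dispatches on the account name. The user table is a constructed in-memory dict standing in for the MySQL lookup, keyed by the key's SHA256 fingerprint the way a database would index it.

```python
#!/usr/bin/env python3
"""Key-on-stdin AuthorizedKeysCommand lookup (added example, hypothetical).

Reads ONE offered public key from stdin, resolves it to an account, and emits a
single authorized_keys line for exactly that key, instead of dumping every key
in the system. Empty output means "not found": sshd then falls through to
AuthorizedKeysFile, which on a git host should simply be empty.
"""
import base64
import hashlib
import re
import struct
import sys

SHARED_ACCOUNT = "git"                 # every clone/push connects as this OS user
FORCED_COMMAND = "git-shell-wrapper"   # hypothetical; receives the account name
RESTRICTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
ACCOUNT_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,38}")  # keeps quotes out of command="..."


def ssh_string(b: bytes) -> bytes:
    """Encode one RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf: bytes, off: int = 0) -> bytes:
    """Decode the first RFC 4251 'string' at offset, refusing truncated input."""
    if len(buf) < off + 4:
        raise ValueError("short buffer")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if n > len(buf) - off - 4:
        raise ValueError("truncated ssh string")
    return buf[off + 4:off + 4 + n]


def ed25519_blob(raw32: bytes) -> str:
    """Base64 wire blob of an ssh-ed25519 key: string(type) || string(32-byte point)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64, as ssh-keygen -l prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample data standing in for the users/keys table. The 32-byte
# values are placeholders, not real key material.
SAMPLE_KEYS = {
    "alice": ed25519_blob(bytes(range(32))),
    "bob": ed25519_blob(bytes(range(32, 64))),
}
KEYS_BY_FINGERPRINT = {fingerprint(blob): user for user, blob in SAMPLE_KEYS.items()}


def parse_offered_key(line: str):
    """Return (keytype, blob) from 'keytype base64 [comment]', validating the blob.

    The declared type must match the type embedded in the blob; otherwise a
    client could get the DB lookup done under one type and sshd's verification
    under another. Raises ValueError on anything malformed.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'keytype base64 [comment]'")
    keytype, blob = fields[0], fields[1]
    raw = base64.b64decode(blob, validate=True)
    if read_ssh_string(raw) != keytype.encode():
        raise ValueError("declared key type does not match blob")
    return keytype, blob


def authorized_line(user: str, keytype: str, blob: str) -> str:
    """One restricted authorized_keys line binding this key to one account."""
    if not ACCOUNT_RE.fullmatch(user):
        raise ValueError("unsafe account name")
    return f'command="{FORCED_COMMAND} {user}",{RESTRICTIONS} {keytype} {blob} {user}'


def lookup_offered_key(line: str):
    """Map an offered key to its authorized_keys line, or None if unknown/malformed."""
    try:
        keytype, blob = parse_offered_key(line)
        user = KEYS_BY_FINGERPRINT.get(fingerprint(blob))
        return authorized_line(user, keytype, blob) if user else None
    except ValueError:
        return None  # malformed input is a failed lookup, not a crash


def main() -> int:
    # argv[1] is the OS user sshd is authorizing; only the shared account is served.
    if len(sys.argv) < 2 or sys.argv[1] != SHARED_ACCOUNT:
        return 0
    line = lookup_offered_key(sys.stdin.readline())
    if line:
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The script deliberately emits `command=` plus the `no-*` restrictions rather than a bare key, so a matched key can only ever reach the git dispatcher under its own account name; the fingerprint, not the full blob, is what you would index in the database. Later OpenSSH releases expose the offered key to AuthorizedKeysCommand through the `%k` and `%t` tokens, so the same lookup can be done without patching sshd by taking the key from an argument instead of stdin.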

Post author here. Unfortunately no: after some time, we realized it was quicker to develop a complete SSH server than to patch some legacy C code. It was really comfortable to work with Go to do that.