gpg-agent and performance

· by Gürkan · Read in about 2 min · (338 Words)

I recently bought a Yubikey, mainly to force myself to lean on the security/crypo topics a bit more. So far it seems working, since I now have a shiny gpg key, which has subkeys for signing/authentication under it. Also programmed one of its slots to use HOTP etc.

While examining to see what can I do more, I realize gpg-agent has "ssh-agent emulation" feature. So I can export ssh public key from my gpg/auth key and use it to authenticate while logging in to servers. Neat, right?

Not so fast.

As a sysadmin, I use ssh a lot, sometimes even massively parallel. So after setting this feature up and logging in once or twice, I felt like "oh this feels slow". And fired up polysh, a parallel ssh tool, to compare gpg-agent's performance.

Polysh is not a magical tool, it acts like you open n number of tabs, entered the ssh command for each server and pressed enter at (almost) same time. So I started an ssh-server on my local and ran:

time polysh $(for i in `seq 1 100`; do echo -n "localhost "; done) --command "echo ok"

So basically my client will connect to ssh server on localhost, and run the command echo ok 100 times. I added same private key and authenticated through it on both agents. Here is the result:

15 connections = ~0.6 seconds
100 connections = ~3 seconds
200 connections = ~5 seconds

15 connections = ~2.5 seconds
100 connections = N/A

Yes, I started to hear my laptop's fan, and gpg-agent couldn't cope with parallelism, even failed and asked me the passphrase I supplied before the test sometimes, but I couldn't manage to run it.

For now, I reverted back to the ssh-agent, and searched on internet like "how the hell this wasn't noticed before, or am I doing something terribly wrong?". I realized openpgp developers are aware of this and seems like new version will help. I'll upgrade as soon as I find a suitable Debian package :)