I recently bought a Yubikey, mainly to force myself to lean on the security/crypto topics a bit more. So far it seems to be working, since I now have a shiny GPG key with subkeys for signing and authentication under it. I also programmed one of its slots to use HOTP, etc.
While looking into what else I could do with it, I realized gpg-agent has an "ssh-agent emulation" feature. So I can export an SSH public key from my GPG authentication subkey and use it to authenticate when logging in to servers. Neat, right?
Not so fast.
As a sysadmin, I use ssh a lot, sometimes even massively in parallel. So after setting this feature up and logging in once or twice, I felt like "oh, this feels slow", and fired up polysh, a parallel ssh tool, to compare gpg-agent's performance.
Polysh is not a magical tool; it acts as if you opened n tabs, entered the ssh command for each server, and pressed enter in all of them at (almost) the same time. So I started an ssh server on my local machine and ran:
time polysh $(for i in `seq 1 100`; do echo -n "localhost "; done) --command "echo ok"
So basically my client connects to the ssh server on localhost and runs the command "echo ok" 100 times. I added the same private key to both agents and authenticated through each of them in turn. Here is the result:
ssh-agent:
    15 connections  = ~0.6 seconds
    100 connections = ~3 seconds
    200 connections = ~5 seconds

gpg-agent:
    15 connections  = ~2.5 seconds
    100 connections = N/A
Yes, I started to hear my laptop's fan, and gpg-agent couldn't cope with the parallelism. It even failed sometimes and asked me again for the passphrase I had supplied before the test, so I couldn't get the 100-connection run to complete.
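If you want to repeat this comparison without installing polysh, the following script is an added example (it is not from the original post and not part of polysh or GnuPG). It starts N background ssh logins to localhost with plain POSIX sh, waits for all of them, and reports elapsed seconds and how many logins failed. It assumes that key-based ssh to localhost already works and that the agent under test is selected by pointing SSH_AUTH_SOCK at its socket; for gpg-agent that socket path comes from "gpgconf --list-dirs agent-ssh-socket". The function names bench_agent and run_parallel are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a polysh-free way to repeat the
# benchmark with plain POSIX sh. run_parallel starts N copies of a command in
# the background, waits for all of them and prints "<elapsed seconds> <failures>".
#
# Assumptions (not stated on the page): key-based ssh to localhost already works,
# and the agent under test is selected by pointing SSH_AUTH_SOCK at its socket
# (for gpg-agent: gpgconf --list-dirs agent-ssh-socket).

# run_parallel N CMD [ARGS...]
# Runs CMD N times concurrently; prints "elapsed_seconds failures" on stdout.
run_parallel() {
    n=$1
    shift
    tmp=$(mktemp -d) || return 1
    start=$(date +%s)
    i=0
    while [ "$i" -lt "$n" ]; do
        # Each job records its own failure as a marker file instead of a
        # shared counter, so no locking is needed between the background jobs.
        ( "$@" >/dev/null 2>&1 || : >"$tmp/fail.$i" ) &
        i=$((i + 1))
    done
    wait
    end=$(date +%s)
    failures=0
    for f in "$tmp"/fail.*; do
        [ -e "$f" ] && failures=$((failures + 1))
    done
    rm -rf "$tmp"
    echo "$((end - start)) $failures"
}

# bench_agent SOCKET N
# Times N parallel "ssh localhost echo ok" logins through the agent at SOCKET.
# BatchMode=yes makes ssh fail instead of prompting, so an agent that drops
# the key under load (the "asked me for the passphrase again" case) shows up
# as a failure count rather than as a benchmark hanging on a prompt.
bench_agent() {
    (
        export SSH_AUTH_SOCK="$1"
        run_parallel "$2" ssh -o BatchMode=yes localhost echo ok
    )
}

# Usage: sh bench.sh <agent socket> [connections]
#   sh bench.sh "$SSH_AUTH_SOCK" 100
#   sh bench.sh "$(gpgconf --list-dirs agent-ssh-socket)" 100
[ "$#" -eq 0 ] || bench_agent "$1" "${2:-15}"
```

Run it once per agent with the same connection count and compare the two lines; a non-zero failure count with gpg-agent is the symptom described above, and without BatchMode=yes those failures would instead sit waiting on a passphrase prompt and skew the timing. The elapsed time is whole seconds from date +%s, which is coarse but portable; use a finer clock if you need sub-second resolution.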
For now, I have reverted to ssh-agent and searched the internet for something like "how the hell wasn't this noticed before, or am I doing something terribly wrong?". I found that the OpenPGP developers are aware of this, and it seems the new version will help. I'll upgrade as soon as I find a suitable Debian package :)