execute “ssh-keygen -t rsa -b 4096” make asyncssh connection slow #733

Open
xjie0626 opened this issue Jan 16, 2025 · 3 comments

@xjie0626

I tried to execute the command to generate a private key file on Linux, “ssh-keygen -t rsa -b 4096”, but after execution, the connection of asyncssh through user password will be slow, and the larger the -b parameter, the slower the execution. Why? Is there any version to solve this problem?

asyncssh 2.19.0

Multiple ssh versions are like this.
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
or
OpenSSH_9.2p1, OpenSSL 1.1.1f 31 Mar 2020

@ronf
Owner

ronf commented Jan 16, 2025

Using a larger RSA key size is definitely going to make things slower. The last time I measured this, signing with a 4096 bit RSA key is about 6-7 times slower than a 2048 bit key. This has nothing to do with SSH -- you can see this difference when using something like "openssl speed" and running the raw crypto operation without any other protocol overhead.

Also, note that the ssh-keygen command you're asking about is provided by OpenSSH, not AsyncSSH. The AsyncSSH equivalent to this would be:

    key = asyncssh.generate_private_key('ssh-rsa', key_size=4096)

If you needed to write the resulting key out to a file, you'd then do something like:

    key.write_private_key(filename)

Whether you use AsyncSSH or OpenSSH to generate the key won't really make any difference in speed when using that key, though. If you want the added security of a large key, you have to pay the cost.

That said, you might consider using ECDSA or EdDSA keys if this is an issue. They also get slower with larger key sizes, but you get MUCH better security at a much lower cost. Going with something like a 256 bit ECDSA key would be the equivalent of a 3072 bit RSA key but be significantly faster (about 100x faster on my machine here, though some of that might be due to hardware acceleration).
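
Added example (not part of the comment above and not AsyncSSH code): a benchmark of the raw signing operation for the key types discussed in this reply, with no SSH protocol involved. It assumes the Python `cryptography` package is installed; the message and round count are constructed, and absolute timings vary by machine.

```python
# Added example: times raw signature generation only, no SSH handshake.
import time

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, ed25519, padding, rsa

# Constructed sample input standing in for the data an SSH peer signs.
MESSAGE = b"constructed sample data standing in for an SSH session hash"


def make_signers():
    """Return {label: (sign, verify)} for each key type under comparison."""
    signers = {}
    for bits in (2048, 4096):
        key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
        pub = key.public_key()
        signers[f"rsa-{bits}"] = (
            lambda m, k=key: k.sign(m, padding.PKCS1v15(), hashes.SHA256()),
            lambda s, m, p=pub: p.verify(s, m, padding.PKCS1v15(), hashes.SHA256()),
        )
    ec_key = ec.generate_private_key(ec.SECP256R1())
    ec_pub = ec_key.public_key()
    signers["ecdsa-p256"] = (
        lambda m: ec_key.sign(m, ec.ECDSA(hashes.SHA256())),
        lambda s, m: ec_pub.verify(s, m, ec.ECDSA(hashes.SHA256())),
    )
    ed_key = ed25519.Ed25519PrivateKey.generate()
    signers["ed25519"] = (ed_key.sign, ed_key.public_key().verify)
    return signers


def benchmark(rounds=30):
    """Return {label: mean seconds per signature}; one signature is verified first."""
    results = {}
    for label, (sign, verify) in make_signers().items():
        verify(sign(MESSAGE), MESSAGE)  # raises InvalidSignature on a bad signature
        start = time.perf_counter()
        for _ in range(rounds):
            sign(MESSAGE)
        results[label] = (time.perf_counter() - start) / rounds
    return results


if __name__ == "__main__":
    timings = benchmark()
    base = timings["rsa-2048"]
    for label, secs in timings.items():
        print(f"{label:11s} {secs * 1e3:8.3f} ms/sign  ({secs / base:6.2f}x rsa-2048)")
```

The per-signature figures cover only the private-key operation, so they show how much of any observed delay key size alone can account for.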

@xjie0626
Author

@ronf thanks
But I directly execute SSH [email protected]. After entering the username and password, the hostname quickly obtained the return value. Isn't asyncssh a similar process?

@ronf
Owner

ronf commented Jan 22, 2025

Can you provide some sample code for the asyncssh case where you are seeing the slowness? Also, when you compare it to 'ssh user@host', are you actually providing the 'ssh-keygen' command as part of the SSH command, or are you logging into a shell on the remote system and then entering the 'ssh-keygen' command into that shell? What is the exact command there?


2 participants