
Instead of a traditional authorized_keys file on my server, I'm using a custom key verifier which sshd calls via the AuthorizedKeysCommand option. In the sshd_config, I can specify that this command should be fed the user's public key as an argument, like so:

AuthorizedKeysCommand /path/to/verifier %k

The problem is that the key encodes a lot of additional data and so can be quite large. If it's bigger than around 4135 bytes, sshd logs a fatal error while expanding the %k token:

sshd[5914]: fatal: percent_expand: string too long

I've been combing through the source code of percent_expand and I don't see anywhere where this "string too long" error might be encountered. It appears that there is some kind of limit on the token size, but what is it? Where is it defined?


1 Answer


You are using an older OpenSSH version that happens to limit the entire expansion buffer to 4096 octets. Update beyond 8.1, which you should anyway.

The message you did not find in the source code was removed in the commit "switch percent_expand() to use sshbuf instead of a limited fixed buffer" (see OpenSSH-portable and OpenBSD upstream).

  • I think the limit after that is close to the 256kiB maximum packet size (printed as "upload size" when calling sftp -v), well beyond the expected cert size with allowed key sizes, which on OpenSSH-portable on Linux would stay below the (base64-encoded) 2MiB ARG_MAX for command invocation.
    – anx, Nov 29 at 15:22
  • Upgrading solved my issue! As for the absolute upper bound on later versions of OpenSSH, I've yet to hit it :)
    – Nov 29 at 15:40
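The thread never shows what a verifier of this kind looks like, so here is an added example (not the asker's script and not OpenSSH code) of a minimal AuthorizedKeysCommand verifier in Python. It takes the expanded %u, %t and %k tokens as its three arguments, decodes the key blob, checks that the type name embedded in the blob agrees with %t, computes the SHA256 fingerprint the same way ssh-keygen -l does (unpadded base64 of SHA-256 over the raw blob), and prints a restricted authorized_keys line only when the user/fingerprint pair is on an allowlist. The sshd_config lines in the docstring, the path /usr/local/bin/verifier, the command in the restrict option, the allowlist and the demo ed25519 key are all constructed for the example; nothing here depends on a real key. Note that the script only ever sees %k after sshd has expanded it, so on a version with the 4096-byte buffer it is never invoked for an oversized certificate at all; the failure is sshd's, not the verifier's.

```python
"""Minimal AuthorizedKeysCommand verifier (added example, not the poster's script).

Assumed sshd_config (constructed for this example):
    AuthorizedKeysCommand /usr/local/bin/verifier %u %t %k
    AuthorizedKeysCommandUser nobody
sshd refuses to start with AuthorizedKeysCommand unless AuthorizedKeysCommandUser is set.
"""
import base64
import hashlib
import struct
import sys


def ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes) at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def key_type_from_blob(blob: bytes) -> str:
    """The first wire-format string in every OpenSSH public key blob is its type name."""
    name, _ = ssh_string(blob, 0)
    return name.decode("ascii")


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def b64text(blob: bytes) -> str:
    """Encode a blob the way it appears in %k and in an authorized_keys line."""
    return base64.b64encode(blob).decode("ascii")


def authorized_keys_line(user: str, key_type: str, key_b64: str, allowlist: dict):
    """Return the authorized_keys line sshd should use for this key, or None to reject."""
    try:
        blob = base64.b64decode(key_b64, validate=True)  # binascii.Error is a ValueError
        blob_type = key_type_from_blob(blob)
    except ValueError:
        return None
    if blob_type != key_type:  # %t and the type inside the blob must agree
        return None
    entry = allowlist.get(fingerprint(blob))
    if entry is None or entry["user"] != user:  # key unknown, or known but for someone else
        return None
    # Emit the key with options so the allowlist, not the client, decides what it may do.
    return f'{entry["options"]} {key_type} {key_b64}'


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob from 32 raw bytes (only for constructed test data)."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key


# Constructed demo key and allowlist; a real deployment would load these from a
# file or directory owned by root and readable by AuthorizedKeysCommandUser.
DEMO_BLOB = ed25519_blob(bytes(range(32)))
DEMO_KEY_B64 = b64text(DEMO_BLOB)
ALLOWLIST = {
    fingerprint(DEMO_BLOB): {
        "user": "alice",
        "options": 'restrict,command="/usr/local/bin/deploy"',
    },
}


def main(argv) -> int:
    if len(argv) != 4:
        return 2  # non-zero exit: sshd logs the status and discards any output
    line = authorized_keys_line(argv[1], argv[2], argv[3], ALLOWLIST)
    if line is None:
        return 0  # exit 0 with no output: no key offered for this login
    print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If you are stuck on a pre-8.2 sshd and cannot upgrade immediately, the sshd_config(5) token %f (the fingerprint of the key or certificate) is a few dozen bytes regardless of certificate size, so a verifier keyed by fingerprint, as this one is, can be fed %u %f instead of %u %t %k and skip the decode step; the trade-off is that it then cannot check the key type or inspect the certificate contents itself.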
