I have an application idea that would require calling ssh-agent rather frequently - but how many requests per second can it handle?
To answer this question I wrote a small benchmark in Go. It runs a tight loop sending messages for ssh-agent to sign. Turns out the agent is pretty fast!
On a cheap cloud machine it was able to reliably sign more than 500 messages per second with an ED25519 key. RSA signing was about 4-5 times slower, as expected. For a personal heuristic I've decided to memorize that ED25519 signatures cost 2ms and RSA ones 8ms.
Message size had little effect on throughput because both in ED25519 and in RSA signatures inputs are hashed with a fast SHA algorithm prior to any other processing.
Just in case my random number generator was too slow I checked if it affects the benchmark results. Tests confirmed that it doesn't.
Of course, 500 rps does not sound web scale but for me it's more than enough. OpenSSH ssh-agent utilizes only a single CPU core, so there is some potential for performance improvement if you need - but that would mean doing the signatures in your software. I would rather trust OpenSSH team (who are known to be just the right amount of paranoid) than touch private key material with my clumsy hands.
You can run the same tests yourself: clone the repo and execute
Benchmark names describe the key being used, message size and whether the
message is unique or the same for each iteration. Here is a sample output:
BenchmarkSshAgent/key_ed25519/32B/unique-4 3553 1763363 ns/op
BenchmarkSshAgent/key_ed25519/32B/same-4 3568 1708270 ns/op
BenchmarkSshAgent/key_rsa4096/32B/unique-4 778 7824780 ns/op
BenchmarkSshAgent/key_rsa4096/32B/same-4 763 7657785 ns/op
BenchmarkSshAgent/key_ed25519/64B/unique-4 3456 1752457 ns/op
BenchmarkSshAgent/key_ed25519/64B/same-4 3598 1733750 ns/op
BenchmarkSshAgent/key_rsa4096/64B/unique-4 781 7639828 ns/op
BenchmarkSshAgent/key_rsa4096/64B/same-4 798 7720210 ns/op
BenchmarkSshAgent/key_ed25519/256B/unique-4 3549 1735906 ns/op
BenchmarkSshAgent/key_ed25519/256B/same-4 3417 1722301 ns/op
BenchmarkSshAgent/key_rsa4096/256B/unique-4 698 7738767 ns/op
BenchmarkSshAgent/key_rsa4096/256B/same-4 787 7625366 ns/op
BenchmarkSshAgent/key_ed25519/1024B/unique-4 3555 1703601 ns/op
BenchmarkSshAgent/key_ed25519/1024B/same-4 3651 1633226 ns/op
BenchmarkSshAgent/key_rsa4096/1024B/unique-4 805 7542115 ns/op
BenchmarkSshAgent/key_rsa4096/1024B/same-4 810 7437307 ns/op
BenchmarkSshAgent/key_ed25519/16384B/unique-4 3205 1935190 ns/op
BenchmarkSshAgent/key_ed25519/16384B/same-4 3296 1907921 ns/op
BenchmarkSshAgent/key_rsa4096/16384B/unique-4 783 7624776 ns/op
BenchmarkSshAgent/key_rsa4096/16384B/same-4 759 7620548 ns/op