problem with AuthorizedKeysCommand on OpenBSD

Michael W. Lucas mwlucas at
Wed Nov 14 07:34:28 EST 2012


I'm attempting to test the AuthorizedKeysCommand feature with the new
port of ssh-ldap-wrapper to OpenBSD.  I'm running yesterday's
OpenBSD-current i386 snapshot, which includes AuthorizedKeysCommand.

The port of ssh-ldap-helper (at contains
all the bits I need, and the individual pieces appear to work once

# sudo -u nobody /usr/local/libexec/ssh-ldap-wrapper mwlucas
ssh-rsa AAAAB3NzaC1yc...

ssh-rsa AAAAB3NzaC1yc2EA...

(Two keys come out, with a blank line between them)

My sshd_config has:

AuthorizedKeysCommand /usr/local/libexec/ssh-ldap-wrapper
AuthorizedKeysCommandUser nobody

(Yes, a user other than nobody will go into production, but I'm just
trying to make the blasted thing work right now.)

The keys don't seem to be making it to the SSH server, however. Run
with debugging, I get:

debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x81973440
debug1: temporarily_use_uid: 32767/32767 (e=0/0)
debug3: Running AuthorizedKeysCommand: "/usr/local/libexec/ssh-ldap-wrapper" as "nobody"
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 32767/32767 (e=0/0)
debug2: key not found
user_key_command_allowed2: dup2: Bad file descriptor
AuthorizedKeysCommand /usr/local/libexec/ssh-ldap-wrapper returned status 1
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)

Any suggestions, folks?


Michael W. Lucas,
Latest book: SSH Mastery
mwlucas at, Twitter @mwlauthor

More information about the openssh-unix-dev mailing list