AuthorizedKeysCommand support added

Damien Miller djm at mindrot.org
Wed Oct 31 11:16:00 EST 2012


Hi,

I just committed the patch on https://bugzilla.mindrot.org/b/1663. It adds
an AuthorizedKeysCommand option to sshd_config to use a helper program to
fetch a user's authorized keys. Quite a few people have asked for this
to allow storage of public keys in LDAP or other databases.

The program is executed (directly, not via the shell) with a single
argument of the user being logged in. It produces on stdout zero or more
lines in authorized_keys format. The program must terminate normally and
with a zero exit status or its output is disregarded.

The program is executed as the user being logged in, unless a different
user is specified using AuthorizedKeysCommandUser.

A facility like this grants a large opportunity to shoot oneself in
the foot. We try to prevent obvious mistakes (like having the command
writable by others), but the best approach is to use a well-audited
helper, owned and writable only by root, that runs under a dedicated
account that is not used by anything else.

Portable OpenSSH snapshots with this change will be available tomorrow
(dated 20121101 or later). If you have an interest in this feature then
please help review and test it before our next release. It would be
handy if there were a good selection of helper commands ready then for
common backends (LDAP at least).

The patch was mostly written by Jan Chadima from Redhat, and I apologise
for taking too long to polish and integrate it.

-d
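An added example of a helper that follows the contract described in the announcement (it is not code from the patch or from the OpenSSH project). The flat key file standing in for an LDAP backend, the helper path and the dedicated account name are assumptions.

```shell
#!/bin/sh
# Added example AuthorizedKeysCommand helper (not part of the OpenSSH patch).
# Contract from the announcement: sshd runs the helper directly (no shell)
# with the login name as its single argument; the helper prints zero or
# more authorized_keys lines on stdout and must exit 0, otherwise sshd
# disregards the output.
#
# Assumed sshd_config fragment (path and account name are hypothetical):
#   AuthorizedKeysCommand /usr/local/sbin/ssh-keys-lookup
#   AuthorizedKeysCommandUser sshkeylookup
# The helper file itself should be owned and writable only by root.
#
# Constructed sample backend standing in for LDAP: one "user:key-line"
# per line, readable by the dedicated lookup account.
KEYDB="${KEYDB:-/etc/ssh/keydb.txt}"

# Accept only plain portable usernames so a crafted login name cannot reach
# the backend query unchanged (sshd passes the name verbatim as argv[1]).
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
    esac
    return 0
}

# Print the key lines stored for user "$1". Returns 0 on success and 1 on
# bad input or an unreadable backend; the non-zero status makes sshd ignore
# any partial output rather than accept a half-written key list.
lookup_keys() {
    valid_user "$1" || return 1
    [ -r "$KEYDB" ] || return 1
    # Emit only the key-line part of matching records; an unknown user
    # simply yields no lines (which sshd treats as "no keys", still exit 0).
    awk -F: -v u="$1" '$1 == u { print substr($0, length(u) + 2) }' "$KEYDB"
}

main() {
    [ $# -eq 1 ] || exit 1
    lookup_keys "$1"
}

# Act as the helper only when invoked under its installed name, so the
# functions can also be sourced for testing.
case "$0" in
    */ssh-keys-lookup|ssh-keys-lookup) main "$@" ;;
esac
```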
