AuthorizedKeysCommand idea

Michael W. Lucas mwlucas at
Thu Jun 20 00:10:28 EST 2013


I've been kicking this idea around, and the problem with it escapes
me. I'm looking for someone to tell me why this is a bad idea.

The new OpenSSH includes the AuthorizedKeysCommand, which was mostly
added to let people use a command to look up user keys in LDAP.

LDAP key lookups have some limitations -- specifically, the common
openssh-lpk_openldap schema won't let you add restrictions at the
front of the key. This didn't matter so much when the LPK patch was
such a pain, but now that OpenSSH can actually do this out of the box
I'd like to use it.


What about using a SQLite database, copied to all machines, and a
simple sqlite lookup for AuthorizedKeysCommand?

If a user can't log into the local machine, because PAM or no local
account or whatever, the presence of the key shouldn't matter.

For key adds/changes/deletions, I just push the new sqlite DB to all
my machines.

This seems easy. Too easy. What am I missing?


Michael W. Lucas  -  mwlucas at, Twitter @mwlauthor,
Absolute OpenBSD 2/e -
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
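One way to build the lookup the post proposes, as an added example (not the poster's code): an AuthorizedKeysCommand script that queries a per-host SQLite copy and emits authorized_keys lines with the restrictions in front of the key, which is exactly what the LPK schema cannot hold. The table schema, the path /etc/ssh/keys.sqlite and the sshd_config lines are assumptions, and the sample rows are constructed.

```python
# AuthorizedKeysCommand helper: print a user's authorized_keys lines from a
# SQLite file pushed to every host.  Assumed sshd_config (sshd passes the
# username as the single argument):
#   AuthorizedKeysCommand /usr/local/sbin/sqlite-keys
#   AuthorizedKeysCommandUser nobody
import re
import sqlite3
import sys

# Assumed schema (this example's own, not an existing standard); "options"
# holds the restrictions that are written in front of the key.
SCHEMA = ("CREATE TABLE ssh_keys (username TEXT NOT NULL, options TEXT, "
          "keytype TEXT NOT NULL, keydata TEXT NOT NULL, comment TEXT)")

# Only plain local-style usernames reach the query; tighten to local policy.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def authorized_keys_lines(conn, username):
    """Return the user's authorized_keys lines, restrictions first."""
    if not USERNAME_RE.match(username):
        return []
    rows = conn.execute(  # parameterised: the username never touches SQL text
        "SELECT options, keytype, keydata, comment FROM ssh_keys "
        "WHERE username = ? ORDER BY keytype, keydata", (username,))
    lines = []
    for options, keytype, keydata, comment in rows:
        parts = ([options] if options else []) + [keytype, keydata]
        lines.append(" ".join(parts + ([comment] if comment else [])))
    return lines

def constructed_db():
    """In-memory database with constructed sample rows (not real keys)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ssh_keys VALUES (?, ?, ?, ?, ?)", [
        ("alice", 'from="10.0.0.0/8",no-port-forwarding', "ssh-ed25519",
         "AAAAC3Example1", "alice@laptop"),
        ("alice", None, "ssh-ed25519", "AAAAC3Example2", None),
        ("bob", 'command="/usr/local/bin/backup"', "ssh-rsa",
         "AAAAB3Example3", "backup key"),
    ])
    return conn

if __name__ == "__main__":
    # Read-only open: the AuthorizedKeysCommandUser must not be able to
    # change the database it is trusted to read.
    conn = sqlite3.connect("file:/etc/ssh/keys.sqlite?mode=ro", uri=True)
    print("\n".join(authorized_keys_lines(conn, sys.argv[1])))
```

Because sshd still checks that the account exists and passes PAM before the returned keys matter, a stale row for a removed user is harmless on a host where the account is gone, but the pushed database is now an authentication artifact and should be shipped over an authenticated channel and kept root-owned.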
