Openssh AuthorizedKeysCommand Inquiry

Lucas Halbert lhalbert at
Sat Jul 30 01:52:00 AEST 2016

Thank you for your quick response. Everything appears to be working as you described. Keep up the excellent work!


-----Original Message-----
From: Peter Moody [mailto:peter at] 
Sent: Friday, July 29, 2016 11:33 AM
To: Lucas Halbert <lhalbert at>
Cc: openssh-unix-dev at
Subject: Re: Openssh AuthorizedKeysCommand Inquiry

AuthorizedKeysCommand would point to a script/binary that you write that when run with the configured options, returns what you want the AuthorizedKeysFile to look like for that user. So if you have pubkeys and options stored with your users in ldap in two separate attributes, you should be able to have something like this:

# this is in your sshd_config
AuthorizedKeysCommand /my/authorized_keys_command %u

# and this is the authorized_keys_command script.


pubkey=$(ldapsearch uid=$uid sshPubkey| grep -v dn | cut -d ':' -f 2)

echo $pubkey

On Fri, Jul 29, 2016 at 7:18 AM, Lucas Halbert <lhalbert at> wrote:
> To whom it may concern,
> I have a question regarding the AuthorizedKeysCommand functionality. Currently I am working on building an openldap sshPublicKey infrastructure which contains sshPublicKey entries with the following format(options keytype base64-encoded-key comment) example: (from="" ssh-rsa AB3Nz...EN8w== user at<mailto:user at>). I am wondering if the AuthorizedKeysCommand directive, or some other openssh function, offers a facility to parse the "options" field of the sshPublicKey entry in LDAP like openssh does using the authorized_keys file. My goal is to restrict the origin of SSH connections which use key exchange based on the from="" option of the sshPublicKey stored in LDAP. Any guidance you have is appreciated.
> Thanks,
> Lucas
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list