man pages section 8: System Administration Commands

Updated: Wednesday, July 27, 2022



ssh-pubkey-ldap - request public keys stored in an LDAP server


/usr/lib/ssh/ssh-pubkey-ldap [username] 


ssh-pubkey-ldap is used as a helper application for the OpenSSH sshd(8) server. It is designed to be the value of the AuthorizedKeysCommand setting in the sshd_config(5) file. When run, it requests a user's ssh(1) public key from an LDAP server.

The name 'sshPublicKey' is the default ssh(1) public key attribute name in the LDAP schema. This application uses the ldapsearch(1oldap) command to request a user's SSH public key.

If no username is specified, then the username of the target user is automatically passed in by the AuthorizedKeysCommand setting in the sshd_config(5) file.


The recommended way to use this sshd(8) helper application is to configure the AuthorizedKeysCommand and the AuthorizedKeysCommandUser settings in the sshd_config(5) file. Example 2 shows how this application can be used from the command line with a username specified as an option.

Example 1 Retrieving SSH public keys from LDAP

This example shows how to configure the SSH server to retrieve the target user's public key from the LDAP server configured as the system nameservice. Add the following lines to sshd_config(5):

AuthorizedKeysCommand /usr/lib/ssh/ssh-pubkey-ldap
AuthorizedKeysCommandUser daemon

Note that the user of the ssh-pubkey-ldap program must be specified. This user must be able to read data from the LDAP server. It may be necessary in some cases to set 'root' as the AuthorizedKeysCommandUser if a restricted set of LDAP ACIs is in place and a proxy user is configured for the Solaris LDAP nameservice.

It may be appropriate to enable this for a subset of users using the Match block facility defined in sshd_config(5).

Example 2 Retrieving SSH public keys from LDAP only

As in Example 1 above, but also add the following entry to sshd_config(5) to ensure that no authorized_keys files in the user's home directory are used.

AuthorizedKeysFile /dev/null
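
The following check is an added example, not part of the original man page or of ssh-pubkey-ldap itself. It audits the effective server settings for the LDAP-only setup from Examples 1 and 2, reading text in the lowercase "keyword value" form printed by OpenSSH's `sshd -T`. The function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings (as printed by `sshd -T`,
# which emits lowercase keywords) for the setup in Examples 1 and 2.

# Print the value of keyword $1 found in config text $2 (first match wins).
sshd_value() {
    printf '%s\n' "$2" |
        awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Return 0 if public keys come only from ssh-pubkey-ldap;
# otherwise print the findings and return 1.
check_ldap_only() {
    cfg=$1 rc=0
    cmd=$(sshd_value authorizedkeyscommand "$cfg")
    usr=$(sshd_value authorizedkeyscommanduser "$cfg")
    file=$(sshd_value authorizedkeysfile "$cfg")
    if [ "$cmd" != /usr/lib/ssh/ssh-pubkey-ldap ]; then
        echo "FAIL: AuthorizedKeysCommand is '${cmd:-unset}'"; rc=1
    fi
    case $usr in
        ''|none) echo "FAIL: AuthorizedKeysCommandUser is not set"; rc=1 ;;
        root)    echo "NOTE: helper runs as root; confirm the LDAP ACIs require it" ;;
    esac
    if [ "$file" != /dev/null ]; then
        echo "FAIL: AuthorizedKeysFile is '${file:-unset}'; local key files still apply"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_LDAP_ONLY='authorizedkeyscommand /usr/lib/ssh/ssh-pubkey-ldap
authorizedkeyscommanduser daemon
authorizedkeysfile /dev/null'

SAMPLE_MIXED='authorizedkeyscommand /usr/lib/ssh/ssh-pubkey-ldap
authorizedkeyscommanduser daemon
authorizedkeysfile .ssh/authorized_keys'

# On a live system: check_ldap_only "$(sshd -T)"
check_ldap_only "$SAMPLE_LDAP_ONLY" && echo "OK: LDAP-only public keys"
check_ldap_only "$SAMPLE_MIXED" || echo "Result: not LDAP-only"
```

If the settings are applied inside a Match block, the effective values for a given connection can be obtained with `sshd -T -C user=NAME` and passed to the same function.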

Exit Status

The following exit values are returned:


Successful completion.


An error occurred.


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also

ssh(1), sshd_config(5), sshd(8)