ssh-pubkey-ldap - request public keys stored in an LDAP server
ssh-pubkey-ldap is used as a helper application for the OpenSSH sshd(8) server. It is designed to be the value of the AuthorizedKeysCommand setting in the sshd_config(5) file. When run, it requests a user's ssh(1) public key from an LDAP server.
If no username is specified, then the username of the target user is automatically passed in by the AuthorizedKeysCommand setting in the sshd_config(5) file.
The recommended way to use this sshd(8) helper application is to configure the AuthorizedKeysCommand and the AuthorizedKeysCommandUser settings in the sshd_config(5) file. Example 2 shows how this application can be used from the command line with a username specified as an option.

Example 1 Retrieving SSH public keys from LDAP
This example shows how to configure the SSH server to retrieve the target user's public key from the LDAP server configured as the system nameservice. Add the following lines to sshd_config(5):
    AuthorizedKeysCommand /usr/lib/ssh/ssh-pubkey-ldap
    AuthorizedKeysCommandUser daemon
Note that the user of the ssh-pubkey-ldap program must be specified. This user must be able to read data from the LDAP server. It may be necessary in some cases to set 'root' as the AuthorizedKeysCommandUser if a restricted set of LDAP ACIs is in place and a proxy user is configured for the Solaris LDAP nameservice.
It may be appropriate to enable this for a subset of users using the Match block facility defined in sshd_config(5).

Example 2 Retrieving SSH public keys from LDAP only
As in Example 1 above, but also add the following entry to sshd_config(5) to ensure that no authorized_keys files in the user's home directory are used.
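A lint for the two examples above, added here and not part of the man page or of the ssh-pubkey-ldap program: it checks an sshd_config(5) file for the Example 1 wiring (absolute AuthorizedKeysCommand plus AuthorizedKeysCommandUser) and for the Example 2 LDAP-only setup, which it assumes is expressed with the directive AuthorizedKeysFile none, using a constructed config fragment as input.

```shell
#!/bin/sh
# Lint the AuthorizedKeysCommand wiring in an sshd_config(5) file.
# Only the global section (everything before the first Match block) is read,
# keywords match case-insensitively and, as in sshd, the first occurrence of
# a keyword wins. Handles "keyword value" syntax only.

# Returns 0 when the file names an absolute AuthorizedKeysCommand together
# with an AuthorizedKeysCommandUser (sshd rejects the command without a user),
# 1 otherwise, printing what is wrong.
check_akc_config() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }               # stop at the first Match block
        tolower($1) == "authorizedkeyscommand" && cmd == "" { cmd = $2 }
        tolower($1) == "authorizedkeyscommanduser" && usr == "" { usr = $2 }
        END {
            rc = 0
            if (cmd == "") { print "missing: AuthorizedKeysCommand"; rc = 1 }
            else if (cmd !~ /^\//) { print "not an absolute path: " cmd; rc = 1 }
            if (usr == "") { print "missing: AuthorizedKeysCommandUser"; rc = 1 }
            if (rc == 0) print "ok: " cmd " runs as user " usr
            exit rc
        }' "$1"
}

# Returns 0 when the global section also sets AuthorizedKeysFile to none
# (assumption: that is the directive Example 2 refers to), 1 otherwise.
ldap_only() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "authorizedkeysfile" && !seen { seen = 1; only_none = (NF == 2 && tolower($2) == "none") }
        END { exit !(seen && only_none) }' "$1"
}

# Constructed sample: the Example 1 lines plus a Match block, which both
# checks must ignore even though it contains AuthorizedKeysFile.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
AuthorizedKeysCommand /usr/lib/ssh/ssh-pubkey-ldap
AuthorizedKeysCommandUser daemon
Match Group ldap-only
    AuthorizedKeysFile none
EOF
check_akc_config "$sample"
if ldap_only "$sample"; then echo "LDAP-only"; else echo "authorized_keys files still honoured"; fi
rm -f "$sample"
```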
The following exit values are returned:
An error occurred.
See attributes(7) for descriptions of the following attributes: