
Re: attribute for storing SSH RSA host keys



Stephan Fabel wrote:
> On 04/16/2014 11:20 AM, Michael Ströder wrote:
>> It's quite usual nowadays to use this when dealing with SSH keys in LDAP entries:
>>
>> https://code.google.com/p/openssh-lpk/
> 
> Found this in sshd_config(5):
> 
> ------snip-------
> AuthorizedKeysCommand
>              Specifies a program to be used to look up the user's public keys.
>              The program must be owned by root and not writable by group or
>              others.  It will be invoked with a single argument of the
>              username being authenticated, and should produce on standard
>              output zero or more lines of authorized_keys output (see
>              AUTHORIZED_KEYS in sshd(8) <http://www.openssh.com/cgi-bin/man.cgi?query=sshd&sektion=8&arch=&apropos=0&manpath=OpenBSD+Current>).  If a key supplied by
>              AuthorizedKeysCommand does not successfully authenticate and
>              authorize the user then public key authentication continues using
>              the usual AuthorizedKeysFile files.  By default, no
>              AuthorizedKeysCommand is run.
> ------snip-------

Yes, that would be usable for retrieving authorized keys remotely, though I
personally prefer to sync SSH authorized keys to a central directory and set
AuthorizedKeysFile accordingly.

But I understood the original poster to mean that he wants to generate a known hosts
file by retrieving all the *host* keys from LDAP.

Ciao, Michael.
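For both halves of this exchange, here is an added example (not code from the thread, from OpenSSH or from openssh-lpk): a small Python script that parses ldapsearch-style LDIF, checks each stored key, and emits known_hosts lines for host entries and authorized_keys lines for one user, i.e. the output format the AuthorizedKeysCommand excerpt above requires. The user-key attribute sshPublicKey is taken from the openssh-lpk schema linked above; sshHostKey is a hypothetical name for a host-key attribute, since the thread has not settled on one; the LDIF and the key blobs are constructed sample data. The script goes one step beyond the thread by checking that the key type declared in the text matches the type encoded inside the base64 blob, so a mislabelled or truncated directory value is skipped rather than written into known_hosts.

```python
"""LDIF (ldapsearch output) -> SSH known_hosts / authorized_keys lines.

Added example, not code from the thread or from openssh-lpk.
Assumptions: user keys live in sshPublicKey (openssh-lpk schema); host keys
live in a hypothetical attribute named sshHostKey; SAMPLE_LDIF below is a
constructed sample and its key blobs are not real keys.
"""
import base64
import struct
import sys

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]: handles comments, folded
    lines (leading space continues the previous line) and 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:            # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def validate_key(line):
    """Return (type, blob_b64, comment) for a well-formed OpenSSH public key
    line, else None.  The type string inside the wire blob must equal the
    declared type, so mislabelled or truncated values are rejected."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != parts[0].encode():
        return None
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def known_hosts_lines(entries, host_attr="sshHostKey"):
    """One known_hosts line per valid host key: 'name[,ip] type blob'."""
    out = []
    for dn, attrs in entries:
        names = attrs.get("cn", []) + attrs.get("ipHostNumber", [])
        for key in attrs.get(host_attr, []):
            parsed = validate_key(key)
            if parsed is None or not names:
                print(f"skipping bad host key in {dn}", file=sys.stderr)
                continue
            out.append(f"{','.join(names)} {parsed[0]} {parsed[1]}")
    return out


def authorized_keys_for(entries, username, user_attr="sshPublicKey"):
    """authorized_keys lines for one uid: what AuthorizedKeysCommand prints."""
    out = []
    for dn, attrs in entries:
        if username not in attrs.get("uid", []):
            continue
        for key in attrs.get(user_attr, []):
            parsed = validate_key(key)
            if parsed is None:
                print(f"skipping bad user key in {dn}", file=sys.stderr)
                continue
            out.append(" ".join(p for p in parsed if p))
    return out


def _fake_blob(keytype, payload):
    """Base64 blob in OpenSSH wire form (length-prefixed strings).
    Constructed for the sample only; payload is not real key material."""
    wire = (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(payload)) + payload)
    return base64.b64encode(wire).decode()


GOOD_ED = _fake_blob("ssh-ed25519", b"\x01" * 32)
GOOD_RSA = _fake_blob("ssh-rsa", b"\x03" + b"\x02" * 64)
MISMATCH = _fake_blob("ssh-ed25519", b"\x04" * 32)   # labelled ssh-rsa below

# Constructed sample of ldapsearch output, not from a real directory.
SAMPLE_LDIF = f"""# constructed sample
dn: cn=host1.example.org,ou=Hosts,dc=example,dc=org
cn: host1.example.org
ipHostNumber: 192.0.2.10
sshHostKey: ssh-ed25519 {GOOD_ED} root@host1
description:: {base64.b64encode(b'constructed sample host').decode()}

dn: cn=host2.example.org,ou=Hosts,dc=example,dc=org
cn: host2.example.org
sshHostKey: ssh-rsa {MISMATCH} root@host2

dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
sshPublicKey: ssh-rsa {GOOD_RSA[:40]}
 {GOOD_RSA[40:]} alice@laptop
"""

if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("\n".join(known_hosts_lines(ents)))        # host1 only; host2 is skipped
    print("\n".join(authorized_keys_for(ents, "alice")))
```

In real use the LDIF would come from `ldapsearch -LLL` over the hosts subtree (for known_hosts) or from a query on the uid passed as the single argument of AuthorizedKeysCommand; the second entry in the sample shows why the blob check matters, as its text says ssh-rsa while the encoded blob names ssh-ed25519, and it is dropped with a message on stderr instead of being trusted.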
