Thanks for the tip on name service switch extensions -- I shall look.. Maybe adding something that lets you query the users there is all I need... we'll see.

The AuthorizedKeysCommand could be a script - and figures out everything - the ssh connection doesn't get that far when the user doesn't exist on the system yet :(

Hence - maybe a NSS User Database extension which looks for the public keys from a webservice (and then maybe writes them to /tmp/<username>). The AuthorizedKeysCommand could then just return the tmp/username information..

Hoping the NSS shows some promise..

Wow, thanks for all the help!

On Fri, Feb 6, 2015 at 2:26 PM, Scott Neugroschl <scott_n@xxxxxxxxx> wrote:
>
>>> However - as I got into that - I realized that I have no way to "find"
>>> just the keys for a single user. Since the only argument to that ssh
>>> keys command, is the username. It's not HTTP so I couldn't point at a
>>> subdomain and use that to look up the information.
>
>>You may be interested in the bug report "extend the parameters to the
>>AuthorizedKeysCommand":
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2081
>
> Why not have the Authorized Keys Command be a script that figures out the domain from the username?
>
> _______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
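
An added sketch (not code from the thread or from OpenSSH) of the suggestion quoted above: an AuthorizedKeysCommand script that derives the domain from the username. The `user_domain` login format, the names `split_login` and `authorized_keys_for`, and the in-memory `KEY_STORE` standing in for the web service are all assumptions; as the post notes, sshd only reaches this command once the account resolves on the system.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: derive the domain from the login name."""
import re
import sys

# Assumed login shape "<user>_<domain>", e.g. "alice_example.org".
# The name arrives before authentication, so it is untrusted input:
# anything outside this strict pattern is rejected, never "cleaned up".
LABEL = r"[a-z0-9]+(?:-[a-z0-9]+)*"
LOGIN_RE = re.compile(
    rf"(?P<user>[a-z][a-z0-9-]{{0,31}})_(?P<domain>{LABEL}(?:\.{LABEL})+)"
)

# Constructed sample data standing in for the per-domain key web service.
KEY_STORE = {
    ("example.org", "alice"): [
        "ssh-ed25519 AAAA-CONSTRUCTED-PLACEHOLDER-KEY alice@example.org",
    ],
}


def split_login(login):
    """Return (user, domain), or None if the login is not well formed."""
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    m = LOGIN_RE.fullmatch(login)
    return (m.group("user"), m.group("domain")) if m else None


def authorized_keys_for(login, store=KEY_STORE):
    """Return authorized_keys lines for this login; empty list if none."""
    parts = split_login(login)
    if parts is None:
        return []
    user, domain = parts
    return list(store.get((domain, user), []))


def main(argv):
    if len(argv) != 2:
        return 1
    # sshd reads the keys from stdout, so nothing is staged on disk.
    for line in authorized_keys_for(argv[1]):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Printing no lines makes sshd treat the login as having no keys from this source, so malformed or unknown names fail closed.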