RE: Openssh AuthorizedKeysCommand Inquiry

Thank you for your quick response. Everything appears to be working as you described. Keep up the excellent work!

Thanks,
Lucas

-----Original Message-----
From: Peter Moody [mailto:peter@xxxxxxxx] 
Sent: Friday, July 29, 2016 11:33 AM
To: Lucas Halbert <lhalbert@xxxxxxxxxxx>
Cc: openssh-unix-dev@xxxxxxxxxxx
Subject: Re: Openssh AuthorizedKeysCommand Inquiry

AuthorizedKeysCommand would point to a script/binary that you write that when run with the configured options, returns what you want the AuthorizedKeysFile to look like for that user. So if you have pubkeys and options stored with your users in ldap in two separate attributes, you should be able to have something like this:

# this is in your sshd_config
AuthorizedKeysCommand /my/authorized_keys_command %u

# and this is the authorized_keys_command script.

#!/bin/sh
# the username sshd passes in as %u
uid="$1"

# fetch the key attribute for that user and keep only the value after "attr:"
pubkey=$(ldapsearch "uid=$uid" sshPubkey | grep -v '^dn:' | cut -d ':' -f 2-)

echo "$pubkey"




On Fri, Jul 29, 2016 at 7:18 AM, Lucas Halbert <lhalbert@xxxxxxxxxxx> wrote:
> To whom it may concern,
>
> I have a question regarding the AuthorizedKeysCommand functionality. Currently I am working on building an openldap sshPublicKey infrastructure which contains sshPublicKey entries with the following format (options keytype base64-encoded-key comment), example: (from="host1.example.com" ssh-rsa AB3Nz...EN8w== user@xxxxxxxxxxxxxxxxx). I am wondering if the AuthorizedKeysCommand directive, or some other openssh function, offers a facility to parse the "options" field of the sshPublicKey entry in LDAP like openssh does using the authorized_keys file. My goal is to restrict the origin of SSH connections which use key exchange based on the from="" option of the sshPublicKey stored in LDAP. Any guidance you have is appreciated.
>
> Thanks,
> Lucas
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
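A fuller version of the AuthorizedKeysCommand sketch in the thread, written as an added example rather than code from either poster: it validates the username before it reaches the LDAP filter, handles LDIF line folding and base64 (`::`) values, and prints the stored lines unchanged so sshd itself enforces from="" and any other options, just as it does for authorized_keys. The base DN, the installed path and the constructed LDIF used for checking are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the LDAP base below and
# OpenLDAP's ldapsearch; install as e.g. /usr/local/sbin/ldap_authorized_keys and set
#   AuthorizedKeysCommand /usr/local/sbin/ldap_authorized_keys %u
#   AuthorizedKeysCommandUser nobody
# in sshd_config. Each printed line is treated exactly like an authorized_keys
# line, so sshd itself enforces from=, command=, no-pty and the other options.
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"   # assumption
KEY_ATTR="sshPublicKey"

# The username is interpolated into an LDAP filter: accept a conservative
# pattern and reject everything else instead of trying to escape it.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Convert ldapsearch LDIF on stdin into key lines: joins folded continuation
# lines (leading space), base64-decodes "attr::" values, ignores other attributes.
ldif_to_keys() {
    awk -v attr="$KEY_ATTR" '
        BEGIN { lattr = tolower(attr) }
        function emit(   lc, v) {
            lc = tolower(cur)
            if (index(lc, lattr "::") == 1) {
                v = substr(cur, length(attr) + 3); sub(/^ */, "", v); print "B64 " v
            } else if (index(lc, lattr ":") == 1) {
                v = substr(cur, length(attr) + 2); sub(/^ */, "", v); print "RAW " v
            }
            cur = ""
        }
        /^ / { cur = cur substr($0, 2); next }
        { emit(); cur = $0 }
        END { emit() }' |
    while read -r kind val; do
        case $kind in
            B64) printf '%s\n' "$val" | base64 -d && echo ;;
            RAW) printf '%s\n' "$val" ;;
        esac
    done
}

# Look up one user and print their keys; a rejected name or failed lookup
# prints nothing, so sshd simply has no LDAP keys to accept for that login.
authorized_keys_for() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -b "$LDAP_BASE" "(uid=$1)" "$KEY_ATTR" | ldif_to_keys
}

if [ $# -eq 1 ]; then authorized_keys_for "$1"; fi
```

Run it by hand as the AuthorizedKeysCommandUser (`ldap_authorized_keys lucas`) and compare the output with what sshd -ddd logs while authenticating, since sshd applies from="" only to lines that parse cleanly.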
