SSH server checking public keys from another source

2

1

In an ssh connection with key authentication the user sends the ID of the public key he wants to use. Then, the server checks the authorized_keys file for the public key.

I'd like the server to not look for that ID in the authorized_keys file, but use the user name to retrieve the key from another source (e.g. a database, another file, a remote server etc.)

Is it possible to do that?

Federico Taschin

Posted 2018-12-04T12:35:04.130

Reputation: 123

Answers

2

To change the file path, you can specify the AuthorizedKeysFile option in sshd_config (assuming the server runs OpenSSH). You can give multiple paths, either relative to the user's home directory, or absolute paths with %u expanding to the username.

For example, to keep the default authorized_keys location and add a file in /etc:

AuthorizedKeysFile  .ssh/authorized_keys  /etc/ssh/users/%u.txt

To use an external command, if the server is using OpenSSH 6.2 or later, you can specify AuthorizedKeysCommand in the server's sshd_config file, pointing to a custom program or script.

The program will be run on every login, receive a username as command-line parameter, and needs to output a list of keys for that user (using the same format as authorized_keys) via stdout.

For example, if you are using LDAP, the SSSD LDAP client already includes a tool sss_ssh_authorizedkeys for retrieving keys from the user's sshPublicKey attribute.

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

user1686

Posted 2018-12-04T12:35:04.130

Reputation: 283 655
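As an added illustration of the AuthorizedKeysCommand approach from the answer above (example code, not from the answer's author or from OpenSSH), here is a minimal POSIX sh script that serves keys from a flat key database keyed by username. The database format, the path /etc/ssh/keydb and the sample entries are assumptions made up for the example; sshd requires the command to be owned by root and not writable by group or others.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand: sshd runs it as
#   AuthorizedKeysCommand /usr/local/sbin/keydb-lookup %u   (path is an assumption)
# and reads authorized_keys-format lines from stdout.
# Assumed database format, one entry per line:
#   <username> <key-type> <base64-key> [comment]
KEYDB="${KEYDB:-/etc/ssh/keydb}"   # assumed location

# sshd passes %u verbatim, so accept only a conservative character set
# and reject names starting with '-' or '.' before doing any lookup.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
    esac
    return 0
}

# Print the key lines for one user; print nothing (and fail) on any error,
# which makes sshd reject the key rather than accept something unintended.
lookup_keys() {
    user="$1"
    db="$2"
    valid_user "$user" || return 1
    [ -r "$db" ] || return 1
    # Exact match on the first field only; emit the rest of the line verbatim.
    awk -v u="$user" '$1 == u && NF >= 3 { $1 = ""; sub(/^ +/, ""); print }' "$db"
}

# Constructed sample database so the script can be tried offline
# (the key material below is a placeholder, not a real key).
sample_db() {
    tmp="${TMPDIR:-/tmp}/keydb.$$"
    cat >"$tmp" <<'EOF'
alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYalice000000000000000000000000000 alice@laptop
alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYalice111111111111111111111111111 alice@desktop
bob ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYbob bob@work
EOF
    printf '%s\n' "$tmp"
}

# When invoked by sshd the username is the first argument.
if [ $# -ge 1 ]; then
    lookup_keys "$1" "$KEYDB"
fi
```

Try it locally with `KEYDB=$(sample_db) sh keydb-lookup alice` to see the two lines sshd would receive for that user.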