SSH server checking public keys from another source












2














In an ssh connection with key authentication the user sends the ID of the public key he wants to use. Then, the server checks the authorized_keys file for the publick key.



I'd like the server to not look for that ID in the authorized_keys file, but using the user name to retrieve the key from another source (e.g. a databse, another file, a remote server etc.)



Is it possible to do that?










share|improve this question



























    2














    In an ssh connection with key authentication the user sends the ID of the public key he wants to use. Then, the server checks the authorized_keys file for the publick key.



    I'd like the server to not look for that ID in the authorized_keys file, but using the user name to retrieve the key from another source (e.g. a databse, another file, a remote server etc.)



    Is it possible to do that?










    share|improve this question

























      2












      2








      2


      1





      In an ssh connection with key authentication the user sends the ID of the public key he wants to use. Then, the server checks the authorized_keys file for the publick key.



      I'd like the server to not look for that ID in the authorized_keys file, but using the user name to retrieve the key from another source (e.g. a databse, another file, a remote server etc.)



      Is it possible to do that?










      share|improve this question













      In an ssh connection with key authentication the user sends the ID of the public key he wants to use. Then, the server checks the authorized_keys file for the publick key.



      I'd like the server to not look for that ID in the authorized_keys file, but using the user name to retrieve the key from another source (e.g. a databse, another file, a remote server etc.)



      Is it possible to do that?







      ssh ssh-keys authorized-keys






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 4 at 12:35









      Federico Taschin

      133




      133






















          1 Answer
          1






          active

          oldest

          votes


















          2














          To change the file path, you can specify the AuthorizedKeysFile option in sshd_config (assuming the server runs OpenSSH). You can give multiple paths, either relative to the user's home directory, or absolute paths with %u expanding to the username.



          For example, to keep the default authorized_keys location and add a file in /etc:



          AuthorizedKeysFile  .ssh/authorized_keys  /etc/ssh/users/%u.txt


          To use an external command, if the server is using OpenSSH 6.2 or later, you can specify AuthorizedKeysCommand in the server's sshd_config file, pointing to a custom program or script.



          The program will be run on every login, receive a username as command-line parameter, and needs to output a list of keys for that user (using the same format as authorized_keys) via stdout.



          For example, if you are using LDAP, the SSSD LDAP client already includes a tool sss_ssh_authorizedkeys for retrieving keys from the user's sshPublicKey attribute.



          AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
          AuthorizedKeysCommandUser nobody





          share|improve this answer





















          • That's what I needed, thanks!
            – Federico Taschin
            Dec 4 at 16:13











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380683%2fssh-server-checking-public-keys-from-another-source%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          2














          To change the file path, you can specify the AuthorizedKeysFile option in sshd_config (assuming the server runs OpenSSH). You can give multiple paths, either relative to the user's home directory, or absolute paths with %u expanding to the username.



          For example, to keep the default authorized_keys location and add a file in /etc:



          AuthorizedKeysFile  .ssh/authorized_keys  /etc/ssh/users/%u.txt


          To use an external command, if the server is using OpenSSH 6.2 or later, you can specify AuthorizedKeysCommand in the server's sshd_config file, pointing to a custom program or script.



          The program will be run on every login, receive a username as command-line parameter, and needs to output a list of keys for that user (using the same format as authorized_keys) via stdout.



          For example, if you are using LDAP, the SSSD LDAP client already includes a tool sss_ssh_authorizedkeys for retrieving keys from the user's sshPublicKey attribute.



          AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
          AuthorizedKeysCommandUser nobody





          share|improve this answer





















          • That's what I needed, thanks!
            – Federico Taschin
            Dec 4 at 16:13
















          2














          To change the file path, you can specify the AuthorizedKeysFile option in sshd_config (assuming the server runs OpenSSH). You can give multiple paths, either relative to the user's home directory, or absolute paths with %u expanding to the username.



          For example, to keep the default authorized_keys location and add a file in /etc:



          AuthorizedKeysFile  .ssh/authorized_keys  /etc/ssh/users/%u.txt


          To use an external command, if the server is using OpenSSH 6.2 or later, you can specify AuthorizedKeysCommand in the server's sshd_config file, pointing to a custom program or script.



          The program will be run on every login, receive a username as command-line parameter, and needs to output a list of keys for that user (using the same format as authorized_keys) via stdout.



          For example, if you are using LDAP, the SSSD LDAP client already includes a tool sss_ssh_authorizedkeys for retrieving keys from the user's sshPublicKey attribute.



          AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
          AuthorizedKeysCommandUser nobody





          share|improve this answer





















          • That's what I needed, thanks!
            – Federico Taschin
            Dec 4 at 16:13














          2












          2








          2






          To change the file path, you can specify the AuthorizedKeysFile option in sshd_config (assuming the server runs OpenSSH). You can give multiple paths, either relative to the user's home directory, or absolute paths with %u expanding to the username.



          For example, to keep the default authorized_keys location and add a file in /etc:



          AuthorizedKeysFile  .ssh/authorized_keys  /etc/ssh/users/%u.txt


          To use an external command, if the server is using OpenSSH 6.2 or later, you can specify AuthorizedKeysCommand in the server's sshd_config file, pointing to a custom program or script.



          The program will be run on every login, receive a username as command-line parameter, and needs to output a list of keys for that user (using the same format as authorized_keys) via stdout.



          For example, if you are using LDAP, the SSSD LDAP client already includes a tool sss_ssh_authorizedkeys for retrieving keys from the user's sshPublicKey attribute.



          AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
          AuthorizedKeysCommandUser nobody





          share|improve this answer












          To change the file path, you can specify the AuthorizedKeysFile option in sshd_config (assuming the server runs OpenSSH). You can give multiple paths, either relative to the user's home directory, or absolute paths with %u expanding to the username.



          For example, to keep the default authorized_keys location and add a file in /etc:



          AuthorizedKeysFile  .ssh/authorized_keys  /etc/ssh/users/%u.txt


          To use an external command, if the server is using OpenSSH 6.2 or later, you can specify AuthorizedKeysCommand in the server's sshd_config file, pointing to a custom program or script.



          The program will be run on every login, receive a username as command-line parameter, and needs to output a list of keys for that user (using the same format as authorized_keys) via stdout.



          For example, if you are using LDAP, the SSSD LDAP client already includes a tool sss_ssh_authorizedkeys for retrieving keys from the user's sshPublicKey attribute.



          AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
          AuthorizedKeysCommandUser nobody






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Dec 4 at 12:43









          grawity

          232k35490546




          232k35490546












          • That's what I needed, thanks!
            – Federico Taschin
            Dec 4 at 16:13


















          • That's what I needed, thanks!
            – Federico Taschin
            Dec 4 at 16:13
















          That's what I needed, thanks!
          – Federico Taschin
          Dec 4 at 16:13




          That's what I needed, thanks!
          – Federico Taschin
          Dec 4 at 16:13


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380683%2fssh-server-checking-public-keys-from-another-source%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Сан-Квентин

          8-я гвардейская общевойсковая армия

          Алькесар