1SSS_SSH_AUTHORIZEDKE(1)        SSSD Manual pages       SSS_SSH_AUTHORIZEDKE(1)
2
3
4

NAME

6       sss_ssh_authorizedkeys - get OpenSSH authorized keys
7

SYNOPSIS

9       sss_ssh_authorizedkeys [options] USER
10

DESCRIPTION

12       sss_ssh_authorizedkeys acquires SSH public keys for user USER and
13       outputs them in OpenSSH authorized_keys format (see the
14       “AUTHORIZED_KEYS FILE FORMAT” section of sshd(8) for more information).
15
16       sshd(8) can be configured to use sss_ssh_authorizedkeys for public key
17       user authentication if it is compiled with support for
18       “AuthorizedKeysCommand” option. Please refer to the sshd_config(5) man
19       page for more details about this option.
20
21       If “AuthorizedKeysCommand” is supported, sshd(8) can be configured to
22       use it by putting the following directives in sshd_config(5):
23
24             AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
25             AuthorizedKeysCommandUser nobody
26
27
28   KEYS FROM CERTIFICATES
29       In addition to the public SSH keys for user USER sss_ssh_authorizedkeys
30       can return public SSH keys derived from the public key of a X.509
31       certificate as well.
32
33       To enable this the “ssh_use_certificate_keys” option must be set to
34       true (default) in the [ssh] section of sssd.conf. If the user entry
35       contains certificates (see “ldap_user_certificate” in sssd-ldap(5) for
36       details) or there is a certificate in an override entry for the user
37       (see sss_override(8) or sssd-ipa(5) for details) and the certificate is
38       valid SSSD will extract the public key from the certificate and convert
39       it into the format expected by sshd.
40
41       Besides “ssh_use_certificate_keys” the options
42
43       ·   ca_db
44
45       ·   p11_child_timeout
46
47       ·   certificate_verification
48
49       can be used to control how the certificates are validated (see
50       sssd.conf(5) for details).
51
52       The validation is the benefit of using X.509 certificates instead of
53       SSH keys directly because e.g. it gives a better control of the
54       lifetime of the keys. When the ssh client is configured to use the
55       private keys from a Smartcard with the help of a PKCS#11 shared library
56       (see ssh(1) for details) it might be irritating that authentication is
57       still working even if the related X.509 certificate on the Smartcard is
58       already expired because neither ssh nor sshd will look at the
59       certificate at all.
60
61       It has to be noted that the derived public SSH key can still be added
62       to the authorized_keys file of the user to bypass the certificate
63       validation if the sshd configuration permits this.
64

OPTIONS

66       -d,--domain DOMAIN
67           Search for user public keys in SSSD domain DOMAIN.
68
69       -?,--help
70           Display help message and exit.
71

EXIT STATUS

73       In case of success, an exit value of 0 is returned. Otherwise, 1 is
74       returned.
75

SEE ALSO

77       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
78       sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sssd-session-recording(5),
79       sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8),
80       sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
81       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8).  sss_rpcidmapd(5)
82       sssd-systemtap(5)
83

AUTHORS

85       The SSSD upstream - https://pagure.io/SSSD/sssd/
86
87
88
89SSSD                              07/01/2019           SSS_SSH_AUTHORIZEDKE(1)
Impressum