OpenSSH 6.2.x and LDAP authentication

Since the release of OpenSSH 6.2, two new configuration parameters have been added:

  • AuthorizedKeysCommand
  • AuthorizedKeysCommandUser

These parameters allow you to implement any kind of authentication backend for OpenSSH, including LDAP authentication, so patches like the LPK patch for OpenSSH are no longer required.
The only thing the script needs to do is print either nothing (an empty string) or the user's public key on STDOUT.

In our example below, we added an extra check that verifies whether the user is a member of a certain group.
The script is a very simple Bash script and can be rewritten in any language or as any program; what matters is what it writes to STDOUT.
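The kind of script these two parameters call, as an added example that is not the blog's own script: it prints the key only when the user is a member of the required group, and it replaces the LDAP query with a constructed LDIF entry so it runs offline. The sshPublicKey attribute, the group name and the sshd_config lines are assumptions.

```shell
#!/bin/sh
# Added example (not the blog's own script): an AuthorizedKeysCommand-style
# lookup with a group check. The LDAP query is replaced by a constructed LDIF
# fragment so it runs offline; on a real server ldap_lookup would call
# ldapsearch. The attribute name sshPublicKey (openssh-lpk schema) and the
# group name are assumptions.
#
# Assumed sshd_config wiring:
#   AuthorizedKeysCommand /usr/local/bin/ldap-keys %u
#   AuthorizedKeysCommandUser nobody

ALLOWED_GROUP="ssh-users"

# Stand-in for the directory: returns a constructed LDIF entry for known
# users and nothing for unknown ones.
ldap_lookup() {
  case "$1" in
    alice) printf 'dn: uid=alice,ou=people,dc=example,dc=com\n'
           printf 'memberOf: cn=ssh-users,ou=groups,dc=example,dc=com\n'
           printf 'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYALICE alice@example\n' ;;
    bob)   printf 'dn: uid=bob,ou=people,dc=example,dc=com\n'
           printf 'memberOf: cn=staff,ou=groups,dc=example,dc=com\n'
           printf 'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYBOB bob@example\n' ;;
  esac
}

# Prints the user's key(s) on STDOUT only when the user exists and is a
# member of ALLOWED_GROUP; otherwise prints nothing, which sshd treats as
# "no authorized key" for this lookup.
authorized_keys_for() {
  user="$1"
  # Refuse anything that is not a plain account name so the value can never
  # alter an LDAP filter built from it.
  case "$user" in
    ""|*[!a-zA-Z0-9._-]*) return 0 ;;
  esac
  entry=$(ldap_lookup "$user")
  [ -n "$entry" ] || return 0
  printf '%s\n' "$entry" | grep -q "^memberOf: cn=${ALLOWED_GROUP}," || return 0
  printf '%s\n' "$entry" | sed -n 's/^sshPublicKey: //p'
}

# sshd passes the login name as %u; an empty argument yields no key.
authorized_keys_for "${1:-}"
```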


OpenSSH 6.2.x and LDAP authentication — 11 Comments

  1. Hi,

    What prerequisites are required for this to work? I assume I need some kind of LDAP application installed for the queries to the LDAP server to work?

    Thanks

  2. Pingback: Setting up a script on Arch Linux that answers AuthorizedKeysCommand with the public key registered in LDAP | netanote.com

    • Really? I have it like this:

      Works fine …
