Manual Pages for Linux CentOS command on man sss_ssh_authorizedkeys

SSS_SSH_AUTHORIZEDKE(1)          SSSD Manual pages          SSS_SSH_AUTHORIZEDKE(1)

NAME
       sss_ssh_authorizedkeys - get OpenSSH authorized keys

SYNOPSIS
       sss_ssh_authorizedkeys [options] USER

DESCRIPTION
       sss_ssh_authorizedkeys acquires SSH public keys for user USER and outputs them in OpenSSH authorized_keys format (see the “AUTHORIZED_KEYS FILE FORMAT” section of sshd(8) for more information).

       sshd(8) can be configured to use sss_ssh_authorizedkeys for public key user authentication if it is compiled with support for the “AuthorizedKeysCommand” option. Please refer to the sshd_config(5) man page for more details about this option.

       If “AuthorizedKeysCommand” is supported, sshd(8) can be configured to use it by putting the following directives in sshd_config(5):

           AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
           AuthorizedKeysCommandUser nobody

KEYS FROM CERTIFICATES
       In addition to the public SSH keys for user USER, sss_ssh_authorizedkeys can return public SSH keys derived from the public key of an X.509 certificate as well.

       To enable this, the “ssh_use_certificate_keys” option must be set to true (default) in the [ssh] section of sssd.conf. If the user entry contains certificates (see “ldap_user_certificate” in sssd-ldap(5) for details) or there is a certificate in an override entry for the user (see sss_override(8) or sssd-ipa(5) for details) and the certificate is valid, SSSD will extract the public key from the certificate and convert it into the format expected by sshd.

       Besides “ssh_use_certificate_keys” the options

       ·   ca_db

       ·   p11_child_timeout

       ·   certificate_verification

       can be used to control how the certificates are validated (see sssd.conf(5) for details).

       The validation is the benefit of using X.509 certificates instead of SSH keys directly because e.g. it gives a better control of the lifetime of the keys. When the ssh client is configured to use the private keys from a Smartcard with the help of a PKCS#11 shared library (see ssh(1) for details) it might be irritating that authentication is still working even if the related X.509 certificate on the Smartcard is already expired because neither ssh nor sshd will look at the certificate at all.

       It has to be noted that the derived public SSH key can still be added to the authorized_keys file of the user to bypass the certificate validation if the sshd configuration permits this.

OPTIONS

       -d, --domain DOMAIN
           Search for user public keys in SSSD domain DOMAIN.

       -?, --help
           Display help message and exit.

EXIT STATUS
       In case of success, an exit value of 0 is returned. Otherwise, 1 is returned.

SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sssd-secrets(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)

AUTHORS
       The SSSD upstream - https://pagure.io/SSSD/sssd/

SSSD                          10/30/2018          SSS_SSH_AUTHORIZEDKE(1)
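The sshd_config directives from DESCRIPTION and the authorized_keys bypass noted under KEYS FROM CERTIFICATES can be audited together. The Python below is an added example, not part of the SSSD manual page or project code; the sample configuration is constructed, and the check assumes only the global section matters (it stops at the first Match line and does not follow Include directives).

```python
import re

# Constructed sample sshd_config for this example; not from a real host.
SAMPLE_SSHD_CONFIG = """\
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
AuthorizedKeysFile .ssh/authorized_keys
"""

WATCHED = ("authorizedkeyscommand", "authorizedkeyscommanduser", "authorizedkeysfile")

def global_settings(text):
    """Return the first value of each watched keyword in the global section."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # sshd_config keywords are case-insensitive
        if key == "match":              # assumption: Match blocks are out of scope
            break
        if key in WATCHED and key not in found:   # sshd keeps the first value it reads
            found[key] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return found

def audit(text):
    """Return findings about how sss_ssh_authorizedkeys is wired into sshd."""
    cfg, findings = global_settings(text), []
    command = cfg.get("authorizedkeyscommand") or "none"
    if not command.split()[0].endswith("/sss_ssh_authorizedkeys"):
        findings.append("AuthorizedKeysCommand is not sss_ssh_authorizedkeys")
    user = cfg.get("authorizedkeyscommanduser")
    if not user:
        findings.append("AuthorizedKeysCommandUser is not set")
    elif user == "root":
        findings.append("AuthorizedKeysCommandUser is root")
    # When unset, sshd defaults to .ssh/authorized_keys .ssh/authorized_keys2.
    keys_file = cfg.get("authorizedkeysfile", ".ssh/authorized_keys .ssh/authorized_keys2")
    if keys_file.lower() != "none":
        findings.append("AuthorizedKeysFile is enabled: a derived key stored "
                        "there is accepted without certificate validation")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

Setting "AuthorizedKeysFile none" clears the last finding, at the cost of disabling all locally stored keys for the accounts that the global section covers.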



