
Authorization in SSH Using Keys from an External Source

It happens that you need to get users' public keys onto a server from somewhere other than their home directories.

OpenSSH has an interesting mechanism for this: AuthorizedKeysCommand, which runs an external program to obtain the authorized keys for a specific user and reads authorized_keys lines from its stdout.

But there is a small caveat here: the user account must already exist on the host, since sshd only consults the command for a local user.

In general, add the following to /etc/ssh/sshd_config (sshd will refuse to run the command unless the script and every directory on its path are owned by root and not writable by group or others; with no arguments given, the target username is passed as $1):

AuthorizedKeysCommand /usr/local/sbin/iam-ssh-auth
AuthorizedKeysCommandUser nobody

I ended up with this strange script:

#!/bin/bash
# Called by sshd as: iam-ssh-auth <username>; prints authorized_keys lines to stdout.

if [ $# -ne 1 ]; then
    echo "Usage: $0 userid" >&2
    exit 1
fi

# Settings used below: IAM_SSH_LOCAL_KEYS, IAM_SSH_API_KEYS, IAM_SSH_API_ADDR
if [ -f /etc/default/iam-ssh-auth ]; then
    . /etc/default/iam-ssh-auth
else
    echo "Could not find config file" >&2
    exit 1
fi

userid=$1

# Keys kept on the host itself, one file per user.
if [ "$IAM_SSH_LOCAL_KEYS" = "YES" ]; then
    keyfile="/var/lib/keys/${userid}.pub"

    if [ -f "$keyfile" ]; then
        cat "$keyfile"
    fi
fi

# Keys from the IAM API: host-specific list first, then the global one.
# --fail (-f) keeps an HTTP error body (e.g. a 404 page) from being printed as if it were a key line.
if [ "$IAM_SSH_API_KEYS" = "YES" ]; then
    if [ -n "$IAM_SSH_API_ADDR" ]; then
        curl -sf -H "Content-Type: text/plain" "${IAM_SSH_API_ADDR}/iam/host/$(hostname -f)/${userid}"
        curl -sf -H "Content-Type: text/plain" "${IAM_SSH_API_ADDR}/iam/host/global/${userid}"
    fi
fi

So in the end you can authorize users from local files, from the API, or both, depending on what you need.
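One check the setup above leaves out: whatever the API (or a stray error page) returns is handed to sshd as authorized_keys lines. The filter below is an added example, not part of the original post: it decodes each line's key blob and passes through only well-formed key lines whose embedded type matches the declared one, rejecting option-prefixed lines so that a remote source cannot set sshd options. The sample API response, the key blob and the function names are constructed for the demo.

```python
import base64
from typing import List, Optional

# Key types sshd accepts in the first field of an authorized_keys line.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def blob_type(blob: bytes) -> Optional[str]:
    """Type name at the start of an SSH wire-format blob: uint32 length, then the name."""
    if len(blob) < 4:
        return None
    n = int.from_bytes(blob[:4], "big")
    if n == 0 or len(blob) < 4 + n:
        return None
    try:
        return blob[4:4 + n].decode("ascii")
    except UnicodeDecodeError:
        return None

def valid_key_line(line: str) -> bool:
    """'<type> <base64> [comment]' whose blob really encodes that same type.
    Lines with leading options (command=, environment=, ...) are rejected on purpose."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return blob_type(blob) == parts[0]

def filter_keys(text: str) -> List[str]:
    """Keep only lines that pass valid_key_line; everything else is dropped."""
    return [ln.strip() for ln in text.splitlines() if valid_key_line(ln.strip())]

def synthetic_key(key_type: str = "ssh-ed25519", raw: bytes = b"\x01" * 32) -> str:
    """Constructed blob string(type) || string(raw) for the demo; raw is not a real key."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(raw)).decode()

# Constructed stand-in for an API response: one good line among junk.
GOOD = synthetic_key()
SAMPLE = "\n".join([
    f"ssh-ed25519 {GOOD} alice@example.org",
    f"ssh-rsa {GOOD} outer-type-disagrees-with-blob",
    f'command="/bin/sh" ssh-ed25519 {GOOD} options-set-remotely',
    "<html><body>404 Not Found</body></html>",
    "ssh-ed25519 not*base64 bob",
])
```

Piping each curl call through this filter (or calling filter_keys on the joined responses) is enough to keep non-key text out of the lines sshd sees.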