Authorization in SSH Using Keys from an External Source
Sometimes you need to deliver public keys to a server from somewhere else.
OpenSSH has an interesting mechanism for this, AuthorizedKeysCommand: sshd runs a program to obtain the keys for a specific user.
There is one small caveat: the user must already exist on the server.
In general, add the following to /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/local/sbin/iam-ssh-auth
AuthorizedKeysCommandUser nobody
I ended up with this strange script:
#!/bin/bash
# AuthorizedKeysCommand helper: prints authorized_keys lines for one user.
if [ $# -ne 1 ]; then
    echo "Usage: $0 userid" >&2
    exit 1
fi
# Settings: IAM_SSH_LOCAL_KEYS, IAM_SSH_API_KEYS, IAM_SSH_API_ADDR
if [ -f /etc/default/iam-ssh-auth ]; then
    . /etc/default/iam-ssh-auth
else
    echo "Could not find config file" >&2
    exit 1
fi
userid=$1
# Keys stored in local files on this host
if [ "$IAM_SSH_LOCAL_KEYS" = "YES" ]; then
    keyfile="/var/lib/keys/${userid}.pub"
    if [ -f "$keyfile" ]; then
        cat "$keyfile"
    fi
fi
# Keys from the API: host-specific keys first, then global keys
if [ "$IAM_SSH_API_KEYS" = "YES" ]; then
    if [ -n "$IAM_SSH_API_ADDR" ]; then
        curl -s -H "Content-Type: text/plain" "${IAM_SSH_API_ADDR}/iam/host/$(hostname -f)/${userid}"
        curl -s -H "Content-Type: text/plain" "${IAM_SSH_API_ADDR}/iam/host/global/${userid}"
    fi
fi
So this script can authorize from local key files, fetch keys from the API, or do both.
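
The script above prints whatever the key file or the API returns straight to sshd, and it places the user name in a file path and a URL. The following is an added example, not part of the original post, of checking both before anything is printed; the function names valid_userid, filter_keys and sample_response, the list of allowed key types and the sample response are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. valid_userid, filter_keys and
# sample_response are hypothetical names; the sample data is constructed.

# The user name ends up in a file path and a URL: allow only a safe alphabet.
valid_userid() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Read candidate lines on stdin and print only "<type> <base64> [comment]".
# Lines that begin with options (command=, from=, ...), error pages and
# blank lines are dropped, and the number dropped is reported on stderr.
filter_keys() {
    dropped=0
    while read -r ktype blob comment || [ -n "$ktype" ]; do
        case "$ktype" in
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) dropped=$((dropped + 1)); continue ;;
        esac
        case "$blob" in
            ''|*[!A-Za-z0-9+/=]*) dropped=$((dropped + 1)); continue ;;
        esac
        printf '%s %s%s\n' "$ktype" "$blob" "${comment:+ $comment}"
    done
    [ "$dropped" -eq 0 ] || echo "filter_keys: dropped $dropped line(s)" >&2
    return 0
}

# Constructed API response: one usable key and four lines that must not pass.
sample_response() {
    cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlobNotARealKey000000 alice@laptop
command="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlobNotARealKey000000 x
<html><body>404 Not Found</body></html>

ssh-rsa not*base64 broken
EOF
}

# In the script this would wrap each source, for example:
#   valid_userid "$userid" || exit 1
#   curl -s ... "${IAM_SSH_API_ADDR}/iam/host/global/${userid}" | filter_keys
```

The filter checks only the shape of each line; sshd still decodes and verifies the key itself.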