In 2012 I wrote a short piece on retrieving SSH public keys from a DNS-based FUSE pseudo file system, and I’ve been meaning to address that since about a year later, because SSH then got a configurable program to provide public keys for users. Peter reminded me to mention this, hence this post.

The program specified as AuthorizedKeysCommand in the SSH server configuration must be owned by root, and it must print zero or more lines in authorized_keys format on standard output; think “cat ~/.ssh/authorized_keys”.

So I can use the AuthorizedKeysCommand to obtain a user’s public keys from almost any source: an LDAP directory, some special database, a particular directory just like AuthorizedKeysFile, or whatever else I can script.

The server configuration (sshd_config) will contain:

AuthorizedKeysCommand /etc/skeys/keylist %u
AuthorizedKeysCommandUser uucp

We can test whether that works by using a trivial prototype shell script (which will probably remain in production until the cows come home …) as the appropriate command.

#!/bin/sh

[ $# -ne 1 ] && { echo "Usage: $0 userid" >&2; exit 1; }

case "$1" in
    jjolie)
        # this is just a joke; don't take this seriously, and if you
        # do, make sure you have some sort of cache in case your
        # internet goes kaputt
        curl -sf https://api.github.com/users/jjolie/keys |
            jq -r '.[].key'
        ;;
    *)
        # quote the path: the user name comes from sshd, not from us
        keyfile="/var/lib/keys/$1.pub"
        [ -f "$keyfile" ] && cat "$keyfile"
        ;;
esac

# a user without a key file is not an error; just produce no keys
exit 0

I install this program in its own directory, and ensure the files belong to root and are writeable by neither group nor others. I bump sshd’s logging up to DEBUG, and if I try to log in as user jjolie, I see:

sshd[21454]: debug1: temporarily_use_uid: 10/10 (e=0/0)
sshd[21454]: debug1: matching key found: file /etc/skeys/keylist %u, line 1 ECDSA SHA256:+fb1q4teO3....0Pio
sshd[21454]: debug1: restore_uid: 0/0
sshd[21454]: debug1: do_pam_account: called
sshd[21454]: Accepted publickey for jjolie from 192.168.33.1 port 60346 ssh2: ECDSA SHA256:+fb1q4teO3....0Pio
sshd[21454]: debug1: monitor_child_preauth: jjolie has been authenticated by privileged process

When user jjolie logs in, our program gets her public keys via the GitHub API; for any other user we check whether we have a .pub file for them in /var/lib/keys/.
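The prototype above does what the post needs, but the comment about the cache is worth taking seriously: if the remote source is unreachable, nobody whose keys live there can log in. The following Python program is an added example, not the script from the post, of an AuthorizedKeysCommand that does the same lookups (a local /var/lib/keys/USER.pub file, or the GitHub keys URL from the post for jjolie) with three defensive additions: the user name argument is validated before it is turned into a file name, every line is checked against the shape of an authorized_keys entry before it is printed (sshd treats every stdout line as a candidate key), and remote keys are cached under an assumed directory /var/cache/skeys with a time-to-live, so a network outage serves the last known keys instead of locking users out. The cache location, the TTL and the `keylist` name are assumptions for the example.

```python
#!/usr/bin/env python3
# Example AuthorizedKeysCommand in Python (added illustration, not the post's
# script). sshd invokes it as:  keylist <username>
# Assumed paths: /var/lib/keys (local *.pub files, as in the post) and
# /var/cache/skeys (a cache for keys fetched over HTTPS).
import json
import os
import re
import sys
import time
import urllib.request
from pathlib import Path

KEY_DIR = Path("/var/lib/keys")        # local per-user .pub files (from the post)
CACHE_DIR = Path("/var/cache/skeys")   # assumed location for cached remote keys
CACHE_TTL = 3600                       # seconds before a cached copy is refreshed
# Users whose keys come from a remote source; the GitHub URL is the one in the post.
REMOTE_USERS = {"jjolie": "https://api.github.com/users/jjolie/keys"}

# Accept only plain login names: the argument is used to build a file name,
# so path separators and shell metacharacters must never get through.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# One plain authorized_keys entry: key type, base64 blob, optional comment.
# Lines with leading options (command=, from=, ...) are deliberately rejected.
KEY_LINE_RE = re.compile(
    r"(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)"
    r"\s+[A-Za-z0-9+/]+=*(\s+\S.*)?"
)


def valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def valid_key_lines(lines):
    """Keep only lines that look like a public key; everything else is dropped,
    because every stdout line reaches sshd as a candidate key."""
    return [l.strip() for l in lines if KEY_LINE_RE.fullmatch(l.strip())]


def keys_from_dir(name, key_dir=KEY_DIR):
    path = Path(key_dir) / f"{name}.pub"
    return valid_key_lines(path.read_text().splitlines()) if path.is_file() else []


def fetch_remote(url, timeout=5):
    """Fetch a JSON list of {"key": "..."} objects, the shape the GitHub keys API returns."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return [entry["key"] for entry in json.load(resp)]


def keys_from_cache_or_remote(name, url, cache_dir=CACHE_DIR, ttl=CACHE_TTL,
                              fetch=fetch_remote, now=time.time):
    """Serve a fresh cache, else refresh it; if the refresh fails, fall back to
    whatever is cached so that an outage does not lock everyone out."""
    cache = Path(cache_dir) / f"{name}.cache"
    stamp = now()
    if cache.is_file() and stamp - cache.stat().st_mtime < ttl:
        return valid_key_lines(cache.read_text().splitlines())
    try:
        lines = valid_key_lines(fetch(url))
        cache.parent.mkdir(parents=True, exist_ok=True)
        tmp = cache.with_suffix(".tmp")
        tmp.write_text("".join(line + "\n" for line in lines))
        os.utime(tmp, (stamp, stamp))
        os.replace(tmp, cache)  # atomic, so sshd never sees a half-written cache
        return lines
    except Exception as exc:  # network down, bad JSON, ...
        # diagnostics go to stderr only: every stdout line would be read as a key
        print(f"keylist: refresh for {name} failed: {exc}", file=sys.stderr)
        if cache.is_file():
            return valid_key_lines(cache.read_text().splitlines())
        return []


def authorized_keys(name, key_dir=KEY_DIR, cache_dir=CACHE_DIR,
                    remote_users=REMOTE_USERS, fetch=fetch_remote, now=time.time):
    """Return the authorized_keys lines for `name`, or [] for unknown users."""
    if not valid_username(name):
        return []
    if name in remote_users:
        return keys_from_cache_or_remote(name, remote_users[name], cache_dir,
                                         CACHE_TTL, fetch, now)
    return keys_from_dir(name, key_dir)


def main(argv):
    if len(argv) != 2:
        print(f"Usage: {argv[0]} userid", file=sys.stderr)
        return 1
    for line in authorized_keys(argv[1]):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as /etc/skeys/keylist with the ownership and permissions described above, it drops into the same sshd_config lines; the cache directory must be writeable by the AuthorizedKeysCommandUser (uucp in the post), and the cache is written to a temporary file and renamed so that sshd can never read a partially written copy. Note that the username and key-line patterns are deliberately strict; loosen them only if your site actually has such user names or needs option-prefixed key lines.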

Using, say, an LDAP or other directory, we can ensure users’ keys are centrally managed, and in particular it becomes easier, when a user leaves, to ensure she’s no longer permitted to log in to our servers.

See also: