'\" t .\" Title: sss_ssh_authorizedkeys .\" Author: The SSSD upstream - https://github.com/SSSD/sssd/ .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 04/09/2024 .\" Manual: SSSD Manual pages .\" Source: SSSD .\" Language: English .\" .TH "SSS_SSH_AUTHORIZEDKE" "1" "04/09/2024" "SSSD" "SSSD Manual pages" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" sss_ssh_authorizedkeys \- get OpenSSH authorized keys .SH "SYNOPSIS" .HP \w'\fBsss_ssh_authorizedkeys\fR\ 'u \fBsss_ssh_authorizedkeys\fR [\fIoptions\fR] \fIUSER\fR .SH "DESCRIPTION" .PP \fBsss_ssh_authorizedkeys\fR acquires SSH public keys for user \fIUSER\fR and outputs them in OpenSSH authorized_keys format (see the \(lqAUTHORIZED_KEYS FILE FORMAT\(rq section of \fBsshd\fR(8) for more information)\&. .PP \fBsshd\fR(8) can be configured to use \fBsss_ssh_authorizedkeys\fR for public key user authentication if it is compiled with support for \(lqAuthorizedKeysCommand\(rq option\&. Please refer to the \fBsshd_config\fR(5) man page for more details about this option\&. .PP If \(lqAuthorizedKeysCommand\(rq is supported, \fBsshd\fR(8) can be configured to use it by putting the following directives in \fBsshd_config\fR(5): .sp .if n \{\ .RS 4 .\} .nf AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody .fi .if n \{\ .RE .\} .sp .SS "KEYS FROM CERTIFICATES" .PP In addition to the public SSH keys for user \fIUSER\fR \fBsss_ssh_authorizedkeys\fR can return public SSH keys derived from the public key of a X\&.509 certificate as well\&. .PP To enable this the \(lqssh_use_certificate_keys\(rq option must be set to true (default) in the [ssh] section of sssd\&.conf\&. If the user entry contains certificates (see \(lqldap_user_certificate\(rq in \fBsssd-ldap\fR(5) for details) or there is a certificate in an override entry for the user (see \fBsss_override\fR(8) or \fBsssd-ipa\fR(5) for details) and the certificate is valid SSSD will extract the public key from the certificate and convert it into the format expected by sshd\&. .PP Besides \(lqssh_use_certificate_keys\(rq the options .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} ca_db .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} p11_child_timeout .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} certificate_verification .RE .sp can be used to control how the certificates are validated (see \fBsssd.conf\fR(5) for details)\&. .PP The validation is the benefit of using X\&.509 certificates instead of SSH keys directly because e\&.g\&. it gives a better control of the lifetime of the keys\&. When the ssh client is configured to use the private keys from a Smartcard with the help of a PKCS#11 shared library (see \fBssh\fR(1) for details) it might be irritating that authentication is still working even if the related X\&.509 certificate on the Smartcard is already expired because neither \fBssh\fR nor \fBsshd\fR will look at the certificate at all\&. .PP It has to be noted that the derived public SSH key can still be added to the authorized_keys file of the user to bypass the certificate validation if the \fBsshd\fR configuration permits this\&. .SH "OPTIONS" .PP \fB\-d\fR,\fB\-\-domain\fR \fIDOMAIN\fR .RS 4 Search for user public keys in SSSD domain \fIDOMAIN\fR\&. .RE .PP \fB\-?\fR,\fB\-\-help\fR .RS 4 Display help message and exit\&. .RE .SH "EXIT STATUS" .PP In case of success, an exit value of 0 is returned\&. Otherwise, 1 is returned\&. .SH "SEE ALSO" .PP \fBsssd\fR(8), \fBsssd.conf\fR(5), \fBsssd-ldap\fR(5), \fBsssd-ldap-attributes\fR(5), \fBsssd-krb5\fR(5), \fBsssd-simple\fR(5), \fBsssd-ipa\fR(5), \fBsssd-ad\fR(5), \fBsssd-files\fR(5), \fBsssd-sudo\fR(5), \fBsssd-session-recording\fR(5), \fBsss_cache\fR(8), \fBsss_debuglevel\fR(8), \fBsss_obfuscate\fR(8), \fBsss_seed\fR(8), \fBsssd_krb5_locator_plugin\fR(8), \fBsss_ssh_authorizedkeys\fR(8), \fBsss_ssh_knownhostsproxy\fR(8), \fBsssd-ifp\fR(5), \fBpam_sss\fR(8)\&. \fBsss_rpcidmapd\fR(5) .SH "AUTHORS" .PP \fBThe SSSD upstream \- https://github\&.com/SSSD/sssd/\fR