On 04/16/2014 11:20 AM, Michael Ströder wrote:
It's quite usual nowadays to use this when dealing with SSH keys in LDAP entries:
Found this in sshd_config(5):
------snip-------
AuthorizedKeysCommand
    Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others. It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in sshd(8), http://www.openssh.com/cgi-bin/man.cgi?query=sshd&sektion=8&arch=&apropos=0&manpath=OpenBSD+Current). If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual AuthorizedKeysFile files. By default, no AuthorizedKeysCommand is run.
------snip-------
The schema file:
http://code.google.com/p/openssh-lpk/source/browse/trunk/schemas/openssh-lpk...
You would still need a schema like that, though, but at least no patching OpenSSH anymore.
-Stephan
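As an added example, not code from this thread (neither Michael's nor Stephan's) and not from the openssh-lpk project: a small AuthorizedKeysCommand in POSIX sh that does what the quoted man page text describes, querying LDAP for the openssh-lpk attribute and printing authorized_keys lines. The LDAP URI, the base DN, the anonymous simple bind and the install path are assumptions for the example; the names objectClass ldapPublicKey and attribute sshPublicKey are the openssh-lpk schema's. The LDIF handling covers two things a quick one-liner usually gets wrong, folded continuation lines and base64-encoded ("::") values, and it refuses to pass key options such as command="..." from the directory to sshd.

```shell
#!/bin/sh
# Added example for this thread, not code from the mail or from openssh-lpk:
# an AuthorizedKeysCommand that fetches sshPublicKey values from LDAP
# (openssh-lpk schema: objectClass ldapPublicKey, attribute sshPublicKey)
# and prints them as authorized_keys lines for sshd.
# sshd requirements from sshd_config(5): owned by root, not group/other
# writable, called with one argument (the login name), keys on stdout.
# Assumed for the example: OpenLDAP's ldapsearch, anonymous read access to
# sshPublicKey, and the URI/base below.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"        # assumed
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"  # assumed

# sshd passes the login name it was asked to authenticate. Accept only
# conventional POSIX names so nothing filter- or shell-significant gets
# anywhere near the directory query.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# RFC 4515 escaping for a value inside an LDAP search filter; belt and
# braces on top of valid_username. Backslash must be handled first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Turn LDIF on stdin into authorized_keys lines:
#  - unfold continuation lines (LDIF folds long values; a continuation
#    line starts with one space),
#  - keep only sshPublicKey, base64-decoding the "attr:: value" form,
#  - emit only lines that start with a key type sshd knows. That drops
#    junk and rejects (rather than honours) lines carrying key options
#    such as command="...", which anyone who can write the attribute
#    could otherwise inject.
ldif_to_authorized_keys() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END  { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*)
                printf '%s\n' "${line#sshPublicKey:: }" | base64 -d
                printf '\n' ;;
            "sshPublicKey: "*)
                printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done | grep -E '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) ' || :
}

# Query the directory for one user. Empty output (unknown user, unreachable
# directory) makes sshd fall through to AuthorizedKeysFile, exactly as the
# quoted man page text says; there is no caching here.
lookup_keys() {
    valid_username "$1" || return 0
    filter="(&(objectClass=ldapPublicKey)(uid=$(ldap_filter_escape "$1")))"
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$LDAP_BASE" \
        "$filter" sshPublicKey | ldif_to_authorized_keys
}

# Constructed LDIF, shaped like ldapsearch -LLL output, for trying the
# parser offline: a folded value, a base64 ("::") value, a key with
# options (rejected) and an unrelated attribute (ignored).
sample_ldif() {
    key2='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake alice@old'
    printf '%s\n' \
        'dn: uid=alice,ou=People,dc=example,dc=com' \
        'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5' \
        ' AAAAIFakeKeyMaterialForTheExample alice@laptop' \
        "sshPublicKey:: $(printf '%s' "$key2" | base64 | tr -d '\n')" \
        'sshPublicKey: command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOptionsGetRejected alice@x' \
        'description: not a key' \
        ''
}

# sshd entry point: exactly one argument, the username being authenticated.
if [ $# -eq 1 ]; then
    lookup_keys "$1"
fi
```

Install it as, say, /usr/local/sbin/ssh-ldap-keys (assumed name) owned by root with mode 0755, point `AuthorizedKeysCommand` at it, and try `ssh-ldap-keys alice` by hand before touching sshd_config. Releases of sshd newer than the one quoted above also want `AuthorizedKeysCommandUser` set to a dedicated unprivileged account, so that the lookup does not run as root. If your directory does not allow anonymous reads of sshPublicKey, replace `-x` with a bind (`-D`/`-y`) or SASL; and note that with no cache an LDAP outage leaves only the keys in AuthorizedKeysFile usable.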