Stephan Fabel wrote:
On 04/16/2014 11:20 AM, Michael Ströder wrote:
It's quite usual nowadays to use this when dealing with SSH keys in LDAP entries:
Found this in sshd_config(5):
------snip-------
AuthorizedKeysCommand
    Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others. It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in sshd(8), http://www.openssh.com/cgi-bin/man.cgi?query=sshd&sektion=8&arch=&apropos=0&manpath=OpenBSD+Current). If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual AuthorizedKeysFile files. By default, no AuthorizedKeysCommand is run.
------snip-------
Yes, that would be usable for retrieving authorized keys remotely, though I personally prefer to sync SSH authorized keys to a central directory and set AuthorizedKeysFile accordingly.
But I understood the original poster to mean that he wants to generate a known_hosts file by retrieving all the *host* keys from LDAP.
Ciao, Michael.
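The two lookups discussed in this exchange, the per-user AuthorizedKeysCommand contract from the man page excerpt and the known_hosts generation from host keys, as one added example. This is not code from the thread, from OpenSSH or from OpenLDAP: the LDAP search results are replaced by constructed in-memory entries, the attribute name sshPublicKey is borrowed from the openssh-lpk schema as an assumption about the deployment, and sshHostKey is a hypothetical attribute name. The point it demonstrates is that the command must emit only canonical, well-formed key lines, so that a bad or tampered directory value cannot smuggle an options prefix or an extra line into what sshd reads.

```python
"""Added example (not code from this thread, OpenSSH or OpenLDAP): an
AuthorizedKeysCommand-style lookup plus a known_hosts generator, both fed
by a constructed in-memory stand-in for LDAP search results."""
import base64
import binascii
import re
import sys

# Key types this example is willing to hand to sshd.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# One bare key line: "<type> <base64> [comment]".  Used with fullmatch, so a
# leading options field, a second line smuggled in via "\n", or trailing junk
# makes the whole directory value fail.
KEY_LINE_RE = re.compile(r"(\S+) ([A-Za-z0-9+/]+={0,2})(?: ([^\r\n]*))?")


def ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length prefix followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def make_key(keytype, pubbytes):
    """Build "<type> <base64 blob>" for a single-field key (enough for ed25519)."""
    blob = ssh_string(keytype.encode()) + ssh_string(pubbytes)
    return keytype + " " + base64.b64encode(blob).decode()


def parse_key(value):
    """Return (keytype, base64) if value is a well-formed bare public key, else None.
    The blob's own leading type string must agree with the text type field."""
    m = KEY_LINE_RE.fullmatch(value)
    if m is None or m.group(1) not in KEY_TYPES:
        return None
    keytype, b64 = m.group(1), m.group(2)
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    n = int.from_bytes(blob[:4], "big") if len(blob) >= 4 else -1
    if n < 0 or blob[4:4 + n] != keytype.encode():
        return None
    return keytype, b64


# Constructed sample keys (deterministic bytes, not real key pairs).
ALICE_KEY = make_key("ssh-ed25519", bytes(range(32)))
BOB_KEY = make_key("ssh-ed25519", bytes(range(32, 64)))
DB1_KEY = make_key("ssh-ed25519", bytes(range(64, 96)))

# Constructed stand-in for what an LDAP search for (uid=<user>) returns.
# "sshPublicKey" is the openssh-lpk attribute name, assumed here.
USER_ENTRIES = {
    "alice": {"sshPublicKey": [
        ALICE_KEY + " alice@laptop",
        'command="/bin/sh" ' + BOB_KEY,      # options smuggled into the value
        ALICE_KEY + "\n" + BOB_KEY,          # second key smuggled via a newline
        "ssh-rsa " + ALICE_KEY.split()[1],   # type field contradicts the blob
    ]},
    "bob": {"sshPublicKey": [BOB_KEY]},
}

# Constructed host entries; "sshHostKey" is a hypothetical attribute name.
HOST_ENTRIES = [
    {"cn": "db1.example.com", "ipHostNumber": ["192.0.2.10"], "sshHostKey": [DB1_KEY]},
    {"cn": "web1.example.com", "ipHostNumber": [], "sshHostKey": ["ssh-rsa not/base64!"]},
]


def authorized_keys_for(username):
    """Lines the AuthorizedKeysCommand prints for one user: canonical "<type> <b64>"
    per valid value, comments and option prefixes dropped.  A real lookup must
    escape username before interpolating it into an LDAP filter."""
    entry = USER_ENTRIES.get(username)
    if entry is None:
        return []
    lines = []
    for v in entry.get("sshPublicKey", []):
        k = parse_key(v)
        if k is not None:
            lines.append("%s %s" % k)
    return lines


def known_hosts_lines(entries):
    """known_hosts lines "name,addr... <type> <b64>" built from host entries."""
    lines = []
    for e in entries:
        names = ",".join([e["cn"]] + e.get("ipHostNumber", []))
        for v in e.get("sshHostKey", []):
            k = parse_key(v)
            if k is not None:
                lines.append("%s %s %s" % ((names,) + k))
    return lines


def main(argv):
    # sshd invokes the command with exactly one argument, the username.
    if len(argv) != 2:
        sys.stderr.write("usage: %s USERNAME\n" % argv[0])
        return 2
    for line in authorized_keys_for(argv[1]):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed under a hypothetical path such as /usr/local/sbin/ldap-authorized-keys (root-owned, not group or world writable, as the excerpt requires), it is wired in with `AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys` and, on OpenSSH releases that have it, `AuthorizedKeysCommandUser` pointing at an unprivileged account. The known_hosts side is a batch job rather than a per-login hook: write its output to the file ssh's GlobalKnownHostsFile points at (by default /etc/ssh/ssh_known_hosts). With a real directory, replace the dictionary lookups by an LDAP search and escape the username (python-ldap's ldap.filter.escape_filter_chars) before putting it into the filter.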