Unleash your inner root


SSH Key with SSSD/LDAP

DISTRO: RHEL/CentOS
VERSION: 6.7 
Portability: Should work on any distribution using sssd rather than traditional ldap-client packages.

So if you have recently joined the Cool Kids Club of the server admin world, you may now have an awesome LDAP server of your own to handle all your authentication needs. Now, you may be sitting there thinking, “As awesome as LDAP is, I wish it was just a little more awesome.” To which I’d say, “How much more awesome do you want it?” and you’d reply, “Awesome enough to handle SSH pub/private key authentication,” to which I’d say, “HOLD ONTO YOUR SOCKS, TIMMY!” (also in this scenario your name is Timmy) “BECAUSE IT DOES!”

Now on the server side, you’ll need to add an additional schema. This is usually pretty simple, but depending on how your initial configuration went, you’ll have to look up the method for your setup on your own. In my case I use FusionDirectory, where it is as simple as:

# ON the LDAP server
yum install fusiondirectory-plugin-ssh fusiondirectory-plugin-ssh-schema
fusiondirectory-insert-schema -i /etc/openldap/schema/fusiondirectory/openssh-lpk.schema

Now on the client, you’ll need to make a couple of quick adjustments to your configurations. These are simple and take no effort at all. Note that the client adjustments are the same regardless of what type of LDAP server you are using; the only thing that matters is that you are using sssd as your client connection to that server.

First up, edit /etc/ssh/sshd_config with your favorite editor (mine is vim) and set:

PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody

Then edit /etc/sssd/sssd.conf and add “ssh” to your services line, like so:

[sssd]
services = nss, sudo, ssh, pam, autofs
config_file_version = 2
enumerate = true

Now simply restart your services:

service sssd restart
service sshd restart

and you should be in good shape!
As an additional note, you can look up the public keys tied to an account by issuing:

/usr/bin/sss_ssh_authorizedkeys <username>
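Before restarting sshd it is worth confirming that both client-side edits above actually landed, since a typo in either file quietly leaves the LDAP keys unused. The script below is an added example, not part of the original post; it checks sssd.conf and sshd_config (or copies passed as arguments) and runs itself against constructed copies of the settings shown above.

```bash
# Added example (not from the original post): sanity-check the two client-side
# edits above before restarting sshd, so a typo in sssd.conf or sshd_config does
# not silently leave the LDAP keys unused. Each check takes an optional path.

# Return 0 if the "services" line inside the [sssd] section lists "ssh".
# A "services" key in any other section is ignored.
sssd_has_ssh_service() {
    local conf="${1:-/etc/sssd/sssd.conf}"
    awk -F= '
        /^\[/ { insect = ($0 ~ /^\[sssd\][[:space:]]*$/); next }
        insect && $1 ~ /^[[:space:]]*services[[:space:]]*$/ {
            n = split($2, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", svc[i])
                if (svc[i] == "ssh") found = 1
            }
        }
        END { exit !found }
    ' "$conf"
}

# Return 0 if sshd_config keeps pubkey auth on, points AuthorizedKeysCommand at
# sss_ssh_authorizedkeys and names a user to run it as. First occurrence of a
# keyword wins, as in sshd; Match blocks are not handled. RHEL 6 spells the user
# directive AuthorizedKeysCommandRunAs, upstream OpenSSH 6.2+ AuthorizedKeysCommandUser.
sshd_uses_sss_keys() {
    local conf="${1:-/etc/ssh/sshd_config}"
    awk '
        BEGIN { pub = "yes" }                 # sshd default when the keyword is absent
        /^[[:space:]]*(#|$)/ { next }         # skip comments and blank lines
        { key = tolower($1) }
        (key in seen) { next }
        key == "pubkeyauthentication"  { seen[key] = 1; pub = tolower($2) }
        key == "authorizedkeyscommand" { seen[key] = 1; cmd = $2 }
        key ~ /^authorizedkeyscommand(runas|user)$/ { seen[key] = 1; runas = $2 }
        END {
            n = split(cmd, p, "/")            # compare the command basename only
            exit !(pub == "yes" && p[n] == "sss_ssh_authorizedkeys" && runas != "")
        }
    ' "$conf"
}

# Constructed copies of the post's settings, to show both checks passing.
d=$(mktemp -d)
printf '[sssd]\nservices = nss, sudo, ssh, pam, autofs\nconfig_file_version = 2\n' > "$d/sssd.conf"
printf 'PubkeyAuthentication yes\nAuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\nAuthorizedKeysCommandRunAs nobody\n' > "$d/sshd_config"
sssd_has_ssh_service "$d/sssd.conf" && sshd_uses_sss_keys "$d/sshd_config" && echo "client config OK"
rm -rf "$d"
```

Run the two functions with no arguments on the host itself (as root, since sssd.conf is mode 0600) to check the live files.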
Tags: LDAP, SSH keys, sssd

Brandon.Graves • January 14, 2016

Comments

  1. Eric Lin, September 11, 2018 - 6:44 am

    Hey!
    Your article is so helpful!
    But I have a problem now, which is that I am running OpenLDAP + FusionDirectory on Debian, which doesn’t have sssd. Now I’ve installed “fusiondirectory-plugin-ssh fusiondirectory-plugin-ssh-schema” and I am quite confused about what the next step is. Could you show me some hints?

    Cheers

    • Brandon.Graves, September 22, 2018 - 10:33 am

      Hi Eric,
      Sorry for the long delay. I don’t get many legitimate comments, so I’m out of the habit of checking them. Have you found a solution to your problem? If not, what are you using in lieu of sssd? I’m not too familiar with Debian systems, so I’m not sure what its primary authentication handler is these days.
