
Using LDAP as an SSH Public Key Store

Learn how to utilize LDAP as an SSH public key store by creating a custom schema for streamlined user authentication and access management.

Written by Maryanne Normann

Updated at December 11th, 2025


Table of Contents

  • Create a Custom Schema
  • Update Slapd.conf
  • Update Database
  • Create LDAP Query Script
  • Update sshd_config

This article explains how to use OpenLDAP on a machine running the ssh daemon (sshd) so that sshd can look up users' public keys from the directory while they log in.

Create a Custom Schema

In the schema directory (/opt/symas/etc/openldap/schema) create a file called openssh-lpk.schema.

vi custom-schema/openssh-lpk.schema

Insert the following:

# openssh-lpk schema: the sshPublicKey attribute and the auxiliary
# ldapPublicKey object class that allows it on a user entry.
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13
    NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0
    NAME 'ldapPublicKey'
    SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MAY ( sshPublicKey $ uid ) )

Update Slapd.conf

Add the custom schema to slapd.conf:

vi slapd.conf
# Schema files. Note that not all of these schemas co-exist peacefully.
# Use only those you need and leave the rest commented out.
include /opt/symas/etc/openldap/schema/core.schema
include /opt/symas/etc/openldap/schema/cosine.schema
include /opt/symas/etc/openldap/schema/inetorgperson.schema
include /opt/symas/etc/openldap/schema/openssh-lpk.schema

Restart slapd:

service slapd restart

Update Database

Add the ldapPublicKey objectClass to each existing user entry and then add the sshPublicKey attribute, with the user's public key as its value. This can be done from the command line or with an LDIF file; because the user entries already exist, the change is a modify operation rather than an add:

ldapmodify -x -H ldap://<producer's FQDN> -D <rootDN> -w <rootPW>
dn: cn=example user,ou=users,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: <public key>

Create LDAP Query Script

Create a script containing an ldapsearch that outputs the public keys for a given user. You may need to tweak the ldapsearch command (URI, base DN, bind options) to get the desired result.

vi /opt/symas/ssh/openssh-lpk
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'

# $1 is the username that sshd passes to the AuthorizedKeysCommand.
result=$(ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey')
# Unfold LDIF continuation lines (leading space) and keep the sshPublicKey line.
attrLine=$(sed -n '/^ /{H;d};/^sshPublicKey:/x;$g;s/\n *//g;/sshPublicKey:/p' <<< "$result")

if [[ "$attrLine" == sshPublicKey::* ]]; then
    # "::" means LDIF has base64-encoded the value
    echo "$attrLine" | sed 's/sshPublicKey:: //' | base64 -d
elif [[ "$attrLine" == sshPublicKey:* ]]; then
    echo "$attrLine" | sed 's/sshPublicKey: //'
else
    exit 1
fi
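As an added example (not Symas's script), here is a Python equivalent of the lookup command above. It does the same two jobs as the sed one-liner, unfolding LDIF continuation lines and decoding `::` base64 values, and additionally escapes the username per RFC 4515 before placing it in the filter and hands sshd only values that look like OpenSSH public key lines. It assumes ldapsearch reads URI and BASE from ldap.conf and that sshd passes the username as the only argument.

```python
#!/usr/bin/env python3
# Added example, not Symas's script. Assumes: ldapsearch is on PATH and reads
# URI/BASE from ldap.conf; the schema above is loaded; sshd passes the target
# username as argv[1] (the AuthorizedKeysCommand default when no %u is given).
import base64, re, subprocess, sys

# RFC 4515 escaping: a username must not be able to change the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# Only values that look like OpenSSH public key lines are handed to sshd.
_KEY_LINE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/]+=*(?: .*)?$")

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(username: str) -> str:
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(username)}))"

def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def extract_keys(ldif_text: str) -> list:
    """Return sshPublicKey values; 'sshPublicKey::' marks a base64-encoded value."""
    keys = []
    for line in unfold_ldif(ldif_text):
        if line.startswith("sshPublicKey:: "):
            value = base64.b64decode(line[15:]).decode("utf-8", "replace")
        elif line.startswith("sshPublicKey: "):
            value = line[14:]
        else:
            continue
        if _KEY_LINE.match(value.strip()):
            keys.append(value.strip())
    return keys

def main() -> int:
    proc = subprocess.run(["ldapsearch", "-x", "-LLL", build_filter(sys.argv[1]),
                           "sshPublicKey"], capture_output=True, text=True, check=False)
    keys = extract_keys(proc.stdout)
    print("\n".join(keys))
    return 0 if keys else 1  # non-zero exit tells sshd no keys were found

if __name__ == "__main__":
    sys.exit(main())
```

Whichever script you install, sshd only runs it if the file is owned by root and not writable by group or others, and the AuthorizedKeysCommandUser must be able to read the ldap.conf it relies on.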

Update sshd_config

Add the following to /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config
AuthorizedKeysCommand /opt/symas/ssh/openssh-lpk
AuthorizedKeysCommandUser nobody

Restart the ssh service:

service ssh restart

Test connectivity.

Copyright © 2020-2024 Symas Corporation. All rights reserved.