AuthorizedKeysCommand

AuthorizedKeysCommand is a setting in the OpenSSH sshd_config file that specifies an external command to retrieve public keys for a user during a key-based authentication attempt. When a connection is attempted, sshd runs the configured command and uses its output as the set of authorized keys for the user. The command is executed with the privileges defined by AuthorizedKeysCommandUser and is typically invoked with the remote username passed as the first argument. The command should print valid OpenSSH public keys in the authorized_keys format, one per line, to standard output. If keys are returned, they are considered for authentication; if none are returned or the command fails, sshd may rely on other configured sources or deny access if no keys are available.

Configuration and usage:

- AuthorizedKeysCommand /path/to/command

- AuthorizedKeysCommandUser nobody
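A helper of the kind AuthorizedKeysCommand could point at, as an added example (not code from OpenSSH or from this page): it takes the username as its first argument and prints only well-formed public key lines, one per line, printing nothing when in doubt. The in-memory `KEY_STORE`, the username pattern, the allowed key types and the choice to drop option-prefixed lines are assumptions made for illustration.

```python
"""Hypothetical AuthorizedKeysCommand helper: print vetted keys for one user."""
import base64
import re
import struct
import sys

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}  # assumed policy
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed naming rule

def _sample_blob(key_type):
    """Constructed placeholder blob in SSH wire format (not a real key)."""
    t = key_type.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes(32)
    return base64.b64encode(raw).decode()

# Constructed stand-in for the central store (LDAP, directory, database).
KEY_STORE = {"alice": [
    f"ssh-ed25519 {_sample_blob('ssh-ed25519')} alice@laptop",
    f"ssh-ed25519 {_sample_blob('ssh-rsa')} declared-type-mismatch",
    "ssh-ed25519 not*base64 corrupted-entry",
    "-----BEGIN OPENSSH PRIVATE KEY-----",  # must never reach stdout
]}

def is_valid_key_line(line):
    """Accept only 'type base64 [comment]' with a blob matching its type."""
    if any(ord(c) < 32 or ord(c) == 127 for c in line):
        return False  # control characters could smuggle extra lines
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False  # also drops option-prefixed lines (policy choice here)
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])  # length of embedded type string
    except (ValueError, struct.error):
        return False
    return blob[4:4 + n] == parts[0].encode()

def authorized_keys_for(username, store=KEY_STORE):
    """Keys to print for `username`; empty list on any doubt (fail closed)."""
    if not USERNAME_RE.fullmatch(username):
        return []
    return [k for k in store.get(username, []) if is_valid_key_line(k)]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(1)  # expects the username as the only argument
    for key in authorized_keys_for(sys.argv[1]):
        print(key)
```

sshd_config(5) requires the configured program to be given as an absolute path, owned by root and not writable by group or others.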

Notes:

- The external command is typically used to fetch keys from centralized stores (for example, LDAP, Active Directory, or a local key database) and can be used in combination with or instead of a local AuthorizedKeysFile.

- The command is executed for each authentication attempt, and its runtime characteristics should be stable and reasonably fast to avoid introducing latency.

- Security considerations include ensuring the command returns only valid keys, does not leak sensitive data, and runs with a minimal, appropriate privilege level.

See also:

- AuthorizedKeysFile

- AuthorizedKeysCommandUser

- SSH authentication methods and related directives.