Skip to content
A tool for getting SSH keys out of LDAP
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


authkeys is a tool written in Go that you can use with OpenSSH as an AuthorizedKeysCommand. It'll reach out to LDAP and get keys and display them on stdout.

To learn more about our use of authkeys see our blog post.


You'll need an LDAP server that has a schema installed for storing SSH keys as part of an entry. Also, your LDAP server will need to use STARTTLS over port 389, as opposed to LDAPS.


To build a binary, you can use go get: go get -d

You'll need to put that binary somewhere (we use /usr/sbin because we make a package for it using fpm) and make sure the binary is chmod'ed to 0555.

Then, add to your sshd_config:

AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/sbin/authkeys

Now when you log in, OpenSSH will run (in this example) /usr/sbin/authkeys with the username as the first argument. Authkeys will return the keys from LDAP, and the user should be logged in if there is a match. Of note: OpenSSH will prefer a local ~/.ssh/authorized_keys file over keys returned from AuthorizedKeysCommand, so make sure you test with a user that doesn't have that file.

At Threat Stack, we use Chef to deploy our authkeys package as part of our LDAP client setup -- just using a template and package resource. We leverage the OpenSSH cookbook using a node.override for the authorized_keys_command and authorized_keys_command_user variables.


Authkeys is configured using a JSON file. By default, it'll look in /etc/authkeys.json but you can override this with the AUTHKEYS_CONFIG environment variable for testing.

  "BaseDN": "",
  "DialTimeout": 5,
  "KeyAttribute": "",
  "LDAPServer": "",
  "LDAPPort": 389,
  "RootCAFile": "",
  "UserAttribute": "",
Variable Type Purpose Possible Value
BaseDN String Base DN for your LDAP server dc=spiffy,dc=io
DialTimeout Int A connection timeout if LDAP isnt reachable [Note 1] 5
KeyAttribute String LDAP Attribute for the SSH key sshPublicKey
LDAPServer String Hostname of your LDAP server
LDAPPort Int Port to talk to LDAP on 389
RootCAFile String A path to a file full of trusted root CAs [Note 2] /etc/ssl/certs/ca-certificates.crt
UserAttribute String LDAP Attribute for a User uid


  1. Defaults to 5 seconds
  2. If blank, Go will attempt to use system trust roots.


authkeys [username] will look up the user in LDAP and get their keys. Simple as that.


If you're wondering why this started at version 2.0.0, it's because we've been using this tool internally for a while, and we cleaned it up for external consumption :)

Version 2.1.0 added a quicker TCP timeout. You can set this using the DialTimeout attribute.

Version 2.1.1 adds in error handling for when LDAP returns either no entries or too many (>1) entries.

Version 2.1.2 removes some superfluous os.Exit(1) calls, since log.Fatalf does that for you.


  1. Fork
  2. Create a feature branch
  3. Commit your changes
  4. Rebase your local changes against the master branch
  5. Create a new Pull Request


Patrick Cable (@patcable)

You can’t perform that action at this time.