Skip to main content

Utility to manage SSH public keys stored in LDAP.

Project description

version downloads

This project provides an utility to manage SSH public keys stored in LDAP and also a script for OpenSSH server to load authorized keys from LDAP.


When you have dozen of servers it becomes difficult to manage your authorized keys. You have to copy all your public keys to ~/.ssh/authorized_keys on every server you want to login to. And what if you someday change your keys?

It’s a good practice to use some kind of a centralized user management, usually an LDAP server. There you have user’s login, uid, e-mail, … and password. What if we could also store public SSH keys on LDAP server? With this utility it’s easy as pie.


This utility depends on python-ldap which (unfortunately) requires Python 2.×.

It is available in most distributions as python-ldap package; it should be installed before ssh-ldap-pubkey unless you want to compile it yourself.

Alternatively you can install python-ldap from PyPI, which requires additional system dependencies (OpenLDAP). Refer to Stack Overflow for distribution-specific information.


Install from PyPI:

pip install ssh-ldap-pubkey

…or if you’re using Gentoo (good choice!), then you can use sys-auth/ssh-ldap-pubkey ebuild from the CVUT Overlay.


List SSH public keys stored in LDAP for the current user:

ssh-ldap-pubkey list

List SSH public keys stored in LDAP for the specified user:

ssh-ldap-pubkey list -u flynn

Add the specified SSH public key for the current user to LDAP:

ssh-ldap-pubkey add ~/.ssh/

Remove SSH public key(s) of the current user that matches the specified pattern:

ssh-ldap-pubkey del flynn@grid

Specify LDAP URI and base DN on command line instead of configuration file:

ssh-ldap-pubkey list -b ou=People,dc=encom,dc=com -h ldaps:// -u flynn

Show help for other options:

ssh-ldap-pubkey --help


Configuration is read from /etc/ldap.conf — file used by LDAP nameservice switch library and the LDAP PAM module. An example file is included in etc/ldap.conf. The following subset of parameters are used:

  • uri … URI of the LDAP server to connect to. The URI scheme may be ldap, or ldaps. Default is ldap://localhost.

  • nss_base_passwd … distinguished name (DN) of the search base.

  • base … distinguished name (DN) of the search base. Used when nss_base_passwd is not set.

  • scope … search scope; sub, one, or base (default is sub).

  • pam_filter … filter to use when searching for the user’s entry, additional to the login attribute value assertion (pam_login_attribute=<login>). Default is objectclass=posixAccount.

  • pam_login_attribute … the user ID attribute (default is uid).

  • ldap_version … LDAP version to use (default is 3).

  • binddn … distinguished name (DN) to bind when reading the user’s entry (default is to bind

  • anonymously).
  • bindpw … credentials to bind with when reading the user’s entry (default is none).

  • timelimit … search time limit in seconds (default is 10).

  • bind_timelimit … bind/connect time limit in seconds (default is 10).

  • tls_cacertdir … path of the directory with CA certificates for LDAP server certificate verification.

The only required parameter is nss_base_passwd or base, others have sensitive defaults. You might want to define uri parameter as well. These parameters can be also defined/overriden with --bind and --uri options on command line.

For more information about these parameters refer to ldap.conf man page.

Setup OpenSSH server

To configure OpenSSH server to fetch users’ authorized keys from LDAP server:

  1. Make sure that you have installed ssh-ldap-pubkey and ssh-ldap-pubkey-wrapper in /usr/bin with owner root and mode 0755.

  2. Add these two lines to /etc/ssh/sshd_config:

    AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper
    AuthorizedKeysCommandUser nobody
  3. Restart sshd and check log file if there’s no problem.

Note: This method is supported by OpenSSH since version 6.2-p1 (or 5.3 onRedHat). If you have an older version and can’t upgrade, for whatever weird reason, use openssh-lpk patch instead.

Setup LDAP server

Just add the openssh-lpk.schema to your LDAP server, or add an attribute named sshPublicKey to any existing schema which is already defined in people entries. That’s all.

Note: Presumably, you’ve already setup your LDAP server for centralized unix users management, i.e. you have the NIS schema and users in LDAP.


This project is licensed under MIT license.

Project details

Release history Release notifications

History Node


History Node


History Node


History Node


History Node


History Node


History Node


History Node


History Node


History Node


History Node


This version
History Node


History Node


History Node


History Node


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
ssh-ldap-pubkey-0.2.3.tar.gz (9.6 kB) Copy SHA256 hash SHA256 Source None Sep 2, 2014

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging CloudAMQP CloudAMQP RabbitMQ AWS AWS Cloud computing Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page