If your SSH server does not support the AuthorizedKeysCommand directive (OpenSSH older than 6.8; check with ssh -V) you can alternatively set up a periodic synchronization of keys from the JADAPTIVE Key Server.
Each account's public keys are accessible using a public URL on the Key Server. They can be fetched by the scripts installed as part of our Installing Synchronization Scripts article. These scripts can be configured to run periodically and update the authorized_keys file of the local account you want to integrate with the Key Server. Because whatever the script writes to that file decides who can log in, the Key Server should be reached over TLS with a verified certificate; an attacker who can alter the response can add a key of their own.
To understand how to configure an account and how to provide access to Key Server users, consult the article Configuring Accounts for Access. The rest of this article assumes you have set up an account and assigned some users access to it.
The Synchronization Script
After you have installed the Key Server scripts package you will have access to the keyserver-sync script. You can run it manually for any user to see their authorized keys.
Execute the script passing the user's home directory followed by the username:
keyserver-sync /root root
If you have configured the user's account correctly and assigned some Key Server users, running the script prints the account's authorized keys to standard output. All that remains is to run it periodically and write its output to the user's authorized_keys file.
Note that running the script on its own does not change the user's authorized_keys file; you redirect the command's output into that file when you want to perform the update. This lets you confirm that the account is set up correctly before automating the update. When you do automate it, guard against a failed or empty fetch: a plain shell redirection truncates authorized_keys before the script runs, so a Key Server outage at sync time would remove every key and lock the user out until the next successful run.
Automating the Script
You can run the script periodically with crontab. How often is up to you; keys are normally rotated every couple of months, so a daily or twice-daily update is enough for rotation. Bear in mind that the interval is also the longest time a key removed on the Key Server stays valid on this host, so choose it according to how quickly revocation must take effect.
Edit the user's crontab. If the user is not root you can edit their crontab from the root account using:
crontab -e -u bob
Or, if you are root and are setting up access for root:
crontab -e
Add a line to the crontab. For example, the following synchronizes keys every 4 hours for root:
0 */4 * * * keyserver-sync /root root > ~/.ssh/authorized_keys
Change the home directory and username to suit the account you are configuring. Note that ~ in the crontab expands to the home directory of the user whose crontab it is, so the explicit path is safer when one crontab serves several accounts. If you are setting up many accounts, stagger the minute at which each one synchronizes so that the Key Server does not receive a burst of requests at the same moment: change the first field from 0 to 15, for example, to synchronize at 15 minutes past every 4th hour. For a longer period, change */4 to */12 to synchronize every 12 hours.
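To remove the lock-out risk of a plain "> ~/.ssh/authorized_keys" redirection, the following wrapper is added here as an example; it is not part of the JADAPTIVE scripts. It fetches into a temporary file, checks that keyserver-sync exited successfully and returned at least one line carrying an OpenSSH public key, sets the ownership and mode sshd requires, and only then renames the file over authorized_keys, so an outage or an error page from the Key Server leaves the existing keys in place. The optional third argument (a stand-in for keyserver-sync) and the file path /usr/local/sbin/sync-authorized-keys mentioned below are assumptions for illustration; the real call remains keyserver-sync <home> <user> as described above.

```shell
#!/bin/sh
# Added example (not part of the JADAPTIVE scripts): a wrapper around
# keyserver-sync that only replaces authorized_keys when the fetch
# succeeded and returned at least one key, and installs the new file
# atomically with the permissions sshd expects.
#
# Usage: sync_authorized_keys <home-dir> <username> [<sync-command>]
# The third argument defaults to keyserver-sync; it exists so the
# function can be exercised with a stand-in command (an assumption).
set -u

# Returns 0 on success, 1 on a local error, 2 if the sync command
# failed, 3 if it returned no usable key lines. On anything but 0 the
# existing authorized_keys file is left untouched.
sync_authorized_keys() {
    home="$1"
    user="$2"
    cmd="${3:-keyserver-sync}"
    sshdir="$home/.ssh"
    target="$sshdir/authorized_keys"

    # Create ~/.ssh with the mode sshd's StrictModes check requires.
    [ -d "$sshdir" ] || mkdir -m 700 "$sshdir" || return 1

    # Fetch into a temporary file in the same directory so the final
    # rename is atomic and authorized_keys is never half-written.
    tmp=$(mktemp "$sshdir/.authorized_keys.XXXXXX") || return 1

    if ! "$cmd" "$home" "$user" >"$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi

    # Refuse to install an empty or garbage result: require at least one
    # line carrying an OpenSSH public key. Options such as from="..." may
    # precede the key type, hence the leading alternative.
    if ! grep -Eq '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+=*' "$tmp"; then
        rm -f "$tmp"
        return 3
    fi

    # sshd opens authorized_keys with the user's privileges, so the file
    # must belong to that user and must not be writable by anyone else.
    if ! chown "$user" "$tmp" || ! chmod 600 "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$target"
}

# Invoke directly, e.g. from cron, with:
#   sync_authorized_keys /home/bob bob
```

Install the script (for instance as /usr/local/sbin/sync-authorized-keys, with a final line that calls sync_authorized_keys "$1" "$2") and point the crontab at it instead of the bare redirection, for example 0 */4 * * * /usr/local/sbin/sync-authorized-keys /home/bob bob. Because the temporary file lives in the same directory as authorized_keys, mv is a rename rather than a copy, so sshd never observes a partially written file.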