Better SSH Keys Management with AuthorizedKeysCommand

Published: | Last Edited:
Category: tech

I usually use authorized_key files to store SSH public keys in order to access my servers . However once I start to have multiple servers, I realize manually managing SSH keys is nightmare.

Recently I found out a better way to manage these SSH keys In /etc/ssh/sshd_config file there are 2 configurations:

AuthorizedKeysCommand /
AuthorizedKeysCommandUser nobody

We can use AuthorizedKeysCommand to point to an script that returns all the SSH keys. In this case, my script is:


Name this file and make it executable: chmod a+x /

The public keys are stored in a Github repo which can be updated any time. The structure of the repo is this:

├── user1
├── user2
├── user3
└── user4

When I login with user1, the server will get user1’s public keys from Github and validates it agaisnt user1’s private key.

There are a few problems with this approach: I rely on an external service to retrieve the public keys. If Github goes offline, I will be unable to login to my servers at all. This also adds latency to the login step as we need to retrieve the keys over the internet. So I should think about some caching mechanism in case this happens.

Next Post: Some Notes on Apache Spark Memory Management
Previous Post: Setup Shell Script for Linux-based Servers