Support AuthorizedKeysCommand
diff --git a/README.rst b/README.rst
index ba51d6b..b83fda0 100644
--- a/README.rst
+++ b/README.rst
@@ -75,6 +75,18 @@
             public_keys:
             - ${public_keys:newt}
 
+OpenSSH server for use with FreeIPA
+
+.. code-block:: yaml
+
+    openssh:
+      server:
+        enabled: true
+        public_key_auth: true
+        authorized_keys_command:
+          command: /usr/bin/sss_ssh_authorizedkeys
+          user: nobody
+
 Read more
 =========
 
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index c3b8639..e14af38 100755
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -38,6 +38,11 @@
 PubkeyAuthentication {% if server.get('public_key_auth', True) %}yes{% else %}no{% endif %}
 AuthorizedKeysFile     %h/.ssh/authorized_keys
 
+{%- if server.authorized_keys_command is defined %}
+AuthorizedKeysCommand {{ server.authorized_keys_command.command }}
+AuthorizedKeysCommandUser {{ server.authorized_keys_command.get('user', 'nobody') }}
+{%- endif %}
+
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
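Review bot: `AuthorizedKeysFile     %h/.ssh/authorized_keys` stays unconditional just above the new block, so with `authorized_keys_command` set sshd still accepts keys from each user's home directory as well as those the command returns. Removing a key in FreeIPA would then not revoke a copy left in `~/.ssh/authorized_keys`. Consider making the path a pillar value so centrally managed hosts can set it to `none`, e.g. `AuthorizedKeysFile {{ server.get('authorized_keys_file', '%h/.ssh/authorized_keys') }}`, where `authorized_keys_file` is a proposed key, not one the formula has today. Separately, the guard only tests that `authorized_keys_command` is defined, so a pillar without `command` renders a bare `AuthorizedKeysCommand` line that sshd will most likely reject on reload. A guard such as `{%- if server.get('authorized_keys_command', {}).get('command') %}` avoids that.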
@@ -60,13 +65,21 @@
 PasswordAuthentication {% if server.get('password_auth', True) %}yes{% else %}no{% endif %}
 
 # Kerberos options
-#KerberosAuthentication no
+{%- if server.get('kerberos_auth', False) %}
+KerberosAuthentication yes
+{%- else %}
+KerberosAuthentication no
+{%- endif %}
 #KerberosGetAFSToken no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 
 # GSSAPI options
-#GSSAPIAuthentication no
+{%- if server.get('gssapi_auth', False) %}
+GSSAPIAuthentication yes
+{%- else %}
+GSSAPIAuthentication no
+{%- endif %}
 #GSSAPICleanupCredentials yes
 
 X11Forwarding yes
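Review bot: The new `kerberos_auth` and `gssapi_auth` pillar keys are undocumented: the README hunk shows only `authorized_keys_command`, and nothing in the template says how the two options differ. They are easy to confuse, because `KerberosAuthentication` makes sshd validate the password from `PasswordAuthentication` against the KDC, while `GSSAPIAuthentication` is the ticket-based login a FreeIPA client would usually want. I would add `# kerberos_auth: validate passwords against the KDC (needs password_auth and a host keytab)` above the first block and `# gssapi_auth: ticket-based (single sign-on) login` above the second, and list both keys in the README example. Both default to `no`, which matches the previously commented-out defaults.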