Support AuthorizedKeysCommand
diff --git a/README.rst b/README.rst
index ba51d6b..b83fda0 100644
--- a/README.rst
+++ b/README.rst
@@ -75,6 +75,18 @@
public_keys:
- ${public_keys:newt}
+OpenSSH server for use with FreeIPA
+
+.. code-block:: yaml
+
+ openssh:
+ server:
+ enabled: true
+ public_key_auth: true
+ authorized_keys_command:
+ command: /usr/bin/sss_ssh_authorizedkeys
+ user: nobody
+
Read more
=========
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index c3b8639..e14af38 100755
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -38,6 +38,11 @@
PubkeyAuthentication {% if server.get('public_key_auth', True) %}yes{% else %}no{% endif %}
AuthorizedKeysFile %h/.ssh/authorized_keys
+{%- if server.authorized_keys_command is defined %}
+AuthorizedKeysCommand {{ server.authorized_keys_command.command }}
+AuthorizedKeysCommandUser {{ server.authorized_keys_command.get('user', 'nobody') }}
+{%- endif %}
+
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
@@ -60,13 +65,21 @@
PasswordAuthentication {% if server.get('password_auth', True) %}yes{% else %}no{% endif %}
# Kerberos options
-#KerberosAuthentication no
+{%- if server.get('kerberos_auth', False) %}
+KerberosAuthentication yes
+{%- else %}
+KerberosAuthentication no
+{%- endif %}
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
-#GSSAPIAuthentication no
+{%- if server.get('gssapi_auth', False) %}
+GSSAPIAuthentication yes
+{%- else %}
+GSSAPIAuthentication no
+{%- endif %}
#GSSAPICleanupCredentials yes
X11Forwarding yes