From b5d9f37bb73f77d4daa5af3c0e62ccc7c9a62d9c Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Mon, 26 Jan 2026 00:07:45 -0700
Subject: [PATCH] add ssh authorized keys command

---
 ansible/roles/ldap_client/handlers/main.yaml | 4 ++++
 ansible/roles/ldap_client/tasks/main.yaml | 1 +
 ansible/roles/ldap_client/tasks/sshd.yaml | 14 ++++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 ansible/roles/ldap_client/tasks/sshd.yaml

diff --git a/ansible/roles/ldap_client/handlers/main.yaml b/ansible/roles/ldap_client/handlers/main.yaml
index 8121eba..9b294fc 100644
--- a/ansible/roles/ldap_client/handlers/main.yaml
+++ b/ansible/roles/ldap_client/handlers/main.yaml
@@ -3,3 +3,7 @@
 name: sssd
 state: restarted
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
diff --git a/ansible/roles/ldap_client/tasks/main.yaml b/ansible/roles/ldap_client/tasks/main.yaml
index f1043dd..7f17861 100644
--- a/ansible/roles/ldap_client/tasks/main.yaml
+++ b/ansible/roles/ldap_client/tasks/main.yaml
@@ -1,3 +1,4 @@
 - import_tasks: install.yaml
 - import_tasks: authselect.yaml
 - import_tasks: nsswitch.yaml
+- import_tasks: sshd.yaml
diff --git a/ansible/roles/ldap_client/tasks/sshd.yaml b/ansible/roles/ldap_client/tasks/sshd.yaml
new file mode 100644
index 0000000..bc72022
--- /dev/null
+++ b/ansible/roles/ldap_client/tasks/sshd.yaml
@@ -0,0 +1,14 @@
+- name: Ensure sshd has AuthorizedKeysCommand
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^AuthorizedKeysCommand'
+ line: 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'
+ notify: restart sshd
+
+- name: Ensure sshd has AuthorizedKeysCommandUser
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^AuthorizedKeysCommandUser'
+ line: 'AuthorizedKeysCommandUser nobody'
+ notify: restart sshd
+
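Review bot: `state: restarted` in the new `restart sshd` handler is heavier than a sshd_config edit needs; sshd re-reads its configuration on reload, so `state: reloaded` applies the new directives without bouncing the listener, and if you switch, rename the handler (and the `notify` targets in sshd.yaml) to `reload sshd` so the name stays accurate. Keeping restart for symmetry with the existing sssd handler just above is defensible, so this is a style point rather than a defect.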
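Review bot: `regexp: '^AuthorizedKeysCommand'` in the first sshd.yaml task also matches an `AuthorizedKeysCommandUser` line, and lineinfile replaces the last match, so from the second run on it overwrites the `AuthorizedKeysCommandUser nobody` line written by the second task, which then re-appends it — the config accumulates duplicate `AuthorizedKeysCommand` lines, the role never converges, and sshd is restarted on every run. Anchor both patterns on the directive followed by whitespace, `regexp: '^AuthorizedKeysCommand\s'` and `regexp: '^AuthorizedKeysCommandUser\s'`. Since a malformed sshd_config followed by the restart handler can cut off remote access to the host, both tasks should also carry `validate: '/usr/sbin/sshd -t -f %s'` so a bad edit is rejected before the handler fires. When nothing matches, lineinfile appends at end of file, which lands the directive inside a trailing `Match` block if the host config has one; `insertbefore: '^Match'` keeps it in the global section. Indentation is not recoverable from this rendering, but `notify:` must sit at task level rather than nested under `lineinfile:`, where Ansible would reject it as an unsupported parameter.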