by erikvanzijst 4114 days ago
> would be super curious to see and hear more about their patch to SSHD

It's based on this patch: https://github.com/wuputahllc/openssh-for-git

2 comments

Note that since OpenSSH 6.2 you can plug in to sshd for the keys without patching it with the AuthorizedKeysCommand, and there are several utilities around for pulling the authorized keys from LDAP or similar services.
Unfortunately, this doesn't scale, as with the AuthorizedKeysCommand, you are required to output all the keys for that user on stdout. Outputting all of the "git" user's authorized keys lines would be an extremely expensive operation.

From the sshd_config man page: "Specifies a program to be used for lookup of the user's public keys. The program will be invoked with its first argument the name of the user being authorized, and should produce on standard output AuthorizedKeys lines"

Thanks for the link, but the fact it is 6 years old, and comes with warnings such as "we're not expert C hackers", makes me very nervous.
That's just the original it is based off. There are a few more recently updated forks floating around also. We maintain ours in house.

Either way, if you want to tinker with opensshd I can recommend it as a starting point. It's very small, readable and easily tweaked.
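
Added example, not part of the thread or of the patch linked above: a lookup helper keyed on the offered key's fingerprint, so it emits one authorized_keys line instead of every key for the shared "git" user. It assumes an sshd release whose AuthorizedKeysCommand accepts the `%f` fingerprint token (documented in sshd_config(5) of releases newer than the 6.2 mentioned above); the helper path, the `git-serve` wrapper, the account names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import re
import sys

ACCOUNT_RE = re.compile(r"^[a-z0-9_-]{1,32}$")  # assumed account-name policy

def fingerprint(pubkey_line):
    """SHA256 fingerprint as sshd prints it: 'SHA256:' + unpadded base64."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def build_index(records):
    """Map fingerprint -> (account, key line); a real service would use a database index."""
    return {fingerprint(key): (account, key) for account, key in records}

def lookup(index, fp):
    """Return a single authorized_keys line for the offered key, or '' if unknown."""
    hit = index.get(fp)
    if hit is None:
        return ""
    account, key = hit
    # The account name lands inside a quoted option, so reject anything unexpected.
    if not ACCOUNT_RE.match(account):
        return ""
    ktype, blob = key.split()[:2]
    # Forced command ties the session to the key's owner; the no-* options
    # remove forwarding and terminal access for the shared login user.
    opts = ('command="/usr/local/bin/git-serve %s",no-port-forwarding,'
            'no-X11-forwarding,no-agent-forwarding,no-pty' % account)
    return "%s %s %s\n" % (opts, ktype, blob)

def _sample_key(seed):
    """Constructed ed25519-shaped key blob (not a real key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

SAMPLE = [("alice", _sample_key(1)), ("bob", _sample_key(2))]  # constructed data

if __name__ == "__main__":
    # Assumed sshd_config lines (hypothetical helper path):
    #   AuthorizedKeysCommand /usr/local/bin/lookup-key %f
    #   AuthorizedKeysCommandUser nobody
    fp_arg = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.stdout.write(lookup(build_index(SAMPLE), fp_arg))
```

An unknown fingerprint produces empty output, which sshd treats as no matching key, so the cost per login is one indexed lookup rather than a dump of every stored key.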