
Users created in AD can log in to Linux with a password. I would like to replace this password login with an SSH key. So far, I've made a custom attribute, placed the public key in it, and am able to fetch it on Linux with a script. I would like to put this key in /home/user/.ssh/authorized_keys whenever a new user is created.

Is there an event or some config file that I can use to trigger my script?

Note: SSSD creates the user and home directory whenever a user logs in for the first time.

1 Answer


Rather than copying the public key from your Active Directory to a ~/.ssh/authorized_keys file, you can configure OpenSSH to validate directly against AD instead.

OpenSSH supports the AuthorizedKeysCommand directive in sshd_config, which allows you to specify a program that looks up the user's public key before sshd attempts to read it from a (local) file. For instance:

    AuthorizedKeysCommand /path/to/script %u

where /path/to/script takes, for example, the username as a command-line argument and must then print zero or more lines of authorized_keys output on standard output.

HBruijn
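As an added example (not part of the answer above, and not the asker's script), here is what such an AuthorizedKeysCommand helper can look like when the keys live in an AD attribute. It queries AD with OpenLDAP's ldapsearch, escapes the username so it cannot alter the LDAP filter, unfolds LDIF continuation lines (ldapsearch wraps long values such as SSH keys unless told not to), decodes `attr::` base64 values, and prints only lines that actually look like authorized_keys entries. The attribute name `sshPublicKey`, the server, bind account, base DN and file paths are all assumptions; adjust them to your directory.

```shell
#!/bin/sh
# Added example, not code from the original answer: an AuthorizedKeysCommand
# helper that looks a user's SSH public keys up in Active Directory over LDAP
# and prints them in authorized_keys format for sshd.
#
# Assumed sshd_config fragment (paths and attribute name are assumptions):
#   AuthorizedKeysCommand /usr/local/sbin/ad-ssh-keys %u
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none        # AD is the only source of keys
#   PasswordAuthentication no      # the goal: no more password logins
# sshd only runs the script if it is owned by root and not group/world writable.
set -u

LDAP_URI="${LDAP_URI:-ldaps://dc1.example.com}"                   # assumed DC
BASE_DN="${BASE_DN:-DC=example,DC=com}"                             # assumed base DN
BIND_DN="${BIND_DN:-CN=sshkeys,OU=Service Accounts,DC=example,DC=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ssh/ad-bind.pw}"                # root:root 0600
KEY_ATTR="${KEY_ATTR:-sshPublicKey}"                                # assumed custom attribute
KEY_TYPES='ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com'

NL=$(printf '\n.'); NL=${NL%.}   # a literal newline, for pattern matching

# Escape the RFC 4515 filter metacharacters so the username cannot change the
# meaning of the LDAP query (backslash must be escaped first).
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Accept only the characters expected in an sAMAccountName or user@REALM;
# anything else is refused before it gets anywhere near ldapsearch.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Accept one authorized_keys line: a known key type, a base64 blob, an optional
# comment, no control characters and no embedded newline.
valid_key_line() {
    case "$1" in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "^($KEY_TYPES) "'[A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$'
}

# Read LDIF (as produced by ldapsearch) on stdin, unfold continuation lines,
# decode "attr:: base64" values and print every valid key found in KEY_ATTR.
# Values that do not look like a key are dropped silently.
ldif_to_authorized_keys() {
    awk -v attr="$KEY_ATTR" '
        function flush() { if (cur != "") print cur; cur = "" }
        /^ /  { if (cur != "") cur = cur substr($0, 2); next }   # folded line
              { flush() }
        index($0, attr ":: ") == 1 { cur = "B64:" substr($0, length(attr) + 4); next }
        index($0, attr ": ")  == 1 { cur = "RAW:" substr($0, length(attr) + 3); next }
        END   { flush() }
    ' | while IFS= read -r entry; do
        case "$entry" in
            B64:*) val=$(printf '%s' "${entry#B64:}" | base64 -d 2>/dev/null) || continue ;;
            RAW:*) val=${entry#RAW:} ;;
            *)     continue ;;
        esac
        valid_key_line "$val" && printf '%s\n' "$val"
    done
}

# Query AD for one user and print that user's keys.  -y reads the bind password
# from a file; -o ldif-wrap=no stops ldapsearch folding lines (the parser copes
# with folded output anyway).  TLS trust (TLS_CACERT, TLS_REQCERT demand) comes
# from ldap.conf, so a spoofed DC cannot hand out keys.
print_keys_for() {
    user=$1
    valid_username "$user" || { echo "refusing suspicious username" >&2; return 1; }
    sam=${user%%@*}   # SSSD passes user@REALM when use_fully_qualified_names is set
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" -s sub -o ldif-wrap=no \
        "(&(objectClass=user)(sAMAccountName=$(ldap_escape "$sam")))" "$KEY_ATTR" \
        | ldif_to_authorized_keys
}

# sshd invokes the script as:  ad-ssh-keys <username>
if [ "$#" -ge 1 ]; then
    print_keys_for "$1"
fi
```

Because this replaces the file copy rather than supplementing it, there is no longer a per-user file to populate when SSSD creates the home directory, and removing the attribute in AD (or disabling the account, if your filter also checks userAccountControl) revokes SSH access immediately instead of waiting for the next home-directory creation.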