In a previous blog post we discussed how we can allow users to store their keys in Active Directory and automatically deploy those keys. Now we will explore how we can allow users to manage SSH keys stored in this manner.

First, we need to allow users to update their own sshPublicKeys attribute.

Allowing self-write to sshPublicKeys

First off, open ADUC and right-click the top-level OU for your company, then select “Delegate Control…”.

When presented with the wizard, immediately hit Next. On the next page, select the “Add” button under the User / Group selection. Input ‘SELF’ then ‘Check Names’.

On the next page, select the option to delegate a custom task.

Next, we’ll delegate this permission to User objects only.

Under permissions, we’ll select “Property Specific”, then both read and write for sshPublicKeys.

On the last page, verify your settings and complete the wizard.

Now, head over to our GitHub and download our management scripts. These scripts are designed to allow your end users to manage their SSH keys on either *NIX-based systems or Windows. Their usage is fairly simple:

OS X & Linux

1. Install python-ldap, which the script requires:

pip install python-ldap

2. Now run the script and enter your login info, keeping in mind that your
username should be your userPrincipalName ($
Config items you will be asked for will be stored in ~/.ssh-keyman. They can be cleared later on by using the --clear switch.

$ python
LDAP Server URI - The AD Server IP or FQDN
BASE DN - The top level OU where your user is located
SSH Key Attribute Name - The name of the attribute that holds your SSH keys in AD
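As an added example (not the post’s or the GitHub scripts’ own code), the core of a self-service key update using python-ldap, which the script above requires: bind as the user over ldaps:// so that only the SELF write delegated earlier applies, read the current sshPublicKeys values, validate the new key line before anything is written, and add it only if it is not already stored. The LDAP URI, base DN and userPrincipalName are assumed to be passed in as parameters (the script prompts for them); python-ldap is imported only inside the function that talks to the directory, so the parsing and modlist helpers run without it.

```python
import base64, binascii
SSH_KEY_ATTR = "sshPublicKeys"  # attribute from the post; the scripts make it configurable
MOD_ADD = 0                     # numeric value of ldap.MOD_ADD, so the helpers import without python-ldap
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_authorized_key(line):
    """Split one OpenSSH public-key line into (type, base64 blob, comment); reject anything malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unsupported or malformed key line")
    keytype, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    # Every OpenSSH blob starts with a length-prefixed copy of its type; it must match the prefix.
    n = int.from_bytes(raw[:4], "big") if len(raw) >= 4 else -1
    if n < 0 or raw[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match its prefix")
    return keytype, blob, comment

def build_modlist(existing, new_key):
    """python-ldap modlist that adds new_key; empty when the same type+blob is already stored."""
    keytype, blob, comment = parse_authorized_key(new_key)
    for value in existing:                       # values read back from LDAP are bytes
        try:
            stored = parse_authorized_key(value.decode("utf-8", "replace"))
        except ValueError:
            continue                             # unparseable stored values are left untouched
        if stored[:2] == (keytype, blob):
            return []
    line = " ".join(p for p in (keytype, blob, comment) if p)
    return [(MOD_ADD, SSH_KEY_ATTR, [line.encode("utf-8")])]

def add_key_for_self(uri, base_dn, upn, password, new_key):
    """Bind as the user over ldaps:// (so only the SELF delegation applies) and add the key."""
    import ldap, ldap.filter  # python-ldap from step 1; imported here so the parsers work without it
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # refuse an unverified server
    conn = ldap.initialize(uri)
    conn.simple_bind_s(upn, password)
    flt = "(userPrincipalName=%s)" % ldap.filter.escape_filter_chars(upn)
    results = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, flt, [SSH_KEY_ATTR])
    dn, attrs = next(h for h in results if h[0])  # AD also returns referral entries with dn None
    modlist = build_modlist(attrs.get(SSH_KEY_ATTR, []), new_key)
    if modlist:
        conn.modify_s(dn, modlist)
    conn.unbind_s()
    return bool(modlist)  # True only when the directory was changed
```

The blob check matters because whatever lands in sshPublicKeys is handed to sshd on every host that trusts the attribute; rejecting malformed lines at write time keeps a user from storing junk that fails (or, worse, is misread) at login.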

Windows
This script requires an Administrator PowerShell prompt to execute. Please note
that it will run under whatever user you are logged in as.

1. Run the script and provide the SSH Key Attribute Name, SSH Host and key to be added.

That’s it! Your users should now have everything they need to manage their SSH keys!