diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 471e031..a45f9b9 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -81,6 +81,8 @@
 {{ option_default_uncommented('RSAAuthentication', 'yes') }}
 {{ option_default_uncommented('PubkeyAuthentication', 'yes') }}
 {{ option('AuthorizedKeysFile', '%h/.ssh/authorized_keys') }}
+{{ option('AuthorizedKeysCommand', 'none') }}
+{{ option('AuthorizedKeysCommandUser', 'nobody') }}
 # Don't read the user's ~/.rhosts and ~/.shosts files
 {{ option_default_uncommented('IgnoreRhosts', 'yes') }}
diff --git a/pillar.example b/pillar.example
index e22873a..81c54ab 100644
--- a/pillar.example
+++ b/pillar.example
@@ -21,6 +21,8 @@ sshd_config:
 MaxSessions: 10
 RSAAuthentication: 'yes'
 PubkeyAuthentication: 'yes'
+ AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
+ AuthorizedKeysCommandUser: 'nobody'
 IgnoreRhosts: 'yes'
 RhostsRSAAuthentication: 'no'
 HostbasedAuthentication: 'no'
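Review bot: The two added `option(...)` lines are rendered independently, so a pillar that sets only `AuthorizedKeysCommand` can produce a config that sshd rejects. sshd_config(5) states that sshd refuses to start when the command is set without `AuthorizedKeysCommandUser`. This assumes `option` emits its default as a commented line when the pillar key is absent, as the sibling name `option_default_uncommented` suggests; the macro is defined outside this hunk, so please confirm. Either way, I would document the pairing above the two lines: `# AuthorizedKeysCommandUser must be set whenever AuthorizedKeysCommand is; sshd will not start otherwise`. The same comment could note that the command must be an absolute path, owned by root and not writable by group or others.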
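Review bot: The example runs the key lookup helper as `nobody`, an account often shared with other services, whereas sshd_config(5) recommends a dedicated user with no other role on the host for `AuthorizedKeysCommandUser`. Readers copying this should also know that keys returned by the command are accepted in addition to those in `AuthorizedKeysFile`, so removing a key from the directory does not revoke a copy left in a local authorized_keys file. I would add a comment above the two new keys, such as `# local AuthorizedKeysFile entries are still honoured; set AuthorizedKeysFile to 'none' to rely on the command alone`. The `sshd_config:` mapping continues outside this hunk, so whether `AuthorizedKeysFile` is already set in the example is not visible here.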