Add an option to automatically verify SSH keys from LDAP

Ivan Tkachev · Ivan Tkachev · commit 1228de7ce31a · 2025-11-11T16:52:55.000+03:00
diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
@@ -94,6 +94,10 @@ func commonLdapCLIFlags() []cli.Flag {
 			Name:  "public-ssh-key-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
 		},
+                &cli.BoolFlag{
+                        Name:  "ssh-keys-are-verified",
+                        Usage: "Set to true to automatically flag SSH keys in LDAP as verified.",
+                },
 		&cli.BoolFlag{
 			Name:  "skip-local-2fa",
 			Usage: "Set to true to skip local 2fa for users authenticated by this source",
@@ -294,6 +298,9 @@ func parseLdapConfig(c *cli.Command, config *ldap.Source) error {
 	if c.IsSet("public-ssh-key-attribute") {
 		config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")
 	}
+	if c.IsSet("ssh-keys-are-verified") {
+		config.SSHKeysAreVerified = c.Bool("ssh-keys-are-verified")
+	}
 	if c.IsSet("avatar-attribute") {
 		config.AttributeAvatar = c.String("avatar-attribute")
 	}
diff --git a/models/asymkey/ssh_key.go b/models/asymkey/ssh_key.go
@@ -84,7 +84,7 @@ func addKey(ctx context.Context, key *PublicKey) (err error) {
 }
 
 // AddPublicKey adds new public key to database and authorized_keys file.
-func AddPublicKey(ctx context.Context, ownerID int64, name, content string, authSourceID int64) (*PublicKey, error) {
+func AddPublicKey(ctx context.Context, ownerID int64, name, content string, authSourceID int64, verified bool) (*PublicKey, error) {
 	log.Trace(content)
 
 	fingerprint, err := CalcFingerprint(content)
@@ -115,6 +115,7 @@ func AddPublicKey(ctx context.Context, ownerID int64, name, content string, auth
 			Mode:          perm.AccessModeWrite,
 			Type:          KeyTypeUser,
 			LoginSourceID: authSourceID,
+                        Verified:      verified,
 		}
 		if err = addKey(ctx, key); err != nil {
 			return nil, fmt.Errorf("addKey: %w", err)
@@ -298,7 +299,7 @@ func deleteKeysMarkedForDeletion(ctx context.Context, keys []string) (bool, erro
 }
 
 // AddPublicKeysBySource add a users public keys. Returns true if there are changes.
-func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
+func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string, verified bool) bool {
 	var sshKeysNeedUpdate bool
 	for _, sshKey := range sshPublicKeys {
 		var err error
@@ -317,7 +318,7 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So
 			marshalled = marshalled[:len(marshalled)-1]
 			sshKeyName := fmt.Sprintf("%s-%s", s.Name, ssh.FingerprintSHA256(out))
 
-			if _, err := AddPublicKey(ctx, usr.ID, sshKeyName, marshalled, s.ID); err != nil {
+			if _, err := AddPublicKey(ctx, usr.ID, sshKeyName, marshalled, s.ID, verified); err != nil {
 				if IsErrKeyAlreadyExist(err) {
 					log.Trace("AddPublicKeysBySource[%s]: Public SSH Key %s already exists for user", sshKeyName, usr.Name)
 				} else {
@@ -336,7 +337,7 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So
 }
 
 // SynchronizePublicKeys updates a user's public keys. Returns true if there are changes.
-func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
+func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string, verified bool) bool {
 	var sshKeysNeedUpdate bool
 
 	log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name)
@@ -381,7 +382,7 @@ func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.So
 			newKeys = append(newKeys, key)
 		}
 	}
-	if AddPublicKeysBySource(ctx, usr, s, newKeys) {
+	if AddPublicKeysBySource(ctx, usr, s, newKeys, verified) {
 		sshKeysNeedUpdate = true
 	}
 
diff --git a/options/locale/locale_cs-CZ.ini b/options/locale/locale_cs-CZ.ini
@@ -2950,6 +2950,7 @@ auths.attribute_surname=Atribut příjmení
 auths.attribute_mail=Atribut e-mailové adresy
 auths.attribute_ssh_public_key=Atribut veřejného SSH klíče
 auths.attribute_avatar=Atributy avataru
+auths.ssh_keys_are_verified=SSH klíče v LDAP jsou automaticky ověřovány. 
 auths.attributes_in_bind=Získat atributy v kontextu Bind DN
 auths.allow_deactivate_all=Povolit prázdný výsledek hledání pro deaktivaci všech uživatelů
 auths.use_paged_search=Použijte vyhledávání ve stránce
diff --git a/options/locale/locale_de-DE.ini b/options/locale/locale_de-DE.ini
@@ -3000,6 +3000,7 @@ auths.attribute_surname=Nachnamensattribut
 auths.attribute_mail=E-Mail-Attribut
 auths.attribute_ssh_public_key=Öffentlicher-SSH-Schlüssel-Attribut
 auths.attribute_avatar=Avatar-Attribut
+auths.ssh_keys_are_verified=SSH-Schlüssel in LDAP werden automatisch überprüft
 auths.attributes_in_bind=Hole Attribute im Bind-Kontext
 auths.allow_deactivate_all=Erlaube ein leeres Suchergebnis, um alle Benutzer zu deaktivieren
 auths.use_paged_search=Seitensuche verwenden
diff --git a/options/locale/locale_el-GR.ini b/options/locale/locale_el-GR.ini
@@ -2692,6 +2692,7 @@ auths.attribute_surname=Χαρακτηριστικό Επωνύμου
 auths.attribute_mail=Χαρακτηριστικό Email
 auths.attribute_ssh_public_key=Χαρακτηριστικό Δημόσιου Κλειδιού SSH
 auths.attribute_avatar=Χαρακτηριστικό Εικόνας
+auths.ssh_keys_are_verified=Οι κλειδιά SSH στο LDAP ελέγχονται αυτόματα
 auths.attributes_in_bind=Λήψη χαρακτηριστικών μέσα στο πλαίσιο του Bind DN
 auths.allow_deactivate_all=Επιτρέψτε σε ένα κενό αποτέλεσμα αναζήτησης να απενεργοποιήσει όλους τους χρήστες
 auths.use_paged_search=Χρήση Σελιδοποιημένης Αναζήτησης
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname = Surname Attribute
 auths.attribute_mail = Email Attribute
 auths.attribute_ssh_public_key = Public SSH Key Attribute
 auths.attribute_avatar = Avatar Attribute
+auths.ssh_keys_are_verified = SSH keys in LDAP are automatically verified
 auths.attributes_in_bind = Fetch Attributes in Bind DN Context
 auths.allow_deactivate_all = Allow an empty search result to deactivate all users
 auths.use_paged_search = Use Paged Search
diff --git a/options/locale/locale_es-ES.ini b/options/locale/locale_es-ES.ini
@@ -2672,6 +2672,7 @@ auths.attribute_surname=Atributo apellido
 auths.attribute_mail=Atributo correo electrónico
 auths.attribute_ssh_public_key=Atributo Clave Pública SSH
 auths.attribute_avatar=Atributo del avatar
+auths.ssh_keys_are_verified=Las claves SSH en LDAP se verifican automáticamente
 auths.attributes_in_bind=Obtener atributos en el contexto de Bind DN
 auths.allow_deactivate_all=Permitir un resultado de búsqueda vacío para desactivar todos los usuarios
 auths.use_paged_search=Usar búsqueda paginada
diff --git a/options/locale/locale_fa-IR.ini b/options/locale/locale_fa-IR.ini
@@ -2111,6 +2111,7 @@ auths.attribute_surname=ویژگی نام خانوادگی
 auths.attribute_mail=ویژگی ایمیل
 auths.attribute_ssh_public_key=ویژگی های کلید SSH عمومی
 auths.attribute_avatar=ویژگی آواتار
+auths.ssh_keys_are_verified=کلیدهای SSH در LDAP به صورت خودکار تأیید می‌شوند. 
 auths.attributes_in_bind=واکشی ویژگی های DN متصل شده در متن زمینه
 auths.allow_deactivate_all=به یک نتیجه جستجوی خالی اجازه دهید تا همه کاربران را غیرفعال کند
 auths.use_paged_search=استفاده از جستجو ثبت شده
diff --git a/options/locale/locale_fr-FR.ini b/options/locale/locale_fr-FR.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname=Attribut nom de famille
 auths.attribute_mail=Attribut courriel
 auths.attribute_ssh_public_key=Attribut clé SSH publique
 auths.attribute_avatar=Attribut de l'avatar
+auths.ssh_keys_are_verified=Les clés SSH dans LDAP sont vérifiées automatiquement
 auths.attributes_in_bind=Aller chercher les attributs dans le contexte de liaison DN
 auths.allow_deactivate_all=Permettre à un résultat de recherche vide de désactiver tous les utilisateurs
 auths.use_paged_search=Utiliser la recherche paginée
diff --git a/options/locale/locale_ga-IE.ini b/options/locale/locale_ga-IE.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname=Tréith Sloinne
 auths.attribute_mail=Tréith ríomhphoist
 auths.attribute_ssh_public_key=Tréith Eochair SSH Phoiblí
 auths.attribute_avatar=Tréith Avatar
+auths.ssh_keys_are_verified=Tá eochracha SSH i LDAP agus déantar díriú orthu go huathoibríoch
 auths.attributes_in_bind=Faigh tréithe i gComhthéacs Bind DN
 auths.allow_deactivate_all=Lig do thoradh cuardaigh folamh gach úsáideoir a dhíghníomhachtú
 auths.use_paged_search=Úsáid Cuardach Leathanaigh
diff --git a/options/locale/locale_it-IT.ini b/options/locale/locale_it-IT.ini
@@ -2278,6 +2278,7 @@ auths.attribute_surname=Attributo cognome
 auths.attribute_mail=Attributo email
 auths.attribute_ssh_public_key=Attributo chiave SSH pubblica
 auths.attribute_avatar=Attributo Avatar
+auths.ssh_keys_are_verified=Le chiavi SSH in LDAP vengono verificate automaticamente
 auths.attributes_in_bind=Estrai Attributi dal Contesto Bind DN
 auths.allow_deactivate_all=Consenti un risultato di ricerca vuoto per disattivare tutti gli utenti
 auths.use_paged_search=Utilizza ricerca per pagina
diff --git a/options/locale/locale_ja-JP.ini b/options/locale/locale_ja-JP.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname=姓
 auths.attribute_mail=メールアドレス
 auths.attribute_ssh_public_key=SSH公開鍵
 auths.attribute_avatar=アバター
+auths.ssh_keys_are_verified=LDAP内のSSHキーは自動的に検証されます
 auths.attributes_in_bind=バインドDNのコンテクストから属性を取得する
 auths.allow_deactivate_all=サーチ結果が空のときは全ユーザーを非アクティブ化
 auths.use_paged_search=ページ分割検索を使用
diff --git a/options/locale/locale_ko-KR.ini b/options/locale/locale_ko-KR.ini
@@ -1306,6 +1306,7 @@ auths.attribute_name=이름 속성
 auths.attribute_surname=성 속성
 auths.attribute_mail=이메일 속성
 auths.attribute_ssh_public_key=SSH 공개 키 속성
+auths.ssh_keys_are_verified=LDAP의 SSH 키는 자동으로 검증됩니다
 auths.use_paged_search=페이지 검색 사용
 auths.search_page_size=페이지 크기
 auths.filter=사용자 필터
diff --git a/options/locale/locale_lv-LV.ini b/options/locale/locale_lv-LV.ini
@@ -2693,6 +2693,7 @@ auths.attribute_surname=Uzvārda atribūts
 auths.attribute_mail=E-pasta atribūts
 auths.attribute_ssh_public_key=Publiskās SSH atslēgas atribūts
 auths.attribute_avatar=Profila attēla atribūts
+auths.ssh_keys_are_verified=SSH atslēgas LDAP tiek automātiski pārbaudītas
 auths.attributes_in_bind=Nolasīt atribūtus no saistīšanas DN konteksta
 auths.allow_deactivate_all=Atļaut tukšam datu izgūšanas rezultātam deaktivizēt visus lietotājus
 auths.use_paged_search=Izmantot, dalīto pa lapām, meklēšanu
diff --git a/options/locale/locale_nl-NL.ini b/options/locale/locale_nl-NL.ini
@@ -2160,6 +2160,7 @@ auths.attribute_name=Voornaam attribuut
 auths.attribute_surname=Achternaam attribuut
 auths.attribute_mail=E-mail attribuut
 auths.attribute_ssh_public_key=Publieke SSH sleutel attribuut
+auths.ssh_keys_are_verified=SSH-sleutels in LDAP worden automatisch geverifieerd
 auths.attributes_in_bind=Verkrijg attributes van de Bind DN context
 auths.allow_deactivate_all=Laat een leeg zoekresultaat toe om alle gebruikers te deactiveren
 auths.use_paged_search=Gebruik Paged Search
diff --git a/options/locale/locale_pl-PL.ini b/options/locale/locale_pl-PL.ini
@@ -2044,6 +2044,7 @@ auths.attribute_name=Atrybut imienia
 auths.attribute_surname=Atrybut nazwiska
 auths.attribute_mail=Atrybut adresu e-mail
 auths.attribute_ssh_public_key=Atrybut publicznego klucza SSH
+auths.ssh_keys_are_verified=Klucze SSH w LDAP są automatycznie weryfikowane
 auths.attributes_in_bind=Pobierz atrybuty w kontekście Bind DN
 auths.allow_deactivate_all=Zezwól na pusty wynik wyszukiwania, aby zdezaktywować wszystkich użytkowników
 auths.use_paged_search=Użyj wyszukiwania paginowanego
diff --git a/options/locale/locale_pt-BR.ini b/options/locale/locale_pt-BR.ini
@@ -2992,6 +2992,7 @@ auths.attribute_mail=Atributo do E-mail
 auths.attribute_ssh_public_key=Atributo da Chave SSH Pública
 auths.attribute_avatar=Atributo do Avatar
 auths.attributes_in_bind=Buscar os atributos no contexto de Bind DN
+auths.ssh_keys_are_verified=As chaves SSH no LDAP são verificadas automaticamente
 auths.allow_deactivate_all=Permitir que um resultado de pesquisa vazio para desativar todos os usuários
 auths.use_paged_search=Usar a Pesquisa Paginada
 auths.search_page_size=Tamanho da Página
diff --git a/options/locale/locale_pt-PT.ini b/options/locale/locale_pt-PT.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname=Atributo do Sobrenome
 auths.attribute_mail=Atributo do email
 auths.attribute_ssh_public_key=Atributo da chave pública SSH
 auths.attribute_avatar=Atributo do avatar
+auths.ssh_keys_are_verified=As chaves SSH no LDAP são verificadas automaticamente
 auths.attributes_in_bind=Buscar atributos no contexto do Bind DN
 auths.allow_deactivate_all=Permitir que um resultado de pesquisa vazio desabilite todos os utilizadores
 auths.use_paged_search=Usar pesquisa paginada
diff --git a/options/locale/locale_ru-RU.ini b/options/locale/locale_ru-RU.ini
@@ -2646,6 +2646,7 @@ auths.attribute_surname=Атрибут Surname
 auths.attribute_mail=Атрибут электронной почты
 auths.attribute_ssh_public_key=Атрибут Открытый ключ SSH
 auths.attribute_avatar=Характеристики аватара
+auths.ssh_keys_are_verified=Ключи SSH автоматически верифицированы
 auths.attributes_in_bind=Извлекать атрибуты в контексте Bind DN
 auths.allow_deactivate_all=Разрешить пустой результат поиска для отключения всех пользователей
 auths.use_paged_search=Использовать постраничный поиск
diff --git a/options/locale/locale_si-LK.ini b/options/locale/locale_si-LK.ini
@@ -2074,6 +2074,7 @@ auths.attribute_surname=වාසගම ගුණාංග
 auths.attribute_mail=ඊ-තැපැල් ගුණාංග
 auths.attribute_ssh_public_key=රාජ්ය SSH කී ගුණාංගය
 auths.attribute_avatar=අවතාර් ගුණාංග
+auths.ssh_keys_are_verified=LDAP හි SSH යතුරු ස්වයංක්‍රීයව සත්‍යාපනය කරනු ලැබේ
 auths.attributes_in_bind=ඩී. එන් සන්දර්භය තුළ ඇති ගුණාංග
 auths.allow_deactivate_all=සියලුම පරිශීලකයින් අක්රිය කිරීමට හිස් සෙවුම් ප්රති result ලයකට ඉඩ දෙන්න
 auths.use_paged_search=භාවිතා කරන්න paged සොයන්න
diff --git a/options/locale/locale_sv-SE.ini b/options/locale/locale_sv-SE.ini
@@ -1697,6 +1697,7 @@ auths.attribute_name=Förnamnsattribut
 auths.attribute_surname=Efternamnsattribut
 auths.attribute_mail=Mejlattribut
 auths.attribute_ssh_public_key=Attribut för offentlig SSH-nyckel
+auths.ssh_keys_are_verified=SSH-nycklar i LDAP verifieras automatiskt
 auths.attributes_in_bind=Hämta attribut ur Bind DN Context
 auths.use_paged_search=Använd paginerad sökning
 auths.search_page_size=Sidstorlek
diff --git a/options/locale/locale_tr-TR.ini b/options/locale/locale_tr-TR.ini
@@ -3220,6 +3220,7 @@ auths.attribute_surname=Soyad Özelliği
 auths.attribute_mail=E-posta Özelliği
 auths.attribute_ssh_public_key=Açık SSH Anahtarı Özelliği
 auths.attribute_avatar=Avatar Özelliği
+auths.ssh_keys_are_verified=LDAP'teki SSH anahtarları otomatik olarak doğrulanır. 
 auths.attributes_in_bind=Bağlı DN tabanındaki özellikleri çek
 auths.allow_deactivate_all=Boş bir arama sonucunun tüm kullanıcıları devre dışı bırakmasına izin ver
 auths.use_paged_search=Sayfalı Aramayı Kullan
diff --git a/options/locale/locale_uk-UA.ini b/options/locale/locale_uk-UA.ini
@@ -2842,6 +2842,7 @@ auths.attribute_surname=Властивості прізвища
 auths.attribute_mail=Властивості електронної пошти
 auths.attribute_ssh_public_key=Властивості публічного ключа SSH
 auths.attribute_avatar=Властивості аватару
+auths.ssh_keys_are_verified=SSH-ключі в LDAP автоматично перевіряються
 auths.attributes_in_bind=Витягувати атрибути в контексті Bind DN
 auths.allow_deactivate_all=Дозволити порожній результат пошуку, щоб деактивувати всіх користувачів
 auths.use_paged_search=Використовувати посторінковий пошук
diff --git a/options/locale/locale_zh-CN.ini b/options/locale/locale_zh-CN.ini
@@ -3224,6 +3224,7 @@ auths.attribute_surname=姓氏属性
 auths.attribute_mail=电子邮箱属性
 auths.attribute_ssh_public_key=SSH公钥属性
 auths.attribute_avatar=头像属性
+auths.ssh_keys_are_verified=LDAP 中的 SSH 密钥会自动验证
 auths.attributes_in_bind=从 Bind DN 中拉取属性信息
 auths.allow_deactivate_all=允许在搜索结果为空时停用所有用户
 auths.use_paged_search=使用分页搜索
diff --git a/options/locale/locale_zh-TW.ini b/options/locale/locale_zh-TW.ini
@@ -2927,6 +2927,7 @@ auths.attribute_surname=姓氏屬性
 auths.attribute_mail=電子郵件屬性
 auths.attribute_ssh_public_key=SSH 公鑰屬性
 auths.attribute_avatar=大頭貼屬性
+auths.ssh_keys_are_verified=LDAP 中的 SSH 密鑰會自動驗證
 auths.attributes_in_bind=從 Bind DN 中取得屬性資訊
 auths.allow_deactivate_all=允許在搜尋結果為空白時停用所有使用者帳戶
 auths.use_paged_search=使用分頁查詢
diff --git a/routers/api/v1/user/key.go b/routers/api/v1/user/key.go
@@ -211,7 +211,7 @@ func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid
 		return
 	}
 
-	key, err := asymkey_model.AddPublicKey(ctx, uid, form.Title, content, 0)
+	key, err := asymkey_model.AddPublicKey(ctx, uid, form.Title, content, 0, false)
 	if err != nil {
 		repo.HandleAddKeyError(ctx, err)
 		return
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
@@ -136,6 +136,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {
 		AttributesInBind:      form.AttributesInBind,
 		AttributeSSHPublicKey: form.AttributeSSHPublicKey,
 		AttributeAvatar:       form.AttributeAvatar,
+                SSHKeysAreVerified:    form.SSHKeysAreVerified,
 		SearchPageSize:        pageSize,
 		Filter:                form.Filter,
 		GroupsEnabled:         form.GroupsEnabled,
diff --git a/routers/web/auth/oauth_signin_sync.go b/routers/web/auth/oauth_signin_sync.go
@@ -86,7 +86,7 @@ func oauth2UpdateSSHPubIfNeed(ctx *context.Context, authSource *auth.Source, got
 	if err != nil {
 		return err
 	}
-	if !asymkey_model.SynchronizePublicKeys(ctx, user, authSource, sshKeys) {
+	if !asymkey_model.SynchronizePublicKeys(ctx, user, authSource, sshKeys, false) {
 		return nil
 	}
 	return asymkey_service.RewriteAllPublicKeys(ctx)
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
@@ -187,7 +187,7 @@ func KeysPost(ctx *context.Context) {
 			return
 		}
 
-		if _, err = asymkey_model.AddPublicKey(ctx, ctx.Doer.ID, form.Title, content, 0); err != nil {
+		if _, err = asymkey_model.AddPublicKey(ctx, ctx.Doer.ID, form.Title, content, 0, false); err != nil {
 			ctx.Data["HasSSHError"] = true
 			switch {
 			case asymkey_model.IsErrKeyAlreadyExist(err):
diff --git a/services/asymkey/commit_test.go b/services/asymkey/commit_test.go
@@ -31,7 +31,7 @@ func TestParseCommitWithSSHSignature(t *testing.T) {
 	// AAAEDWqPHTH51xb4hy1y1f1VeWL/2A9Q0b6atOyv5fx8x5prpPrMXSg9qTx04jPNPWRcHs
 	// utyxWjThIpzcaO68yWVnAAAAEXVzZXIyQGV4YW1wbGUuY29tAQIDBA==
 	// -----END OPENSSH PRIVATE KEY-----
-	sshPubKey, err := asymkey_model.AddPublicKey(t.Context(), 999, "user-ssh-key-any-name", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpPrMXSg9qTx04jPNPWRcHsutyxWjThIpzcaO68yWVn", 0)
+	sshPubKey, err := asymkey_model.AddPublicKey(t.Context(), 999, "user-ssh-key-any-name", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpPrMXSg9qTx04jPNPWRcHsutyxWjThIpzcaO68yWVn", 0, false)
 	require.NoError(t, err)
 	_, err = db.GetEngine(t.Context()).ID(sshPubKey.ID).Cols("verified").Update(&asymkey_model.PublicKey{Verified: true})
 	require.NoError(t, err)
diff --git a/services/asymkey/ssh_key_test.go b/services/asymkey/ssh_key_test.go
@@ -66,7 +66,7 @@ ssh-dss AAAAB3NzaC1kc3MAAACBAOChCC7lf6Uo9n7BmZ6M8St19PZf4Tn59NriyboW2x/DZuYAz3ib
 
 	for i, kase := range testCases {
 		s.ID = int64(i) + 20
-		asymkey_model.AddPublicKeysBySource(t.Context(), user, s, []string{kase.keyString})
+		asymkey_model.AddPublicKeysBySource(t.Context(), user, s, []string{kase.keyString}, false)
 		keys, err := db.Find[asymkey_model.PublicKey](t.Context(), asymkey_model.FindPublicKeyOptions{
 			OwnerID:       user.ID,
 			LoginSourceID: s.ID,
diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go
@@ -44,6 +44,7 @@ type Source struct {
 	AttributesInBind      bool   // fetch attributes in bind context (not user)
 	AttributeSSHPublicKey string // LDAP SSH Public Key attribute
 	AttributeAvatar       string
+        SSHKeysAreVerified    bool   // true if SSH keys in LDAP are verified
 	SearchPageSize        uint32 // Search with paging page size
 	Filter                string // Query filter to validate entry
 	AdminFilter           string // Query filter to check if user is admin
diff --git a/services/auth/source/ldap/source_authenticate.go b/services/auth/source/ldap/source_authenticate.go
diff --git a/services/auth/source/ldap/source_sync.go b/services/auth/source/ldap/source_sync.go
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl
