diff --git a/host_vars/oxygen.binary-kitchen.net b/host_vars/oxygen.binary-kitchen.net
index 195942d..afeea6c 100644
--- a/host_vars/oxygen.binary-kitchen.net
+++ b/host_vars/oxygen.binary-kitchen.net
@@ -1,4 +1,4 @@
 ---
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
 sshd_password_authentication: "yes"
-uau_reboot: "false"
diff --git a/host_vars/sulis.binary.kitchen b/host_vars/sulis.binary.kitchen
index b98fe23..afeea6c 100644
--- a/host_vars/sulis.binary.kitchen
+++ b/host_vars/sulis.binary.kitchen
@@ -1,3 +1,4 @@
 ---
+sshd_authkeys_command: "/usr/bin/sss_ssh_authorizedkeys"
 sshd_password_authentication: "yes"
diff --git a/roles/common/templates/sshd_config.j2 b/roles/common/templates/sshd_config.j2
index 3c122a1..e74eb43 100644
--- a/roles/common/templates/sshd_config.j2
+++ b/roles/common/templates/sshd_config.j2
@@ -43,8 +43,17 @@ PermitRootLogin {{ sshd_permit_root_login }}
 #AuthorizedPrincipalsFile none
+{% if sshd_authkeys_command is defined and sshd_authkeys_command %}
+AuthorizedKeysCommand {{ sshd_authkeys_command }}
+{% if sshd_authkeys_user is defined and sshd_authkeys_user %}
+AuthorizedKeysCommandUser {{ sshd_authkeys_user }}
+{% else %}
+AuthorizedKeysCommandUser nobody
+{% endif %}
+{% else %}
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
+{% endif %}
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
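Review bot: Dropping `uau_reboot: "false"` in the oxygen hunk is unrelated to the sshd change and hands that host back to the role default, which is not visible here; if that default turns reboots on (judging by the name only), the removal deserves its own commit or a line in the commit message. Both host files now resolve to the same blob (`afeea6c`), so the duplicated `sshd_authkeys_command` and `sshd_password_authentication` values (this covers the sulis hunk too) could live once in a group_vars file. A short comment above `sshd_authkeys_command` saying that `/usr/bin/sss_ssh_authorizedkeys` depends on SSSD's ssh responder being enabled on the host would help, since that setup is not part of this diff.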
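Review bot: The fallback `AuthorizedKeysCommandUser nobody` in the inner `{% else %}` runs the key lookup under an account other services on the host may share; sshd_config(5) recommends a dedicated user with no other role, so a role default for `sshd_authkeys_user` would be a better home for that choice than a literal in the template. The inner `{% if %}…{% endif %}` can collapse to one line, `AuthorizedKeysCommandUser {{ sshd_authkeys_user | default('nobody', true) }}`, which keeps the same defined-and-non-empty semantics. `sshd_authkeys_command` is rendered as given, and sshd expects an absolute path to a root-owned file that is not group- or world-writable, so a template comment stating that requirement would help. I would also note in a comment above the block that keys from the AuthorizedKeysFile paths are still accepted alongside the command's output, so removing a key from the directory does not revoke a locally installed one; the AuthorizedKeysFile setting lies outside this hunk.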