From 1228de7ce31aa2df057d55f27a13332b7a5b7d9e Mon Sep 17 00:00:00 2001
From: Ivan Tkachev <itkachev@hyperad.tech>
Date: Tue, 11 Nov 2025 16:52:55 +0300
Subject: [PATCH 1/5] Add an option to automatically verify SSH keys from LDAP

---
 cmd/admin_auth_ldap.go                           |  7 +++++++
 models/asymkey/ssh_key.go                        | 11 ++++++-----
 options/locale/locale_cs-CZ.ini                  |  1 +
 options/locale/locale_de-DE.ini                  |  1 +
 options/locale/locale_el-GR.ini                  |  1 +
 options/locale/locale_en-US.ini                  |  1 +
 options/locale/locale_es-ES.ini                  |  1 +
 options/locale/locale_fa-IR.ini                  |  1 +
 options/locale/locale_fr-FR.ini                  |  1 +
 options/locale/locale_ga-IE.ini                  |  1 +
 options/locale/locale_it-IT.ini                  |  1 +
 options/locale/locale_ja-JP.ini                  |  1 +
 options/locale/locale_ko-KR.ini                  |  1 +
 options/locale/locale_lv-LV.ini                  |  1 +
 options/locale/locale_nl-NL.ini                  |  1 +
 options/locale/locale_pl-PL.ini                  |  1 +
 options/locale/locale_pt-BR.ini                  |  1 +
 options/locale/locale_pt-PT.ini                  |  1 +
 options/locale/locale_ru-RU.ini                  |  1 +
 options/locale/locale_si-LK.ini                  |  1 +
 options/locale/locale_sv-SE.ini                  |  1 +
 options/locale/locale_tr-TR.ini                  |  1 +
 options/locale/locale_uk-UA.ini                  |  1 +
 options/locale/locale_zh-CN.ini                  |  1 +
 options/locale/locale_zh-TW.ini                  |  1 +
 routers/api/v1/user/key.go                       |  2 +-
 routers/web/admin/auths.go                       |  1 +
 routers/web/auth/oauth_signin_sync.go            |  2 +-
 routers/web/user/setting/keys.go                 |  2 +-
 services/asymkey/commit_test.go                  |  2 +-
 services/asymkey/ssh_key_test.go                 |  2 +-
 services/auth/source/ldap/source.go              |  1 +
 services/auth/source/ldap/source_authenticate.go |  4 ++--
 services/auth/source/ldap/source_sync.go         |  4 ++--
 services/forms/auth_form.go                      |  1 +
 templates/admin/auth/edit.tmpl                   |  6 ++++++
 templates/admin/auth/source/ldap.tmpl            |  6 ++++++
 37 files changed, 60 insertions(+), 14 deletions(-)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index 069ad6600c7e8..3a36cdb7a9043 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -94,6 +94,10 @@ func commonLdapCLIFlags() []cli.Flag {
 			Name:  "public-ssh-key-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
 		},
+                &cli.BoolFlag{
+                        Name:  "ssh-keys-are-verified",
+                        Usage: "Set to true to automatically flag SSH keys in LDAP as verified.",
+                },
 		&cli.BoolFlag{
 			Name:  "skip-local-2fa",
 			Usage: "Set to true to skip local 2fa for users authenticated by this source",
@@ -294,6 +298,9 @@ func parseLdapConfig(c *cli.Command, config *ldap.Source) error {
 	if c.IsSet("public-ssh-key-attribute") {
 		config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")
 	}
+	if c.IsSet("ssh-keys-are-verified") {
+		config.SSHKeysAreVerified = c.Bool("ssh-keys-are-verified")
+	}
 	if c.IsSet("avatar-attribute") {
 		config.AttributeAvatar = c.String("avatar-attribute")
 	}
diff --git a/models/asymkey/ssh_key.go b/models/asymkey/ssh_key.go
index d77b5d46a76b1..45f95b09490f0 100644
--- a/models/asymkey/ssh_key.go
+++ b/models/asymkey/ssh_key.go
@@ -84,7 +84,7 @@ func addKey(ctx context.Context, key *PublicKey) (err error) {
 }
 
 // AddPublicKey adds new public key to database and authorized_keys file.
-func AddPublicKey(ctx context.Context, ownerID int64, name, content string, authSourceID int64) (*PublicKey, error) {
+func AddPublicKey(ctx context.Context, ownerID int64, name, content string, authSourceID int64, verified bool) (*PublicKey, error) {
 	log.Trace(content)
 
 	fingerprint, err := CalcFingerprint(content)
@@ -115,6 +115,7 @@ func AddPublicKey(ctx context.Context, ownerID int64, name, content string, auth
 			Mode:          perm.AccessModeWrite,
 			Type:          KeyTypeUser,
 			LoginSourceID: authSourceID,
+                        Verified:      verified,
 		}
 		if err = addKey(ctx, key); err != nil {
 			return nil, fmt.Errorf("addKey: %w", err)
@@ -298,7 +299,7 @@ func deleteKeysMarkedForDeletion(ctx context.Context, keys []string) (bool, erro
 }
 
 // AddPublicKeysBySource add a users public keys. Returns true if there are changes.
-func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
+func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string, verified bool) bool {
 	var sshKeysNeedUpdate bool
 	for _, sshKey := range sshPublicKeys {
 		var err error
@@ -317,7 +318,7 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So
 			marshalled = marshalled[:len(marshalled)-1]
 			sshKeyName := fmt.Sprintf("%s-%s", s.Name, ssh.FingerprintSHA256(out))
 
-			if _, err := AddPublicKey(ctx, usr.ID, sshKeyName, marshalled, s.ID); err != nil {
+			if _, err := AddPublicKey(ctx, usr.ID, sshKeyName, marshalled, s.ID, verified); err != nil {
 				if IsErrKeyAlreadyExist(err) {
 					log.Trace("AddPublicKeysBySource[%s]: Public SSH Key %s already exists for user", sshKeyName, usr.Name)
 				} else {
@@ -336,7 +337,7 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So
 }
 
 // SynchronizePublicKeys updates a user's public keys. Returns true if there are changes.
-func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
+func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string, verified bool) bool {
 	var sshKeysNeedUpdate bool
 
 	log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name)
@@ -381,7 +382,7 @@ func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.So
 			newKeys = append(newKeys, key)
 		}
 	}
-	if AddPublicKeysBySource(ctx, usr, s, newKeys) {
+	if AddPublicKeysBySource(ctx, usr, s, newKeys, verified) {
 		sshKeysNeedUpdate = true
 	}
 
diff --git a/options/locale/locale_cs-CZ.ini b/options/locale/locale_cs-CZ.ini
index 384c65005427e..d1f4b8da6fbc1 100644
--- a/options/locale/locale_cs-CZ.ini
+++ b/options/locale/locale_cs-CZ.ini
@@ -2950,6 +2950,7 @@ auths.attribute_surname=Atribut příjmení
 auths.attribute_mail=Atribut e-mailové adresy
 auths.attribute_ssh_public_key=Atribut veřejného SSH klíče
 auths.attribute_avatar=Atributy avataru
+auths.ssh_keys_are_verified=SSH klíče v LDAP jsou automaticky ověřovány. 
 auths.attributes_in_bind=Získat atributy v kontextu Bind DN
 auths.allow_deactivate_all=Povolit prázdný výsledek hledání pro deaktivaci všech uživatelů
 auths.use_paged_search=Použijte vyhledávání ve stránce
diff --git a/options/locale/locale_de-DE.ini b/options/locale/locale_de-DE.ini
index a4ff1e8a08b45..0f0734845d966 100644
--- a/options/locale/locale_de-DE.ini
+++ b/options/locale/locale_de-DE.ini
@@ -3000,6 +3000,7 @@ auths.attribute_surname=Nachnamensattribut
 auths.attribute_mail=E-Mail-Attribut
 auths.attribute_ssh_public_key=Öffentlicher-SSH-Schlüssel-Attribut
 auths.attribute_avatar=Avatar-Attribut
+auths.ssh_keys_are_verified=SSH-Schlüssel in LDAP werden automatisch überprüft
 auths.attributes_in_bind=Hole Attribute im Bind-Kontext
 auths.allow_deactivate_all=Erlaube ein leeres Suchergebnis, um alle Benutzer zu deaktivieren
 auths.use_paged_search=Seitensuche verwenden
diff --git a/options/locale/locale_el-GR.ini b/options/locale/locale_el-GR.ini
index 86397138a326f..22985245f7700 100644
--- a/options/locale/locale_el-GR.ini
+++ b/options/locale/locale_el-GR.ini
@@ -2692,6 +2692,7 @@ auths.attribute_surname=Χαρακτηριστικό Επωνύμου
 auths.attribute_mail=Χαρακτηριστικό Email
 auths.attribute_ssh_public_key=Χαρακτηριστικό Δημόσιου Κλειδιού SSH
 auths.attribute_avatar=Χαρακτηριστικό Εικόνας
+auths.ssh_keys_are_verified=Οι κλειδιά SSH στο LDAP ελέγχονται αυτόματα
 auths.attributes_in_bind=Λήψη χαρακτηριστικών μέσα στο πλαίσιο του Bind DN
 auths.allow_deactivate_all=Επιτρέψτε σε ένα κενό αποτέλεσμα αναζήτησης να απενεργοποιήσει όλους τους χρήστες
 auths.use_paged_search=Χρήση Σελιδοποιημένης Αναζήτησης
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index ddc12aefaaaf9..eaf15065b6eb8 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname = Surname Attribute
 auths.attribute_mail = Email Attribute
 auths.attribute_ssh_public_key = Public SSH Key Attribute
 auths.attribute_avatar = Avatar Attribute
+auths.ssh_keys_are_verified = SSH keys in LDAP are automatically verified
 auths.attributes_in_bind = Fetch Attributes in Bind DN Context
 auths.allow_deactivate_all = Allow an empty search result to deactivate all users
 auths.use_paged_search = Use Paged Search
diff --git a/options/locale/locale_es-ES.ini b/options/locale/locale_es-ES.ini
index cf87084f3bdc0..ddc325df58f8d 100644
--- a/options/locale/locale_es-ES.ini
+++ b/options/locale/locale_es-ES.ini
@@ -2672,6 +2672,7 @@ auths.attribute_surname=Atributo apellido
 auths.attribute_mail=Atributo correo electrónico
 auths.attribute_ssh_public_key=Atributo Clave Pública SSH
 auths.attribute_avatar=Atributo del avatar
+auths.ssh_keys_are_verified=Las claves SSH en LDAP se verifican automáticamente
 auths.attributes_in_bind=Obtener atributos en el contexto de Bind DN
 auths.allow_deactivate_all=Permitir un resultado de búsqueda vacío para desactivar todos los usuarios
 auths.use_paged_search=Usar búsqueda paginada
diff --git a/options/locale/locale_fa-IR.ini b/options/locale/locale_fa-IR.ini
index b0a6cc799f654..b971a47f79152 100644
--- a/options/locale/locale_fa-IR.ini
+++ b/options/locale/locale_fa-IR.ini
@@ -2111,6 +2111,7 @@ auths.attribute_surname=ویژگی نام خانوادگی
 auths.attribute_mail=ویژگی ایمیل
 auths.attribute_ssh_public_key=ویژگی های کلید SSH عمومی
 auths.attribute_avatar=ویژگی آواتار
+auths.ssh_keys_are_verified=کلیدهای SSH در LDAP به صورت خودکار تأیید می‌شوند. 
 auths.attributes_in_bind=واکشی ویژگی های DN متصل شده در متن زمینه
 auths.allow_deactivate_all=به یک نتیجه جستجوی خالی اجازه دهید تا همه کاربران را غیرفعال کند
 auths.use_paged_search=استفاده از جستجو ثبت شده
diff --git a/options/locale/locale_fr-FR.ini b/options/locale/locale_fr-FR.ini
index 4ee11f3b5dcac..e957cf1e75283 100644
--- a/options/locale/locale_fr-FR.ini
+++ b/options/locale/locale_fr-FR.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname=Attribut nom de famille
 auths.attribute_mail=Attribut courriel
 auths.attribute_ssh_public_key=Attribut clé SSH publique
 auths.attribute_avatar=Attribut de l'avatar
+auths.ssh_keys_are_verified=Les clés SSH dans LDAP sont vérifiées automatiquement
 auths.attributes_in_bind=Aller chercher les attributs dans le contexte de liaison DN
 auths.allow_deactivate_all=Permettre à un résultat de recherche vide de désactiver tous les utilisateurs
 auths.use_paged_search=Utiliser la recherche paginée
diff --git a/options/locale/locale_ga-IE.ini b/options/locale/locale_ga-IE.ini
index 045fb14f8b317..fbea36763795b 100644
--- a/options/locale/locale_ga-IE.ini
+++ b/options/locale/locale_ga-IE.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname=Tréith Sloinne
 auths.attribute_mail=Tréith ríomhphoist
 auths.attribute_ssh_public_key=Tréith Eochair SSH Phoiblí
 auths.attribute_avatar=Tréith Avatar
+auths.ssh_keys_are_verified=Tá eochracha SSH i LDAP agus déantar díriú orthu go huathoibríoch
 auths.attributes_in_bind=Faigh tréithe i gComhthéacs Bind DN
 auths.allow_deactivate_all=Lig do thoradh cuardaigh folamh gach úsáideoir a dhíghníomhachtú
 auths.use_paged_search=Úsáid Cuardach Leathanaigh
diff --git a/options/locale/locale_it-IT.ini b/options/locale/locale_it-IT.ini
index fff612a89618f..df1ee0253a39d 100644
--- a/options/locale/locale_it-IT.ini
+++ b/options/locale/locale_it-IT.ini
@@ -2278,6 +2278,7 @@ auths.attribute_surname=Attributo cognome
 auths.attribute_mail=Attributo email
 auths.attribute_ssh_public_key=Attributo chiave SSH pubblica
 auths.attribute_avatar=Attributo Avatar
+auths.ssh_keys_are_verified=Le chiavi SSH in LDAP vengono verificate automaticamente
 auths.attributes_in_bind=Estrai Attributi dal Contesto Bind DN
 auths.allow_deactivate_all=Consenti un risultato di ricerca vuoto per disattivare tutti gli utenti
 auths.use_paged_search=Utilizza ricerca per pagina
diff --git a/options/locale/locale_ja-JP.ini b/options/locale/locale_ja-JP.ini
index 0d7df0647b19b..9444f4a92562c 100644
--- a/options/locale/locale_ja-JP.ini
+++ b/options/locale/locale_ja-JP.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname=姓
 auths.attribute_mail=メールアドレス
 auths.attribute_ssh_public_key=SSH公開鍵
 auths.attribute_avatar=アバター
+auths.ssh_keys_are_verified=LDAP内のSSHキーは自動的に検証されます
 auths.attributes_in_bind=バインドDNのコンテクストから属性を取得する
 auths.allow_deactivate_all=サーチ結果が空のときは全ユーザーを非アクティブ化
 auths.use_paged_search=ページ分割検索を使用
diff --git a/options/locale/locale_ko-KR.ini b/options/locale/locale_ko-KR.ini
index 405bcdd98be5c..6646835eeadb6 100644
--- a/options/locale/locale_ko-KR.ini
+++ b/options/locale/locale_ko-KR.ini
@@ -1306,6 +1306,7 @@ auths.attribute_name=이름 속성
 auths.attribute_surname=성 속성
 auths.attribute_mail=이메일 속성
 auths.attribute_ssh_public_key=SSH 공개 키 속성
+auths.ssh_keys_are_verified=LDAP의 SSH 키는 자동으로 검증됩니다
 auths.use_paged_search=페이지 검색 사용
 auths.search_page_size=페이지 크기
 auths.filter=사용자 필터
diff --git a/options/locale/locale_lv-LV.ini b/options/locale/locale_lv-LV.ini
index 81f8aaaf28eaa..55e435703bdc8 100644
--- a/options/locale/locale_lv-LV.ini
+++ b/options/locale/locale_lv-LV.ini
@@ -2693,6 +2693,7 @@ auths.attribute_surname=Uzvārda atribūts
 auths.attribute_mail=E-pasta atribūts
 auths.attribute_ssh_public_key=Publiskās SSH atslēgas atribūts
 auths.attribute_avatar=Profila attēla atribūts
+auths.ssh_keys_are_verified=SSH atslēgas LDAP tiek automātiski pārbaudītas
 auths.attributes_in_bind=Nolasīt atribūtus no saistīšanas DN konteksta
 auths.allow_deactivate_all=Atļaut tukšam datu izgūšanas rezultātam deaktivizēt visus lietotājus
 auths.use_paged_search=Izmantot, dalīto pa lapām, meklēšanu
diff --git a/options/locale/locale_nl-NL.ini b/options/locale/locale_nl-NL.ini
index 7a0c2b3f5af4f..f574b99c0416c 100644
--- a/options/locale/locale_nl-NL.ini
+++ b/options/locale/locale_nl-NL.ini
@@ -2160,6 +2160,7 @@ auths.attribute_name=Voornaam attribuut
 auths.attribute_surname=Achternaam attribuut
 auths.attribute_mail=E-mail attribuut
 auths.attribute_ssh_public_key=Publieke SSH sleutel attribuut
+auths.ssh_keys_are_verified=SSH-sleutels in LDAP worden automatisch geverifieerd
 auths.attributes_in_bind=Verkrijg attributes van de Bind DN context
 auths.allow_deactivate_all=Laat een leeg zoekresultaat toe om alle gebruikers te deactiveren
 auths.use_paged_search=Gebruik Paged Search
diff --git a/options/locale/locale_pl-PL.ini b/options/locale/locale_pl-PL.ini
index 540f5ee629db2..9465ee7cdb3e2 100644
--- a/options/locale/locale_pl-PL.ini
+++ b/options/locale/locale_pl-PL.ini
@@ -2044,6 +2044,7 @@ auths.attribute_name=Atrybut imienia
 auths.attribute_surname=Atrybut nazwiska
 auths.attribute_mail=Atrybut adresu e-mail
 auths.attribute_ssh_public_key=Atrybut publicznego klucza SSH
+auths.ssh_keys_are_verified=Klucze SSH w LDAP są automatycznie weryfikowane
 auths.attributes_in_bind=Pobierz atrybuty w kontekście Bind DN
 auths.allow_deactivate_all=Zezwól na pusty wynik wyszukiwania, aby zdezaktywować wszystkich użytkowników
 auths.use_paged_search=Użyj wyszukiwania paginowanego
diff --git a/options/locale/locale_pt-BR.ini b/options/locale/locale_pt-BR.ini
index d5bd3175f8bd6..67c81f76ea25f 100644
--- a/options/locale/locale_pt-BR.ini
+++ b/options/locale/locale_pt-BR.ini
@@ -2992,6 +2992,7 @@ auths.attribute_mail=Atributo do E-mail
 auths.attribute_ssh_public_key=Atributo da Chave SSH Pública
 auths.attribute_avatar=Atributo do Avatar
 auths.attributes_in_bind=Buscar os atributos no contexto de Bind DN
+auths.ssh_keys_are_verified=As chaves SSH no LDAP são verificadas automaticamente
 auths.allow_deactivate_all=Permitir que um resultado de pesquisa vazio para desativar todos os usuários
 auths.use_paged_search=Usar a Pesquisa Paginada
 auths.search_page_size=Tamanho da Página
diff --git a/options/locale/locale_pt-PT.ini b/options/locale/locale_pt-PT.ini
index 95ac1fb5a464a..e1ea967a58df5 100644
--- a/options/locale/locale_pt-PT.ini
+++ b/options/locale/locale_pt-PT.ini
@@ -3226,6 +3226,7 @@ auths.attribute_surname=Atributo do Sobrenome
 auths.attribute_mail=Atributo do email
 auths.attribute_ssh_public_key=Atributo da chave pública SSH
 auths.attribute_avatar=Atributo do avatar
+auths.ssh_keys_are_verified=As chaves SSH no LDAP são verificadas automaticamente
 auths.attributes_in_bind=Buscar atributos no contexto do Bind DN
 auths.allow_deactivate_all=Permitir que um resultado de pesquisa vazio desabilite todos os utilizadores
 auths.use_paged_search=Usar pesquisa paginada
diff --git a/options/locale/locale_ru-RU.ini b/options/locale/locale_ru-RU.ini
index 2625b4382b3ba..ec9749925779c 100644
--- a/options/locale/locale_ru-RU.ini
+++ b/options/locale/locale_ru-RU.ini
@@ -2646,6 +2646,7 @@ auths.attribute_surname=Атрибут Surname
 auths.attribute_mail=Атрибут электронной почты
 auths.attribute_ssh_public_key=Атрибут Открытый ключ SSH
 auths.attribute_avatar=Характеристики аватара
+auths.ssh_keys_are_verified=Ключи SSH автоматически верифицированы
 auths.attributes_in_bind=Извлекать атрибуты в контексте Bind DN
 auths.allow_deactivate_all=Разрешить пустой результат поиска для отключения всех пользователей
 auths.use_paged_search=Использовать постраничный поиск
diff --git a/options/locale/locale_si-LK.ini b/options/locale/locale_si-LK.ini
index 49ca5b042e8ea..15ee17c329161 100644
--- a/options/locale/locale_si-LK.ini
+++ b/options/locale/locale_si-LK.ini
@@ -2074,6 +2074,7 @@ auths.attribute_surname=වාසගම ගුණාංග
 auths.attribute_mail=ඊ-තැපැල් ගුණාංග
 auths.attribute_ssh_public_key=රාජ්ය SSH කී ගුණාංගය
 auths.attribute_avatar=අවතාර් ගුණාංග
+auths.ssh_keys_are_verified=LDAP හි SSH යතුරු ස්වයංක්‍රීයව සත්‍යාපනය කරනු ලැබේ
 auths.attributes_in_bind=ඩී. එන් සන්දර්භය තුළ ඇති ගුණාංග
 auths.allow_deactivate_all=සියලුම පරිශීලකයින් අක්රිය කිරීමට හිස් සෙවුම් ප්රති result ලයකට ඉඩ දෙන්න
 auths.use_paged_search=භාවිතා කරන්න paged සොයන්න
diff --git a/options/locale/locale_sv-SE.ini b/options/locale/locale_sv-SE.ini
index 79abdce4ab03c..b5eef8f84b7b3 100644
--- a/options/locale/locale_sv-SE.ini
+++ b/options/locale/locale_sv-SE.ini
@@ -1697,6 +1697,7 @@ auths.attribute_name=Förnamnsattribut
 auths.attribute_surname=Efternamnsattribut
 auths.attribute_mail=Mejlattribut
 auths.attribute_ssh_public_key=Attribut för offentlig SSH-nyckel
+auths.ssh_keys_are_verified=SSH-nycklar i LDAP verifieras automatiskt
 auths.attributes_in_bind=Hämta attribut ur Bind DN Context
 auths.use_paged_search=Använd paginerad sökning
 auths.search_page_size=Sidstorlek
diff --git a/options/locale/locale_tr-TR.ini b/options/locale/locale_tr-TR.ini
index 8be6a587fb2ce..dc1cfeda6a346 100644
--- a/options/locale/locale_tr-TR.ini
+++ b/options/locale/locale_tr-TR.ini
@@ -3220,6 +3220,7 @@ auths.attribute_surname=Soyad Özelliği
 auths.attribute_mail=E-posta Özelliği
 auths.attribute_ssh_public_key=Açık SSH Anahtarı Özelliği
 auths.attribute_avatar=Avatar Özelliği
+auths.ssh_keys_are_verified=LDAP'teki SSH anahtarları otomatik olarak doğrulanır. 
 auths.attributes_in_bind=Bağlı DN tabanındaki özellikleri çek
 auths.allow_deactivate_all=Boş bir arama sonucunun tüm kullanıcıları devre dışı bırakmasına izin ver
 auths.use_paged_search=Sayfalı Aramayı Kullan
diff --git a/options/locale/locale_uk-UA.ini b/options/locale/locale_uk-UA.ini
index b3d0c37cbef44..1b9e6636821d1 100644
--- a/options/locale/locale_uk-UA.ini
+++ b/options/locale/locale_uk-UA.ini
@@ -2842,6 +2842,7 @@ auths.attribute_surname=Властивості прізвища
 auths.attribute_mail=Властивості електронної пошти
 auths.attribute_ssh_public_key=Властивості публічного ключа SSH
 auths.attribute_avatar=Властивості аватару
+auths.ssh_keys_are_verified=SSH-ключі в LDAP автоматично перевіряються
 auths.attributes_in_bind=Витягувати атрибути в контексті Bind DN
 auths.allow_deactivate_all=Дозволити порожній результат пошуку, щоб деактивувати всіх користувачів
 auths.use_paged_search=Використовувати посторінковий пошук
diff --git a/options/locale/locale_zh-CN.ini b/options/locale/locale_zh-CN.ini
index 9db58e71acd32..42bdb71cdc107 100644
--- a/options/locale/locale_zh-CN.ini
+++ b/options/locale/locale_zh-CN.ini
@@ -3224,6 +3224,7 @@ auths.attribute_surname=姓氏属性
 auths.attribute_mail=电子邮箱属性
 auths.attribute_ssh_public_key=SSH公钥属性
 auths.attribute_avatar=头像属性
+auths.ssh_keys_are_verified=LDAP 中的 SSH 密钥会自动验证
 auths.attributes_in_bind=从 Bind DN 中拉取属性信息
 auths.allow_deactivate_all=允许在搜索结果为空时停用所有用户
 auths.use_paged_search=使用分页搜索
diff --git a/options/locale/locale_zh-TW.ini b/options/locale/locale_zh-TW.ini
index 74356c6cde327..e3be1f3b6c5ed 100644
--- a/options/locale/locale_zh-TW.ini
+++ b/options/locale/locale_zh-TW.ini
@@ -2927,6 +2927,7 @@ auths.attribute_surname=姓氏屬性
 auths.attribute_mail=電子郵件屬性
 auths.attribute_ssh_public_key=SSH 公鑰屬性
 auths.attribute_avatar=大頭貼屬性
+auths.ssh_keys_are_verified=LDAP 中的 SSH 密鑰會自動驗證
 auths.attributes_in_bind=從 Bind DN 中取得屬性資訊
 auths.allow_deactivate_all=允許在搜尋結果為空白時停用所有使用者帳戶
 auths.use_paged_search=使用分頁查詢
diff --git a/routers/api/v1/user/key.go b/routers/api/v1/user/key.go
index aa69245e4999d..08aa182ca19ec 100644
--- a/routers/api/v1/user/key.go
+++ b/routers/api/v1/user/key.go
@@ -211,7 +211,7 @@ func CreateUserPublicKey(ctx *context.APIContext, form api.CreateKeyOption, uid
 		return
 	}
 
-	key, err := asymkey_model.AddPublicKey(ctx, uid, form.Title, content, 0)
+	key, err := asymkey_model.AddPublicKey(ctx, uid, form.Title, content, 0, false)
 	if err != nil {
 		repo.HandleAddKeyError(ctx, err)
 		return
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index fb1a7d95240c2..7f72dd59316c8 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -136,6 +136,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {
 		AttributesInBind:      form.AttributesInBind,
 		AttributeSSHPublicKey: form.AttributeSSHPublicKey,
 		AttributeAvatar:       form.AttributeAvatar,
+                SSHKeysAreVerified:    form.SSHKeysAreVerified,
 		SearchPageSize:        pageSize,
 		Filter:                form.Filter,
 		GroupsEnabled:         form.GroupsEnabled,
diff --git a/routers/web/auth/oauth_signin_sync.go b/routers/web/auth/oauth_signin_sync.go
index 86d196602452a..2f7a8eab58090 100644
--- a/routers/web/auth/oauth_signin_sync.go
+++ b/routers/web/auth/oauth_signin_sync.go
@@ -86,7 +86,7 @@ func oauth2UpdateSSHPubIfNeed(ctx *context.Context, authSource *auth.Source, got
 	if err != nil {
 		return err
 	}
-	if !asymkey_model.SynchronizePublicKeys(ctx, user, authSource, sshKeys) {
+	if !asymkey_model.SynchronizePublicKeys(ctx, user, authSource, sshKeys, false) {
 		return nil
 	}
 	return asymkey_service.RewriteAllPublicKeys(ctx)
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index 6b5a7a2e2a0bd..ef7ef47c51957 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -187,7 +187,7 @@ func KeysPost(ctx *context.Context) {
 			return
 		}
 
-		if _, err = asymkey_model.AddPublicKey(ctx, ctx.Doer.ID, form.Title, content, 0); err != nil {
+		if _, err = asymkey_model.AddPublicKey(ctx, ctx.Doer.ID, form.Title, content, 0, false); err != nil {
 			ctx.Data["HasSSHError"] = true
 			switch {
 			case asymkey_model.IsErrKeyAlreadyExist(err):
diff --git a/services/asymkey/commit_test.go b/services/asymkey/commit_test.go
index 6edba1e90aff3..2dd08b5dd4cff 100644
--- a/services/asymkey/commit_test.go
+++ b/services/asymkey/commit_test.go
@@ -31,7 +31,7 @@ func TestParseCommitWithSSHSignature(t *testing.T) {
 	// AAAEDWqPHTH51xb4hy1y1f1VeWL/2A9Q0b6atOyv5fx8x5prpPrMXSg9qTx04jPNPWRcHs
 	// utyxWjThIpzcaO68yWVnAAAAEXVzZXIyQGV4YW1wbGUuY29tAQIDBA==
 	// -----END OPENSSH PRIVATE KEY-----
-	sshPubKey, err := asymkey_model.AddPublicKey(t.Context(), 999, "user-ssh-key-any-name", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpPrMXSg9qTx04jPNPWRcHsutyxWjThIpzcaO68yWVn", 0)
+	sshPubKey, err := asymkey_model.AddPublicKey(t.Context(), 999, "user-ssh-key-any-name", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpPrMXSg9qTx04jPNPWRcHsutyxWjThIpzcaO68yWVn", 0, false)
 	require.NoError(t, err)
 	_, err = db.GetEngine(t.Context()).ID(sshPubKey.ID).Cols("verified").Update(&asymkey_model.PublicKey{Verified: true})
 	require.NoError(t, err)
diff --git a/services/asymkey/ssh_key_test.go b/services/asymkey/ssh_key_test.go
index 3605bd1e64c82..b052050dc6b18 100644
--- a/services/asymkey/ssh_key_test.go
+++ b/services/asymkey/ssh_key_test.go
@@ -66,7 +66,7 @@ ssh-dss AAAAB3NzaC1kc3MAAACBAOChCC7lf6Uo9n7BmZ6M8St19PZf4Tn59NriyboW2x/DZuYAz3ib
 
 	for i, kase := range testCases {
 		s.ID = int64(i) + 20
-		asymkey_model.AddPublicKeysBySource(t.Context(), user, s, []string{kase.keyString})
+		asymkey_model.AddPublicKeysBySource(t.Context(), user, s, []string{kase.keyString}, false)
 		keys, err := db.Find[asymkey_model.PublicKey](t.Context(), asymkey_model.FindPublicKeyOptions{
 			OwnerID:       user.ID,
 			LoginSourceID: s.ID,
diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go
index 2362cad8aae7a..2fa85af23b59c 100644
--- a/services/auth/source/ldap/source.go
+++ b/services/auth/source/ldap/source.go
@@ -44,6 +44,7 @@ type Source struct {
 	AttributesInBind      bool   // fetch attributes in bind context (not user)
 	AttributeSSHPublicKey string // LDAP SSH Public Key attribute
 	AttributeAvatar       string
+        SSHKeysAreVerified    bool   // true if SSH keys in LDAP are verified
 	SearchPageSize        uint32 // Search with paging page size
 	Filter                string // Query filter to validate entry
 	AdminFilter           string // Query filter to check if user is admin
diff --git a/services/auth/source/ldap/source_authenticate.go b/services/auth/source/ldap/source_authenticate.go
index 4463bcc05446c..582841aebec5f 100644
--- a/services/auth/source/ldap/source_authenticate.go
+++ b/services/auth/source/ldap/source_authenticate.go
@@ -73,7 +73,7 @@ func (source *Source) Authenticate(ctx context.Context, user *user_model.User, u
 	}
 
 	if user != nil {
-		if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, user, source.AuthSource, sr.SSHPublicKey) {
+		if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, user, source.AuthSource, sr.SSHPublicKey, source.SSHKeysAreVerified) {
 			if err := asymkey_service.RewriteAllPublicKeys(ctx); err != nil {
 				return user, err
 			}
@@ -99,7 +99,7 @@ func (source *Source) Authenticate(ctx context.Context, user *user_model.User, u
 			return user, err
 		}
 
-		if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(ctx, user, source.AuthSource, sr.SSHPublicKey) {
+		if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(ctx, user, source.AuthSource, sr.SSHPublicKey, source.SSHKeysAreVerified) {
 			if err := asymkey_service.RewriteAllPublicKeys(ctx); err != nil {
 				return user, err
 			}
diff --git a/services/auth/source/ldap/source_sync.go b/services/auth/source/ldap/source_sync.go
index 7b401c5c96b92..0c5fdac674a24 100644
--- a/services/auth/source/ldap/source_sync.go
+++ b/services/auth/source/ldap/source_sync.go
@@ -135,7 +135,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 
 			if err == nil && isAttributeSSHPublicKeySet {
 				log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.AuthSource.Name, usr.Name)
-				if asymkey_model.AddPublicKeysBySource(ctx, usr, source.AuthSource, su.SSHPublicKey) {
+				if asymkey_model.AddPublicKeysBySource(ctx, usr, source.AuthSource, su.SSHPublicKey, source.SSHKeysAreVerified) {
 					sshKeysNeedUpdate = true
 				}
 			}
@@ -145,7 +145,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 			}
 		} else if updateExisting {
 			// Synchronize SSH Public Key if that attribute is set
-			if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, usr, source.AuthSource, su.SSHPublicKey) {
+			if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, usr, source.AuthSource, su.SSHPublicKey, source.SSHKeysAreVerified) {
 				sshKeysNeedUpdate = true
 			}
 
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
index 886110236c29b..e56bfd7538cff 100644
--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -34,6 +34,7 @@ type AuthenticationForm struct {
 	AttributeMail         string
 	AttributeSSHPublicKey string
 	AttributeAvatar       string
+        SSHKeysAreVerified    bool
 	AttributesInBind      bool
 	UsePagedSearch        bool
 	SearchPageSize        int
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 7b96b4e94fd2b..2d22dfb9da410 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -113,6 +113,12 @@
 						<input id="attribute_avatar" name="attribute_avatar" value="{{$cfg.AttributeAvatar}}" placeholder="jpegPhoto">
 					</div>
 
+                                        <div class="inline field">
+                                                <div class="ui checkbox">
+                                                        <label for="ssh_keys_are_verified"><strong>{{ctx.Locale.Tr "admin.auths.ssh_keys_are_verified"}}</strong></label>
+                                                        <input id="ssh_keys_are_verified" name="ssh_keys_are_verified" type="checkbox" {{if $cfg.SSHKeysAreVerified}}checked{{end}}>
+                                                </div>
+                                        </div>
 					<!-- ldap group begin -->
 					<div class="inline field">
 						<div class="ui checkbox">
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl
index 9754aed55a5d2..b91bede0029da 100644
--- a/templates/admin/auth/source/ldap.tmpl
+++ b/templates/admin/auth/source/ldap.tmpl
@@ -80,6 +80,12 @@
 		<input id="attribute_avatar" name="attribute_avatar" value="{{.attribute_avatar}}" placeholder="jpegPhoto">
 	</div>
 
+        <div class="inline field">
+                <div class="ui checkbox">
+                        <label for="ssh_keys_are_verified"><strong>{{ctx.Locale.Tr "admin.auths.ssh_keys_are_verified"}}</strong></label>
+                        <input id="ssh_keys_are_verified" name="ssh_keys_are_verified" type="checkbox" {{if .ssh_keys_are_verified}}checked{{end}}>
+                </div>
+        </div>
 	<!-- ldap group begin -->
 	<div class="inline field">
 		<div class="ui checkbox">

From 692007602c6d4fae4ca0817d005cbc4f709be502 Mon Sep 17 00:00:00 2001
From: Ivan Tkachev <itkachev@hyperad.tech>
Date: Tue, 11 Nov 2025 17:00:57 +0300
Subject: [PATCH 2/5] Fix formatting

---
 cmd/admin_auth_ldap.go              | 8 ++++----
 models/asymkey/ssh_key.go           | 2 +-
 routers/web/admin/auths.go          | 2 +-
 services/auth/source/ldap/source.go | 2 +-
 services/forms/auth_form.go         | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index 3a36cdb7a9043..c9be5abb379b0 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -94,10 +94,10 @@ func commonLdapCLIFlags() []cli.Flag {
 			Name:  "public-ssh-key-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
 		},
-                &cli.BoolFlag{
-                        Name:  "ssh-keys-are-verified",
-                        Usage: "Set to true to automatically flag SSH keys in LDAP as verified.",
-                },
+		&cli.BoolFlag{
+			Name:  "ssh-keys-are-verified",
+			Usage: "Set to true to automatically flag SSH keys in LDAP as verified.",
+		},
 		&cli.BoolFlag{
 			Name:  "skip-local-2fa",
 			Usage: "Set to true to skip local 2fa for users authenticated by this source",
diff --git a/models/asymkey/ssh_key.go b/models/asymkey/ssh_key.go
index 45f95b09490f0..98784b36bd3fe 100644
--- a/models/asymkey/ssh_key.go
+++ b/models/asymkey/ssh_key.go
@@ -115,7 +115,7 @@ func AddPublicKey(ctx context.Context, ownerID int64, name, content string, auth
 			Mode:          perm.AccessModeWrite,
 			Type:          KeyTypeUser,
 			LoginSourceID: authSourceID,
-                        Verified:      verified,
+			Verified:      verified,
 		}
 		if err = addKey(ctx, key); err != nil {
 			return nil, fmt.Errorf("addKey: %w", err)
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 7f72dd59316c8..3407789f2f951 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -136,7 +136,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {
 		AttributesInBind:      form.AttributesInBind,
 		AttributeSSHPublicKey: form.AttributeSSHPublicKey,
 		AttributeAvatar:       form.AttributeAvatar,
-                SSHKeysAreVerified:    form.SSHKeysAreVerified,
+		SSHKeysAreVerified:    form.SSHKeysAreVerified,
 		SearchPageSize:        pageSize,
 		Filter:                form.Filter,
 		GroupsEnabled:         form.GroupsEnabled,
diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go
index 2fa85af23b59c..81d4b5446bd4a 100644
--- a/services/auth/source/ldap/source.go
+++ b/services/auth/source/ldap/source.go
@@ -44,7 +44,7 @@ type Source struct {
 	AttributesInBind      bool   // fetch attributes in bind context (not user)
 	AttributeSSHPublicKey string // LDAP SSH Public Key attribute
 	AttributeAvatar       string
-        SSHKeysAreVerified    bool   // true if SSH keys in LDAP are verified
+	SSHKeysAreVerified    bool   // true if SSH keys in LDAP are verified
 	SearchPageSize        uint32 // Search with paging page size
 	Filter                string // Query filter to validate entry
 	AdminFilter           string // Query filter to check if user is admin
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
index e56bfd7538cff..95965b5f29a94 100644
--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -34,7 +34,7 @@ type AuthenticationForm struct {
 	AttributeMail         string
 	AttributeSSHPublicKey string
 	AttributeAvatar       string
-        SSHKeysAreVerified    bool
+	SSHKeysAreVerified    bool
 	AttributesInBind      bool
 	UsePagedSearch        bool
 	SearchPageSize        int

From 45db8297305c2c6f757082a9b9f6960f7024eb90 Mon Sep 17 00:00:00 2001
From: Ivan Tkachev <itkachev@hyperad.tech>
Date: Tue, 11 Nov 2025 17:05:09 +0300
Subject: [PATCH 3/5] Remove translations

---
 options/locale/locale_cs-CZ.ini | 1 -
 options/locale/locale_de-DE.ini | 1 -
 options/locale/locale_el-GR.ini | 1 -
 options/locale/locale_es-ES.ini | 1 -
 options/locale/locale_fa-IR.ini | 1 -
 options/locale/locale_fr-FR.ini | 1 -
 options/locale/locale_ga-IE.ini | 1 -
 options/locale/locale_it-IT.ini | 1 -
 options/locale/locale_ja-JP.ini | 1 -
 options/locale/locale_ko-KR.ini | 1 -
 options/locale/locale_lv-LV.ini | 1 -
 options/locale/locale_nl-NL.ini | 1 -
 options/locale/locale_pl-PL.ini | 1 -
 options/locale/locale_pt-BR.ini | 1 -
 options/locale/locale_pt-PT.ini | 1 -
 options/locale/locale_ru-RU.ini | 1 -
 options/locale/locale_si-LK.ini | 1 -
 options/locale/locale_sv-SE.ini | 1 -
 options/locale/locale_tr-TR.ini | 1 -
 options/locale/locale_uk-UA.ini | 1 -
 options/locale/locale_zh-CN.ini | 1 -
 options/locale/locale_zh-TW.ini | 1 -
 22 files changed, 22 deletions(-)

diff --git a/options/locale/locale_cs-CZ.ini b/options/locale/locale_cs-CZ.ini
index d1f4b8da6fbc1..384c65005427e 100644
--- a/options/locale/locale_cs-CZ.ini
+++ b/options/locale/locale_cs-CZ.ini
@@ -2950,7 +2950,6 @@ auths.attribute_surname=Atribut příjmení
 auths.attribute_mail=Atribut e-mailové adresy
 auths.attribute_ssh_public_key=Atribut veřejného SSH klíče
 auths.attribute_avatar=Atributy avataru
-auths.ssh_keys_are_verified=SSH klíče v LDAP jsou automaticky ověřovány. 
 auths.attributes_in_bind=Získat atributy v kontextu Bind DN
 auths.allow_deactivate_all=Povolit prázdný výsledek hledání pro deaktivaci všech uživatelů
 auths.use_paged_search=Použijte vyhledávání ve stránce
diff --git a/options/locale/locale_de-DE.ini b/options/locale/locale_de-DE.ini
index 0f0734845d966..a4ff1e8a08b45 100644
--- a/options/locale/locale_de-DE.ini
+++ b/options/locale/locale_de-DE.ini
@@ -3000,7 +3000,6 @@ auths.attribute_surname=Nachnamensattribut
 auths.attribute_mail=E-Mail-Attribut
 auths.attribute_ssh_public_key=Öffentlicher-SSH-Schlüssel-Attribut
 auths.attribute_avatar=Avatar-Attribut
-auths.ssh_keys_are_verified=SSH-Schlüssel in LDAP werden automatisch überprüft
 auths.attributes_in_bind=Hole Attribute im Bind-Kontext
 auths.allow_deactivate_all=Erlaube ein leeres Suchergebnis, um alle Benutzer zu deaktivieren
 auths.use_paged_search=Seitensuche verwenden
diff --git a/options/locale/locale_el-GR.ini b/options/locale/locale_el-GR.ini
index 22985245f7700..86397138a326f 100644
--- a/options/locale/locale_el-GR.ini
+++ b/options/locale/locale_el-GR.ini
@@ -2692,7 +2692,6 @@ auths.attribute_surname=Χαρακτηριστικό Επωνύμου
 auths.attribute_mail=Χαρακτηριστικό Email
 auths.attribute_ssh_public_key=Χαρακτηριστικό Δημόσιου Κλειδιού SSH
 auths.attribute_avatar=Χαρακτηριστικό Εικόνας
-auths.ssh_keys_are_verified=Οι κλειδιά SSH στο LDAP ελέγχονται αυτόματα
 auths.attributes_in_bind=Λήψη χαρακτηριστικών μέσα στο πλαίσιο του Bind DN
 auths.allow_deactivate_all=Επιτρέψτε σε ένα κενό αποτέλεσμα αναζήτησης να απενεργοποιήσει όλους τους χρήστες
 auths.use_paged_search=Χρήση Σελιδοποιημένης Αναζήτησης
diff --git a/options/locale/locale_es-ES.ini b/options/locale/locale_es-ES.ini
index ddc325df58f8d..cf87084f3bdc0 100644
--- a/options/locale/locale_es-ES.ini
+++ b/options/locale/locale_es-ES.ini
@@ -2672,7 +2672,6 @@ auths.attribute_surname=Atributo apellido
 auths.attribute_mail=Atributo correo electrónico
 auths.attribute_ssh_public_key=Atributo Clave Pública SSH
 auths.attribute_avatar=Atributo del avatar
-auths.ssh_keys_are_verified=Las claves SSH en LDAP se verifican automáticamente
 auths.attributes_in_bind=Obtener atributos en el contexto de Bind DN
 auths.allow_deactivate_all=Permitir un resultado de búsqueda vacío para desactivar todos los usuarios
 auths.use_paged_search=Usar búsqueda paginada
diff --git a/options/locale/locale_fa-IR.ini b/options/locale/locale_fa-IR.ini
index b971a47f79152..b0a6cc799f654 100644
--- a/options/locale/locale_fa-IR.ini
+++ b/options/locale/locale_fa-IR.ini
@@ -2111,7 +2111,6 @@ auths.attribute_surname=ویژگی نام خانوادگی
 auths.attribute_mail=ویژگی ایمیل
 auths.attribute_ssh_public_key=ویژگی های کلید SSH عمومی
 auths.attribute_avatar=ویژگی آواتار
-auths.ssh_keys_are_verified=کلیدهای SSH در LDAP به صورت خودکار تأیید می‌شوند. 
 auths.attributes_in_bind=واکشی ویژگی های DN متصل شده در متن زمینه
 auths.allow_deactivate_all=به یک نتیجه جستجوی خالی اجازه دهید تا همه کاربران را غیرفعال کند
 auths.use_paged_search=استفاده از جستجو ثبت شده
diff --git a/options/locale/locale_fr-FR.ini b/options/locale/locale_fr-FR.ini
index e957cf1e75283..4ee11f3b5dcac 100644
--- a/options/locale/locale_fr-FR.ini
+++ b/options/locale/locale_fr-FR.ini
@@ -3226,7 +3226,6 @@ auths.attribute_surname=Attribut nom de famille
 auths.attribute_mail=Attribut courriel
 auths.attribute_ssh_public_key=Attribut clé SSH publique
 auths.attribute_avatar=Attribut de l'avatar
-auths.ssh_keys_are_verified=Les clés SSH dans LDAP sont vérifiées automatiquement
 auths.attributes_in_bind=Aller chercher les attributs dans le contexte de liaison DN
 auths.allow_deactivate_all=Permettre à un résultat de recherche vide de désactiver tous les utilisateurs
 auths.use_paged_search=Utiliser la recherche paginée
diff --git a/options/locale/locale_ga-IE.ini b/options/locale/locale_ga-IE.ini
index fbea36763795b..045fb14f8b317 100644
--- a/options/locale/locale_ga-IE.ini
+++ b/options/locale/locale_ga-IE.ini
@@ -3226,7 +3226,6 @@ auths.attribute_surname=Tréith Sloinne
 auths.attribute_mail=Tréith ríomhphoist
 auths.attribute_ssh_public_key=Tréith Eochair SSH Phoiblí
 auths.attribute_avatar=Tréith Avatar
-auths.ssh_keys_are_verified=Tá eochracha SSH i LDAP agus déantar díriú orthu go huathoibríoch
 auths.attributes_in_bind=Faigh tréithe i gComhthéacs Bind DN
 auths.allow_deactivate_all=Lig do thoradh cuardaigh folamh gach úsáideoir a dhíghníomhachtú
 auths.use_paged_search=Úsáid Cuardach Leathanaigh
diff --git a/options/locale/locale_it-IT.ini b/options/locale/locale_it-IT.ini
index df1ee0253a39d..fff612a89618f 100644
--- a/options/locale/locale_it-IT.ini
+++ b/options/locale/locale_it-IT.ini
@@ -2278,7 +2278,6 @@ auths.attribute_surname=Attributo cognome
 auths.attribute_mail=Attributo email
 auths.attribute_ssh_public_key=Attributo chiave SSH pubblica
 auths.attribute_avatar=Attributo Avatar
-auths.ssh_keys_are_verified=Le chiavi SSH in LDAP vengono verificate automaticamente
 auths.attributes_in_bind=Estrai Attributi dal Contesto Bind DN
 auths.allow_deactivate_all=Consenti un risultato di ricerca vuoto per disattivare tutti gli utenti
 auths.use_paged_search=Utilizza ricerca per pagina
diff --git a/options/locale/locale_ja-JP.ini b/options/locale/locale_ja-JP.ini
index 9444f4a92562c..0d7df0647b19b 100644
--- a/options/locale/locale_ja-JP.ini
+++ b/options/locale/locale_ja-JP.ini
@@ -3226,7 +3226,6 @@ auths.attribute_surname=姓
 auths.attribute_mail=メールアドレス
 auths.attribute_ssh_public_key=SSH公開鍵
 auths.attribute_avatar=アバター
-auths.ssh_keys_are_verified=LDAP内のSSHキーは自動的に検証されます
 auths.attributes_in_bind=バインドDNのコンテクストから属性を取得する
 auths.allow_deactivate_all=サーチ結果が空のときは全ユーザーを非アクティブ化
 auths.use_paged_search=ページ分割検索を使用
diff --git a/options/locale/locale_ko-KR.ini b/options/locale/locale_ko-KR.ini
index 6646835eeadb6..405bcdd98be5c 100644
--- a/options/locale/locale_ko-KR.ini
+++ b/options/locale/locale_ko-KR.ini
@@ -1306,7 +1306,6 @@ auths.attribute_name=이름 속성
 auths.attribute_surname=성 속성
 auths.attribute_mail=이메일 속성
 auths.attribute_ssh_public_key=SSH 공개 키 속성
-auths.ssh_keys_are_verified=LDAP의 SSH 키는 자동으로 검증됩니다
 auths.use_paged_search=페이지 검색 사용
 auths.search_page_size=페이지 크기
 auths.filter=사용자 필터
diff --git a/options/locale/locale_lv-LV.ini b/options/locale/locale_lv-LV.ini
index 55e435703bdc8..81f8aaaf28eaa 100644
--- a/options/locale/locale_lv-LV.ini
+++ b/options/locale/locale_lv-LV.ini
@@ -2693,7 +2693,6 @@ auths.attribute_surname=Uzvārda atribūts
 auths.attribute_mail=E-pasta atribūts
 auths.attribute_ssh_public_key=Publiskās SSH atslēgas atribūts
 auths.attribute_avatar=Profila attēla atribūts
-auths.ssh_keys_are_verified=SSH atslēgas LDAP tiek automātiski pārbaudītas
 auths.attributes_in_bind=Nolasīt atribūtus no saistīšanas DN konteksta
 auths.allow_deactivate_all=Atļaut tukšam datu izgūšanas rezultātam deaktivizēt visus lietotājus
 auths.use_paged_search=Izmantot, dalīto pa lapām, meklēšanu
diff --git a/options/locale/locale_nl-NL.ini b/options/locale/locale_nl-NL.ini
index f574b99c0416c..7a0c2b3f5af4f 100644
--- a/options/locale/locale_nl-NL.ini
+++ b/options/locale/locale_nl-NL.ini
@@ -2160,7 +2160,6 @@ auths.attribute_name=Voornaam attribuut
 auths.attribute_surname=Achternaam attribuut
 auths.attribute_mail=E-mail attribuut
 auths.attribute_ssh_public_key=Publieke SSH sleutel attribuut
-auths.ssh_keys_are_verified=SSH-sleutels in LDAP worden automatisch geverifieerd
 auths.attributes_in_bind=Verkrijg attributes van de Bind DN context
 auths.allow_deactivate_all=Laat een leeg zoekresultaat toe om alle gebruikers te deactiveren
 auths.use_paged_search=Gebruik Paged Search
diff --git a/options/locale/locale_pl-PL.ini b/options/locale/locale_pl-PL.ini
index 9465ee7cdb3e2..540f5ee629db2 100644
--- a/options/locale/locale_pl-PL.ini
+++ b/options/locale/locale_pl-PL.ini
@@ -2044,7 +2044,6 @@ auths.attribute_name=Atrybut imienia
 auths.attribute_surname=Atrybut nazwiska
 auths.attribute_mail=Atrybut adresu e-mail
 auths.attribute_ssh_public_key=Atrybut publicznego klucza SSH
-auths.ssh_keys_are_verified=Klucze SSH w LDAP są automatycznie weryfikowane
 auths.attributes_in_bind=Pobierz atrybuty w kontekście Bind DN
 auths.allow_deactivate_all=Zezwól na pusty wynik wyszukiwania, aby zdezaktywować wszystkich użytkowników
 auths.use_paged_search=Użyj wyszukiwania paginowanego
diff --git a/options/locale/locale_pt-BR.ini b/options/locale/locale_pt-BR.ini
index 67c81f76ea25f..d5bd3175f8bd6 100644
--- a/options/locale/locale_pt-BR.ini
+++ b/options/locale/locale_pt-BR.ini
@@ -2992,7 +2992,6 @@ auths.attribute_mail=Atributo do E-mail
 auths.attribute_ssh_public_key=Atributo da Chave SSH Pública
 auths.attribute_avatar=Atributo do Avatar
 auths.attributes_in_bind=Buscar os atributos no contexto de Bind DN
-auths.ssh_keys_are_verified=As chaves SSH no LDAP são verificadas automaticamente
 auths.allow_deactivate_all=Permitir que um resultado de pesquisa vazio para desativar todos os usuários
 auths.use_paged_search=Usar a Pesquisa Paginada
 auths.search_page_size=Tamanho da Página
diff --git a/options/locale/locale_pt-PT.ini b/options/locale/locale_pt-PT.ini
index e1ea967a58df5..95ac1fb5a464a 100644
--- a/options/locale/locale_pt-PT.ini
+++ b/options/locale/locale_pt-PT.ini
@@ -3226,7 +3226,6 @@ auths.attribute_surname=Atributo do Sobrenome
 auths.attribute_mail=Atributo do email
 auths.attribute_ssh_public_key=Atributo da chave pública SSH
 auths.attribute_avatar=Atributo do avatar
-auths.ssh_keys_are_verified=As chaves SSH no LDAP são verificadas automaticamente
 auths.attributes_in_bind=Buscar atributos no contexto do Bind DN
 auths.allow_deactivate_all=Permitir que um resultado de pesquisa vazio desabilite todos os utilizadores
 auths.use_paged_search=Usar pesquisa paginada
diff --git a/options/locale/locale_ru-RU.ini b/options/locale/locale_ru-RU.ini
index ec9749925779c..2625b4382b3ba 100644
--- a/options/locale/locale_ru-RU.ini
+++ b/options/locale/locale_ru-RU.ini
@@ -2646,7 +2646,6 @@ auths.attribute_surname=Атрибут Surname
 auths.attribute_mail=Атрибут электронной почты
 auths.attribute_ssh_public_key=Атрибут Открытый ключ SSH
 auths.attribute_avatar=Характеристики аватара
-auths.ssh_keys_are_verified=Ключи SSH автоматически верифицированы
 auths.attributes_in_bind=Извлекать атрибуты в контексте Bind DN
 auths.allow_deactivate_all=Разрешить пустой результат поиска для отключения всех пользователей
 auths.use_paged_search=Использовать постраничный поиск
diff --git a/options/locale/locale_si-LK.ini b/options/locale/locale_si-LK.ini
index 15ee17c329161..49ca5b042e8ea 100644
--- a/options/locale/locale_si-LK.ini
+++ b/options/locale/locale_si-LK.ini
@@ -2074,7 +2074,6 @@ auths.attribute_surname=වාසගම ගුණාංග
 auths.attribute_mail=ඊ-තැපැල් ගුණාංග
 auths.attribute_ssh_public_key=රාජ්ය SSH කී ගුණාංගය
 auths.attribute_avatar=අවතාර් ගුණාංග
-auths.ssh_keys_are_verified=LDAP හි SSH යතුරු ස්වයංක්‍රීයව සත්‍යාපනය කරනු ලැබේ
 auths.attributes_in_bind=ඩී. එන් සන්දර්භය තුළ ඇති ගුණාංග
 auths.allow_deactivate_all=සියලුම පරිශීලකයින් අක්රිය කිරීමට හිස් සෙවුම් ප්රති result ලයකට ඉඩ දෙන්න
 auths.use_paged_search=භාවිතා කරන්න paged සොයන්න
diff --git a/options/locale/locale_sv-SE.ini b/options/locale/locale_sv-SE.ini
index b5eef8f84b7b3..79abdce4ab03c 100644
--- a/options/locale/locale_sv-SE.ini
+++ b/options/locale/locale_sv-SE.ini
@@ -1697,7 +1697,6 @@ auths.attribute_name=Förnamnsattribut
 auths.attribute_surname=Efternamnsattribut
 auths.attribute_mail=Mejlattribut
 auths.attribute_ssh_public_key=Attribut för offentlig SSH-nyckel
-auths.ssh_keys_are_verified=SSH-nycklar i LDAP verifieras automatiskt
 auths.attributes_in_bind=Hämta attribut ur Bind DN Context
 auths.use_paged_search=Använd paginerad sökning
 auths.search_page_size=Sidstorlek
diff --git a/options/locale/locale_tr-TR.ini b/options/locale/locale_tr-TR.ini
index dc1cfeda6a346..8be6a587fb2ce 100644
--- a/options/locale/locale_tr-TR.ini
+++ b/options/locale/locale_tr-TR.ini
@@ -3220,7 +3220,6 @@ auths.attribute_surname=Soyad Özelliği
 auths.attribute_mail=E-posta Özelliği
 auths.attribute_ssh_public_key=Açık SSH Anahtarı Özelliği
 auths.attribute_avatar=Avatar Özelliği
-auths.ssh_keys_are_verified=LDAP'teki SSH anahtarları otomatik olarak doğrulanır. 
 auths.attributes_in_bind=Bağlı DN tabanındaki özellikleri çek
 auths.allow_deactivate_all=Boş bir arama sonucunun tüm kullanıcıları devre dışı bırakmasına izin ver
 auths.use_paged_search=Sayfalı Aramayı Kullan
diff --git a/options/locale/locale_uk-UA.ini b/options/locale/locale_uk-UA.ini
index 1b9e6636821d1..b3d0c37cbef44 100644
--- a/options/locale/locale_uk-UA.ini
+++ b/options/locale/locale_uk-UA.ini
@@ -2842,7 +2842,6 @@ auths.attribute_surname=Властивості прізвища
 auths.attribute_mail=Властивості електронної пошти
 auths.attribute_ssh_public_key=Властивості публічного ключа SSH
 auths.attribute_avatar=Властивості аватару
-auths.ssh_keys_are_verified=SSH-ключі в LDAP автоматично перевіряються
 auths.attributes_in_bind=Витягувати атрибути в контексті Bind DN
 auths.allow_deactivate_all=Дозволити порожній результат пошуку, щоб деактивувати всіх користувачів
 auths.use_paged_search=Використовувати посторінковий пошук
diff --git a/options/locale/locale_zh-CN.ini b/options/locale/locale_zh-CN.ini
index 42bdb71cdc107..9db58e71acd32 100644
--- a/options/locale/locale_zh-CN.ini
+++ b/options/locale/locale_zh-CN.ini
@@ -3224,7 +3224,6 @@ auths.attribute_surname=姓氏属性
 auths.attribute_mail=电子邮箱属性
 auths.attribute_ssh_public_key=SSH公钥属性
 auths.attribute_avatar=头像属性
-auths.ssh_keys_are_verified=LDAP 中的 SSH 密钥会自动验证
 auths.attributes_in_bind=从 Bind DN 中拉取属性信息
 auths.allow_deactivate_all=允许在搜索结果为空时停用所有用户
 auths.use_paged_search=使用分页搜索
diff --git a/options/locale/locale_zh-TW.ini b/options/locale/locale_zh-TW.ini
index e3be1f3b6c5ed..74356c6cde327 100644
--- a/options/locale/locale_zh-TW.ini
+++ b/options/locale/locale_zh-TW.ini
@@ -2927,7 +2927,6 @@ auths.attribute_surname=姓氏屬性
 auths.attribute_mail=電子郵件屬性
 auths.attribute_ssh_public_key=SSH 公鑰屬性
 auths.attribute_avatar=大頭貼屬性
-auths.ssh_keys_are_verified=LDAP 中的 SSH 密鑰會自動驗證
 auths.attributes_in_bind=從 Bind DN 中取得屬性資訊
 auths.allow_deactivate_all=允許在搜尋結果為空白時停用所有使用者帳戶
 auths.use_paged_search=使用分頁查詢

From 12f81975cfa3226fb63a0fd40b959ac874195dc6 Mon Sep 17 00:00:00 2001
From: Ivan Tkachev <itkachev@hyperad.tech>
Date: Tue, 11 Nov 2025 17:26:31 +0300
Subject: [PATCH 4/5] Fix whitespace

---
 templates/admin/auth/edit.tmpl        | 12 ++++++------
 templates/admin/auth/source/ldap.tmpl | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 2d22dfb9da410..c5cd2e3e290ed 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -113,12 +113,12 @@
 						<input id="attribute_avatar" name="attribute_avatar" value="{{$cfg.AttributeAvatar}}" placeholder="jpegPhoto">
 					</div>
 
-                                        <div class="inline field">
-                                                <div class="ui checkbox">
-                                                        <label for="ssh_keys_are_verified"><strong>{{ctx.Locale.Tr "admin.auths.ssh_keys_are_verified"}}</strong></label>
-                                                        <input id="ssh_keys_are_verified" name="ssh_keys_are_verified" type="checkbox" {{if $cfg.SSHKeysAreVerified}}checked{{end}}>
-                                                </div>
-                                        </div>
+					<div class="inline field">
+						<div class="ui checkbox">
+							<label for="ssh_keys_are_verified"><strong>{{ctx.Locale.Tr "admin.auths.ssh_keys_are_verified"}}</strong></label>
+							<input id="ssh_keys_are_verified" name="ssh_keys_are_verified" type="checkbox" {{if $cfg.SSHKeysAreVerified}}checked{{end}}>
+						</div>
+					</div>
 					<!-- ldap group begin -->
 					<div class="inline field">
 						<div class="ui checkbox">
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl
index b91bede0029da..e5852daa3d4e7 100644
--- a/templates/admin/auth/source/ldap.tmpl
+++ b/templates/admin/auth/source/ldap.tmpl
@@ -80,12 +80,12 @@
 		<input id="attribute_avatar" name="attribute_avatar" value="{{.attribute_avatar}}" placeholder="jpegPhoto">
 	</div>
 
-        <div class="inline field">
-                <div class="ui checkbox">
-                        <label for="ssh_keys_are_verified"><strong>{{ctx.Locale.Tr "admin.auths.ssh_keys_are_verified"}}</strong></label>
-                        <input id="ssh_keys_are_verified" name="ssh_keys_are_verified" type="checkbox" {{if .ssh_keys_are_verified}}checked{{end}}>
-                </div>
-        </div>
+	<div class="inline field">
+		<div class="ui checkbox">
+			<label for="ssh_keys_are_verified"><strong>{{ctx.Locale.Tr "admin.auths.ssh_keys_are_verified"}}</strong></label>
+			<input id="ssh_keys_are_verified" name="ssh_keys_are_verified" type="checkbox" {{if .ssh_keys_are_verified}}checked{{end}}>
+		</div>
+	</div>
 	<!-- ldap group begin -->
 	<div class="inline field">
 		<div class="ui checkbox">

From 50c1d5f3660fb4d489e91cced304195efbb3b623 Mon Sep 17 00:00:00 2001
From: Ivan Tkachev <itkachev@hyperad.tech>
Date: Thu, 4 Dec 2025 18:59:00 +0300
Subject: [PATCH 5/5]  #35927 Fix commit message following review suggestions

---
 options/locale/locale_en-US.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index eaf15065b6eb8..548fc4430231f 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3226,7 +3226,7 @@ auths.attribute_surname = Surname Attribute
 auths.attribute_mail = Email Attribute
 auths.attribute_ssh_public_key = Public SSH Key Attribute
 auths.attribute_avatar = Avatar Attribute
-auths.ssh_keys_are_verified = SSH keys in LDAP are automatically verified
+auths.ssh_keys_are_verified = SSH keys in LDAP are considered as verified
 auths.attributes_in_bind = Fetch Attributes in Bind DN Context
 auths.allow_deactivate_all = Allow an empty search result to deactivate all users
 auths.use_paged_search = Use Paged Search