I forgot we configured or /etc/ssh/sshd_config as well. You need to have the
authorizedkeys command. Here is what ours looks like.
AcceptEnv LANG LC_*
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
Banner /etc/issue.net
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
IgnoreRhosts yes
KerberosAuthentication no
KeyRegenerationInterval 3600
LoginGraceTime 120
LogLevel INFO
MaxSessions 50
MaxStartups 50:30:60
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
Port 22
PrintLastLog yes
PrintMotd no
Protocol 2
PubkeyAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication yes
ServerKeyBits 1024
StrictModes yes
Subsystem sftp /usr/lib/openssh/sftp-server
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePAM yes
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding yes