\h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
.TH sshsvc-mkauthkeys 1 "23 April 2015" "distorted.org.uk" "Utilities"
sshsvc-mkauthkeys \- build authorized_keys files for SSH services
script constructs an OpenSSH
from a collection of SSH public keys
and some configuration in the form of shell variable and function
The script expects to be run from a makefile
and reads and writes files with fixed relative pathnames by default.
These can be overridden using command-line options.
.SS "Command line options"
Source configuration from
instead of the default
Collect user keys from
instead of the default
instead of the default
Read initial raw entries from
instead of the default
.BR sshsvc-authkeys.head .
Read final raw entries from
instead of the default
.BR sshsvc-authkeys.tail .
.SS "Overall operation"
is constructed as follows.
A comment is written to
explaining that it was generated by
.BR sshsvc-mkauthkeys .
.RB ( sshsvc-authkeys.head
exists then its contents are written unchanged to the output.
.IB keysdir / user\fR[ ! label\fR] .pub
in ascending lexicographic order
to make a single-line entry
.RB ( sshsvc-authkeys.tail
exists then its contents are written unchanged to the output.
A comment is written to
explaining that it was generated by
.BR sshsvc-mkauthkeys .
for a particular SSH service
in the current working directory,
though it needn't have any content
since all configurable parameters have sensible
(though not necessarily useful)
.SS "The make_full_key_line function"
The most general configuration hook
(and therefore the one requiring most effort from the user)
.B make_full_key_line
It is given the key file's
name as an argument and
entry to standard output.
The default implementation is likely to be suitable
for almost all services. It calls
environment variable settings
and other per-user configuration settings,
and attaches general policy settings.
It uses the following variables.
.B allow_port_forwarding
then forbid port forwarding
.B no-port-forwarding
.B allow_x11_forwarding
then forbid X11 connection forwarding
.B allow_agent_forwarding
then forbid SSH agent forwarding
.B no-agent-forwarding
It's probably not a good idea to enable this.
then forbid pty allocation
This is usually what you want
unless your service needs an interactive terminal
(e.g., a console for a virtual machine).
doesn't already contain a
(with the service user's shell)
rather than using the client's requested command line,
.B SSH_ORIGINAL_COMMAND
.BI command="" cmd ""
.SS "The make_key_line function"
function is called with
name as its only argument,
and is expected to write any per-user
options to standard output.
Mostly it will be sufficient to generate an
.RB ` environment= ...'
and leave the rest to
.BR make_full_key_line .
function is suitable for simple cases.
placeholders with the key's
.BI environment= env\fR.
which may be good enough for services
explicitly written to work with it.
Read for configuration
(shell variable and function definitions).
.BI keys/ user\fR[ ! label\fR] .pub
Input public keys to process.
.B sshsvc-authkeys.head
entries to write at the top of the output.
.B sshsvc-authkeys.tail
entries to write at the bottom of the output.
Perfection guaranteed.
Satisfaction, or your money back.
Mark Wooding, <mdw@distorted.org.uk>