.de hP .IP \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c .. .ie t .ds o \(bu .el .ds o o . .TH sshsvc-mkauthkeys 1 "23 April 2015" "distorted.org.uk" "Utilities" .SH NAME sshsvc-mkauthkeys \- build authorized_keys files for SSH services .SH SYNOPSIS .B sshsvc-mkauthkeys .RB [ \-c .IR config ] .RB [ \-k .IR keysdir ] .RB [ \-o .IR output ] .br \&\h'8n' .RB [ \-H .IR head ] .RB [ \-T .IR tail ] .SH DESCRIPTION The .B sshsvc-mkauthkeys script constructs an OpenSSH .B authorized_keys file from a collection of SSH public keys and some configuration in the form of shell variable and function definitions. The script expects to be run from a makefile within a .B .ssh/ directory and reads and writes files with fixed relative pathnames by default. These can be overridden using command-line options. .SS "Command line options" .TP .BI \-c " config" Source configuration from .I config instead of the default .BR sshsvc.conf . .TP .BI \-k " keysdir" Collect user keys from .I keysdir instead of the default .BR keys/ . .TP .BI \-o " output" Write the output to .I output instead of the default .BR authorized_keys . .TP .BI \-H " head" Read initial raw entries from .I head (if it exists) instead of the default .BR sshsvc-authkeys.head . .TP .BI \-T " tail" Read final raw entries from .I tail (if it exists) instead of the default .BR sshsvc-authkeys.tail . .SS "Overall operation" The .I output file .RB ( authorized_keys by default) is constructed as follows. .hP 0. A comment is written to the very top of the output file explaining that it was generated by .BR sshsvc-mkauthkeys . .hP 1. If the .I head file .RB ( sshsvc-authkeys.head by default) exists then its contents are written unchanged to the output. .hP 2. Each of the files .IB keysdir / user\fR[ ! label\fR] .pub is processed in turn (see below) in ascending lexicographic order to make a single-line entry in the output file. The default .I keysdir is .BR keys/ . .hP 3. If the .I tail file .RB ( sshsvc-authkeys.tail by default) exists then its contents are written unchanged to the output. .hP 4. A commend is written to the very bottom of the output file explaining that it was generated by .BR sshsvc-mkauthkeys . .SS "Configuration" The configuration for a particular SSH service is read from .BR sshsvc.conf . This file must exist in the current working directory, though it needn't have any content since all configurable parameters have sensible (though not necessarily useful) defaults. .SS "The make_full_key_line function" The most general configuration hook (and therefore the one requiring most effort from the user) is the .B make_full_key_line function. It is given the key file's .I user name as an argument and expected to write the .I options portion of an .B authorized_keys entry to standard output. .PP The default implementation is likely to be suitable for almost all services. It calls .B make_key_line (see below) to construct environment variable settings and other per-user configuration settings, and attaches general policy settings. .PP It uses the following variables. .TP .B allow_port_forwarding If not .B yes then forbid port forwarding (include .B no-port-forwarding in the line). The default is .BR no . .TP .B allow_x11_forwarding If not .B yes then forbid X11 connection forwarding (include .B no-X11-forwarding in the line). The default is .BR no . .TP .B allow_agent_forwarding If not .B yes then forbid SSH agent forwarding (include .B no-agent-forwarding in the line). The default is .BR no . It's probably not a good idea to enable this. .TP .B allow_pty If not .B yes then forbid pty allocation (include .B no-pty in the line). The default is .BR no . This is usually what you want unless your service needs an interactive terminal (e.g., a console for a virtual machine). .TP .B cmd If set to any value and the line from .B make_key_line doesn't already contain a .RB ` command= ...' option, then always run .I cmd (with the service user's shell) rather than using the client's requested command line, which is left in .B SSH_ORIGINAL_COMMAND (include .BI command="" cmd "" in the line). The default is .BR bin/sshsvc . .SS "The make_key_line function" The .B make_key_line function is called with the key file's .I user name as its only argument, and is expected to write any per-user (and unusual) options to standard output. Mostly it will be sufficient to generate an .RB ` environment= ...' option and leave the rest to .BR make_full_key_line . .PP The default .B make_key_line function is suitable for simple cases. It examines the .B env variable, replacing .B @user placeholders with the key's .I user name, and emits the line .BI environment= env\fR. The default value of .B env is .B SSHSVC_USER=@user which may be good enough for services explicitly written to work with it. .SH FILES .TP .BR sshsvc.conf Read for configuration (shell variable and function definitions). .TP .BI keys/ user\fR[ ! label\fR] .pub Input public keys to process. .TP .B sshsvc-authkeys.head Pre-cooked .B authorized_keys entries to write at the top of the output. .TP .B sshsvc-authkeys.tail Pre-cooked .B authorized_keys entries to write at the bottom of the output. .TP .B authorized_keys Output file. .SH BUGS Perfection guaranteed. Satisfaction, or your money back. .SH "SEE ALSO" .BR ssh (1), .BR sshd (8). .SH AUTHOR Mark Wooding,