From: Lennart Poettering Date: Thu, 11 Nov 2021 09:04:31 +0000 (+0100) Subject: man: document new --chain switch to userdbctl X-Git-Tag: v250-rc1~306^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F21304%2Fhead;p=thirdparty%2Fsystemd.git man: document new --chain switch to userdbctl And while we are at it, make 'ssh-authorized-keys' verb properly documented. Given that OpenSSH documents the interface in its man page it's fine to just document our implementation of it too. --- diff --git a/man/userdbctl.xml b/man/userdbctl.xml index 522c6c665ff..6a01e9d1791 100644 --- a/man/userdbctl.xml +++ b/man/userdbctl.xml @@ -146,6 +146,14 @@ typically preferable, since it runs in a locked down sandbox. + + + + When used with the ssh-authorized-keys command, this will allow + passing an additional command line after the user name that is chain executed after the lookup + completed. This allows chaining multiple tools that show SSH authorized keys. + + @@ -201,8 +209,8 @@ ssh-authorized-keys - This operation is not a public, user-facing interface. It is used to allow the SSH daemon to pick - up authorized keys from user records, see below. + Show SSH authorized keys for this account. This command is intended to be used to + allow the SSH daemon to pick up authorized keys from user records, see below. @@ -301,6 +309,19 @@ AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u AuthorizedKeysCommandUser root … + + Sometimes it's useful to allow chain invocation of another program to list SSH authorized keys. By + using the such a tool may be chain executed by userdbctl + ssh-authorized-keys once a lookup completes (regardless if an SSH key was found or + not). Example: + + … +AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u --chain /usr/bin/othertool %u +AuthorizedKeysCommandUser root +… + + The above will first query the userdb database for SSH keys, and then chain execute + /usr/bin/othertool to also be queried.
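Review bot: In the first hunk (@@ -146,6 +146,14), the new option text says the extra command line "is chain executed after the lookup completed" but does not say what the caller ends up seeing: whether the chained program's output follows the keys userdbctl already printed, and whose exit status is returned. Since the SSH daemon consumes this output to decide which keys are accepted, a sentence spelling that out belongs in the option description. Also, "after the lookup completed" reads better as "after the lookup has completed".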
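Review bot: In the second hunk (@@ -201,8 +209,8), the replacement sentence "Show SSH authorized keys for this account" has no antecedent for "this account" in the lines shown; "for the specified account" would be clearer. Now that the verb is documented as a regular command rather than a non-public interface, it would also help to point from here to the new chaining option, so readers of the command description learn that it accepts a trailing command line.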
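Review bot: In the third hunk (@@ -301,6 +309,19), the example keeps "AuthorizedKeysCommandUser root" while adding "--chain /usr/bin/othertool %u", but the surrounding text never mentions that the chained tool is started from a command the SSH daemon runs as root, or that whatever it prints is treated as authorized keys just like userdbctl's own output. I would add one sentence saying that the chained program should be trusted and protected against modification to the same degree as userdbctl itself. Wording: "regardless if an SSH key was found or not" should be "regardless of whether an SSH key was found", and "chain execute /usr/bin/othertool to also be queried" would read better as "then chain execute /usr/bin/othertool, so that it is queried as well".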