Add support for trusted user CA keys and authorized principals in OpenSSH config

README.md

@@ -171,6 +171,11 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e PASSWORD_ACCESS=false` | Set to `true` to allow user/password ssh access. You will want to set `USER_PASSWORD` or `USER_PASSWORD_FILE` as well. |
 | `-e USER_PASSWORD=password` | Optionally set a sudo password for `linuxserver.io`, the ssh user. If this or `USER_PASSWORD_FILE` are not set but `SUDO_ACCESS` is set to true, the user will have passwordless sudo access. |
 | `-e USER_PASSWORD_FILE=/path/to/file` | Optionally specify a file that contains the password. This setting supersedes the `USER_PASSWORD` option (works with docker secrets). |
+| `-e TRUSTED_USER_CA_KEYS=yourtrustedcakeys` | Optionally trusted user CA keys, which will automatically be added to trusted user CA keys. |
+| `-e TRUSTED_USER_CA_KEYS_FILE=/path/to/file` | Optionally specify a file containing the trusted user CA keys (works with docker secrets). |
+| `-e AUTHORIZED_PRINCIPALS=` | Optionally specify a list of authorized principals. Space-separated list. |
+| `-e AUTHORIZED_PRINCIPALS_FILE=/path/to/file` | Optionally specify a file containing a list of authorized principals. |
+| `-e ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS=false` | Set to `true` to add the default user to the list of authorized principals. |
 | `-e USER_NAME=linuxserver.io` | Optionally specify a user name (Default:`linuxserver.io`) |
 | `-e LOG_STDOUT=` | Set to `true` to log to stdout instead of file. |
 | `-v /config` | Contains all relevant configuration files. |

readme-vars.yml

@@ -36,6 +36,11 @@ opt_param_env_vars:
   - {env_var: "USER_PASSWORD_FILE", env_value: "/path/to/file", desc: "Optionally specify a file that contains the password. This setting supersedes the `USER_PASSWORD` option (works with docker secrets)."}
   - {env_var: "USER_NAME", env_value: "linuxserver.io", desc: "Optionally specify a user name (Default:`linuxserver.io`)"}
   - {env_var: "LOG_STDOUT", env_value: "", desc: "Set to `true` to log to stdout instead of file."}
+  - {env_var: "TRUSTED_USER_CA_KEYS", env_value: "", desc: "Optionally trusted user CA keys, which will automatically be added to trusted user CA keys."}
+  - {env_var: "TRUSTED_USER_CA_KEYS_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing the trusted user CA keys (works with docker secrets)."}
+  - {env_var: "AUTHORIZED_PRINCIPALS", env_value: "", desc: "Optionally specify a list of authorized principals. space separated list."}
+  - {env_var: "AUTHORIZED_PRINCIPALS_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing a list of authorized principals."}
+  - {env_var: "ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS", env_value: "false", desc: "Set to `true` to add the default user to the list of authorized principals."}
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |

root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run

@@ -112,6 +112,64 @@ if [[ -d "$PUBLIC_KEY_DIR" ]]; then
     done
 fi
 
+# set trusted user CA keys
+if [[ -n "$TRUSTED_USER_CA_KEYS" ]]; then
+    touch /config/.ssh/trusted_user_ca_keys
+    if ! grep -q "${TRUSTED_USER_CA_KEYS}" /config/.ssh/trusted_user_ca_keys; then
+        echo "$TRUSTED_USER_CA_KEYS" >> /config/.ssh/trusted_user_ca_keys
+        echo "Trusted user CA keys added"
+    fi
+fi
+
+if [[ -n "$TRUSTED_USER_CA_KEYS_FILE" ]] && [[ -f "$TRUSTED_USER_CA_KEYS_FILE" ]]; then
+    touch /config/.ssh/trusted_user_ca_keys
+    TRUSTED_USER_CA_KEYS2=$(cat "$TRUSTED_USER_CA_KEYS_FILE")
+    if ! grep -q "$TRUSTED_USER_CA_KEYS2" /config/.ssh/trusted_user_ca_keys; then
+        echo "$TRUSTED_USER_CA_KEYS2" >> /config/.ssh/trusted_user_ca_keys
+        echo "Trusted user CA keys from file added"
+    fi
+fi
+
+if [[ -f /config/.ssh/trusted_user_ca_keys ]]; then
+    if ! grep -q "^TrustedUserCAKeys" /etc/ssh/sshd_config; then
+        echo "TrustedUserCAKeys /config/.ssh/trusted_user_ca_keys" >> /etc/ssh/sshd_config
+    else
+        sed -i '/^#TrustedUserCAKeys/c\TrustedUserCAKeys /config/.ssh/trusted_user_ca_keys' /etc/ssh/sshd_config
+        sed -i '/^TrustedUserCAKeys/c\TrustedUserCAKeys /config/.ssh/trusted_user_ca_keys' /etc/ssh/sshd_config
+    fi
+fi
+
+# set authorized principals
+if [[ -n "$AUTHORIZED_PRINCIPALS" ]]; then
+    touch /config/.ssh/authorized_principals
+
+    for principal in $AUTHORIZED_PRINCIPALS; do
+        echo "$principal" >> /config/.ssh/authorized_principals
+        echo "add $principal Authorized principals added"
+    done
+fi
+
+if [[ -n "$AUTHORIZED_PRINCIPALS_FILE" ]] && [[ -f "$AUTHORIZED_PRINCIPALS_FILE" ]]; then
+    touch /config/.ssh/authorized_principals
+    cat $AUTHORIZED_PRINCIPALS_FILE >> /config/.ssh/authorized_principals
+    echo "Authorized principals from file added"
+fi
+
+if [[ "$ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS" == "true" ]]; then
+    touch /config/.ssh/authorized_principals
+    echo "$USER_NAME" > /config/.ssh/authorized_principals
+    echo "$USER_NAME added to Authorized principals"
+fi
+
+if [[ -f /config/.ssh/authorized_principals ]]; then
+    if ! grep -q "^AuthorizedPrincipalsFile" /etc/ssh/sshd_config; then
+        echo "AuthorizedPrincipalsFile /config/.ssh/authorized_principals" >> /etc/ssh/sshd_config
+    else
+        sed -i '/^#AuthorizedPrincipalsFile/c\AuthorizedPrincipalsFile /config/.ssh/authorized_principals' /etc/ssh/sshd_config
+        sed -i '/^AuthorizedPrincipalsFile/c\AuthorizedPrincipalsFile /config/.ssh/authorized_principals' /etc/ssh/sshd_config
+    fi
+fi
+
 # back up old log files processed by logrotate
 if [[ -f /config/logs/openssh/openssh.log ]]; then
     mv /config/logs/openssh /config/logs/openssh.old.logs