Merge f9b0b6266f into ed36f1456f

2023-05-06 11:35:30 +02:00 · 2023-05-06 11:35:30 +02:00 · a40d881b45
commit a40d881b45
parent ed36f1456f f9b0b6266f
3 changed files with 22 additions and 1 deletions
--- a/docs/features/authorized-keys.rst
+++ b/docs/features/authorized-keys.rst
@ -13,3 +13,13 @@ If you select this package, add a list of authorized keys to ``site.conf`` like
    ...

 Existing keys in ``/etc/dropbear/authorized_keys`` will be preserved.
+
+If you want to remove specific keys in the future, specify them like this:::
+
+  {
+    unauthorized_keys = { 'ssh-rsa AAA.... user1@host',
+                          'ssh-rsa AAA.... user2@host' },
+    authorized_keys = { 'ssh-rsa AAA.... user3@host',
+                        'ssh-rsa AAA.... user4@host' },
+    hostname_prefix = ...
+    ...
--- a/package/gluon-authorized-keys/check_site.lua
+++ b/package/gluon-authorized-keys/check_site.lua
@ -1 +1,2 @@
 need_string_array(in_site({'authorized_keys'}))
+need_string_array(in_site({'unauthorized_keys'}), false)
--- a/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys
+++ b/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys
@ -4,6 +4,7 @@ local site = require 'gluon.site'
 local file = '/etc/dropbear/authorized_keys'

 local keys = {}
+local rm_keys = {}

 local function load_keys()
 	for line in io.lines(file) do
@ -11,12 +12,21 @@ local function load_keys()
 	end
 end

+for _, key in ipairs(site.unauthorized_keys({})) do
+	rm_keys[key] = true
+end
+
 pcall(load_keys)

-local f = io.open(file, 'a')
+local f = io.open(file, 'w')
 for _, key in ipairs(site.authorized_keys()) do
 	if not keys[key] then
 		f:write(key .. '\n')
 	end
 end
+for key, _ in pairs(keys) do
+	if not rm_keys[key] then
+		f:write(key .. '\n')
+	end
+end
 f:close()