diff --git a/docs/features/authorized-keys.rst b/docs/features/authorized-keys.rst
index 2f23ded5..7cee7943 100644
--- a/docs/features/authorized-keys.rst
+++ b/docs/features/authorized-keys.rst
@@ -13,3 +13,13 @@ If you select this package, add a list of authorized keys to ``site.conf`` like ... Existing keys in ``/etc/dropbear/authorized_keys`` will be preserved.
+
+If you want to remove specific keys in the future, specify them like this:::
+
+ {
+ unauthorized_keys = { 'ssh-rsa AAA.... user1@host',
+ 'ssh-rsa AAA.... user2@host' },
+ authorized_keys = { 'ssh-rsa AAA.... user3@host',
+ 'ssh-rsa AAA.... user4@host' },
+ hostname_prefix = ...
+ ...
diff --git a/package/gluon-authorized-keys/check_site.lua b/package/gluon-authorized-keys/check_site.lua
index 7daf2115..c92fc3e9 100644
--- a/package/gluon-authorized-keys/check_site.lua
+++ b/package/gluon-authorized-keys/check_site.lua
@@ -1 +1,2 @@
 need_string_array(in_site({'authorized_keys'}))
+need_string_array(in_site({'unauthorized_keys'}), false)
diff --git a/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys b/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys
index 9eb00dec..90e38614 100755
--- a/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys
+++ b/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys
@@ -4,6 +4,7 @@ local site = require 'gluon.site'
 local file = '/etc/dropbear/authorized_keys'
 local keys = {}
+local rm_keys = {}
 local function load_keys()
 for line in io.lines(file) do
@@ -11,12 +12,21 @@ local function load_keys()
 end
 end
+for _, key in ipairs(site.unauthorized_keys({})) do
+ rm_keys[key] = true
+end
+
 pcall(load_keys)
-local f = io.open(file, 'a')
+local f = io.open(file, 'w')
 for _, key in ipairs(site.authorized_keys()) do
 if not keys[key] then
 f:write(key .. '\n')
 end
 end
+for key, _ in pairs(keys) do
+ if not rm_keys[key] then
+ f:write(key .. '\n')
+ end
+end
 f:close()
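Review bot: Switching to `io.open(file, 'w')` truncates `/etc/dropbear/authorized_keys` before a single key is written back, and the handle is still not checked, so any failure between that line and `f:close()` (a failed open, an error raised by `site.authorized_keys()`, a full overlay) leaves the root login with an empty or partial key file where the old `'a'` mode at worst left it unchanged. Writing to a sibling temporary file and `os.rename`-ing it over the original keeps the previous file intact until the replacement is complete; if dropbear enforces ownership or mode on this file, the new file would need the same mode, which I have not verified here. The two write loops also disagree on precedence when a key appears in both `authorized_keys` and `unauthorized_keys`: the first loop writes it when it is not yet in the file, the second drops it when it is, so adding `and not rm_keys[key]` to the first condition makes removal win consistently. Removal is an exact-line match, so a key whose trailing comment differs from the `unauthorized_keys` entry is kept; that deserves a sentence in the docs hunk. `load_keys` begins before this hunk.
```lua
-- … unchanged: rm_keys population and pcall(load_keys) …
local tmp = file .. '.tmp'
local f = assert(io.open(tmp, 'w'))
for _, key in ipairs(site.authorized_keys()) do
	-- unauthorized_keys takes precedence whether or not the key is already on disk
	if not keys[key] and not rm_keys[key] then
		f:write(key .. '\n')
	end
end
for key, _ in pairs(keys) do
	if not rm_keys[key] then
		f:write(key .. '\n')
	end
end
f:close()
-- the original file is only replaced once the new one is fully written
assert(os.rename(tmp, file))
```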