authorEmil Renner Berthing <esmil@labitat.dk>2020-06-01 17:54:08 +0200
committerEmil Renner Berthing <esmil@labitat.dk>2020-06-01 17:54:08 +0200
commit0fd7afb090e683cf4b219e69d6a9905394621ffe (patch)
treeb265d46fed5460c071e2c199b5dc35a6fad9dfa4
parentfc663113f12a8fa4b419bd71ad3643aad50357cb (diff)
users: add support for jumponly users
-rw-r--r--roles/users/templates/authorized_keys.j210
1 files changed, 8 insertions, 2 deletions
diff --git a/roles/users/templates/authorized_keys.j2 b/roles/users/templates/authorized_keys.j2
index 33a30f2..73315aa 100644
--- a/roles/users/templates/authorized_keys.j2
+++ b/roles/users/templates/authorized_keys.j2
@@ -1,3 +1,9 @@
-{% for key in userdata[item].authorized_keys %}
+{% if users[item] == 'jumponly' %}
+{% for key in userdata[item].authorized_keys %}
+restrict,command="echo 'This account can only be used for ProxyJump (ssh -J)'",port-forwarding {{ key }}
+{% endfor %}
+{% else %}
+{% for key in userdata[item].authorized_keys %}
{{ key }}
-{% endfor %}
+{% endfor %}
+{% endif %}
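Review bot: The `port-forwarding` option on the new jumponly line re-enables forwarding after `restrict` without any destination limit, so a jumponly key can open TCP connections to any host and port reachable from this machine, including services bound to its loopback interface. If the intent is only to allow SSH hops, add one `permitopen` entry per allowed target, e.g. `restrict,command="...",port-forwarding,permitopen="<target-host>:22" {{ key }}` (placeholder host; `permitopen` takes literal hosts, and `*` is accepted for the port). `port-forwarding` also covers remote (`-R`) forwards, which ProxyJump does not need; these could be limited with `permitlisten` or in the server configuration. A comment above the `{% if %}` saying that `users[item]` holds the account type and that `jumponly` accounts get no shell would also help the next reader.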