From 0fd7afb090e683cf4b219e69d6a9905394621ffe Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing <esmil@labitat.dk>
Date: Mon, 1 Jun 2020 17:54:08 +0200
Subject: users: add support for jumponly users

---
 roles/users/templates/authorized_keys.j2 | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'roles')

diff --git a/roles/users/templates/authorized_keys.j2 b/roles/users/templates/authorized_keys.j2
index 33a30f2..73315aa 100644
--- a/roles/users/templates/authorized_keys.j2
+++ b/roles/users/templates/authorized_keys.j2
@@ -1,3 +1,9 @@
-{% for key in userdata[item].authorized_keys %}
+{% if users[item] == 'jumponly' %}
+{%   for key in userdata[item].authorized_keys %}
+restrict,command="echo 'This account can only be used for ProxyJump (ssh -J)'",port-forwarding {{ key }}
+{%   endfor %}
+{% else %}
+{%   for key in userdata[item].authorized_keys %}
 {{ key }}
-{% endfor %}
+{%   endfor %}
+{% endif %}
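Review bot: On the jumponly line, `port-forwarding` after `restrict` re-enables forwarding in general, not only the direct-tcpip channels that `ssh -J` opens. A jumponly key can therefore still forward to any destination reachable from the jump host, and remote (`-R`) forwarding is also allowed unless sshd_config forbids it. If the intended targets are known, narrow the line with `permitopen="<host>:<port>"` entries (placeholder values), and consider `AllowTcpForwarding local` in a `Match` block for these users. Separately, if an entry in `userdata[item].authorized_keys` already begins with its own options, the prefixed line will probably not parse and sshd would skip that key. A `{# jumponly keys must be bare "type base64 comment" entries #}` comment above the branch would record that assumption.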
-- 
cgit v1.2.1