upstream commit

add %-escapes to AuthorizedPrincipalsCommand to match those
supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
few more to provide access to the certificate's CA key; 'looks ok' dtucker@

Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb

1 files changed, 14 insertions, 5 deletions

diff --git a/sshd_config.5 b/sshd_config.5
index a4d1ca000..9e96acf39 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.231 2016/09/07 18:39:24 jmc Exp $
-.Dd $Mdocdate: September 7 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.232 2016/09/14 05:42:25 djm Exp $
+.Dd $Mdocdate: September 14 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -304,9 +304,18 @@ specified by an absolute path.
 Arguments to
 .Cm AuthorizedPrincipalsCommand
 may be provided using the following tokens, which will be expanded
-at runtime: %% is replaced by a literal '%', %u is replaced by the
-username being authenticated and %h is replaced by the home directory
-of the user being authenticated.
+at runtime:
+%% is replaced by a literal '%',
+%u is replaced by the username being authenticated,
+%h is replaced by the home directory of the user being authenticated,
+%t is replaced with type of the certificate being offered,
+%T with the type of the CA key,
+%f is replaced with certificate fingerprint,
+%F with the fingerprint of the CA key,
+%k is replaced with the full base-64 encoded certificate and
+%K is replaced with the base-64 encoded CA key.
+If no arguments are specified then the username of the target user
+will be supplied.
 .Pp
 The program should produce on standard output zero or
 more lines of