add doc
tg123 committed Nov 1, 2024
1 parent 886494b commit 9bad6f7
Showing 3 changed files with 17 additions and 9 deletions.
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -171,6 +171,11 @@ Containers are configured using parameters passed at runtime (such as those abov
| `-e PASSWORD_ACCESS=false` | Set to `true` to allow user/password ssh access. You will want to set `USER_PASSWORD` or `USER_PASSWORD_FILE` as well. |
| `-e USER_PASSWORD=password` | Optionally set a sudo password for `linuxserver.io`, the ssh user. If this or `USER_PASSWORD_FILE` are not set but `SUDO_ACCESS` is set to true, the user will have passwordless sudo access. |
| `-e USER_PASSWORD_FILE=/path/to/file` | Optionally specify a file that contains the password. This setting supersedes the `USER_PASSWORD` option (works with docker secrets). |
| `-e TRUSTED_USER_CA_KEYS=yourtrustedcakeys` | Optionally trusted user CA keys, which will automatically be added to trusted user CA keys. |
| `-e TRUSTED_USER_CA_KEYS_FILE=/path/to/file` | Optionally specify a file containing the trusted user CA keys (works with docker secrets). |
| `-e AUTHORIZED_PRINCIPALS=` | Optionally specify a list of authorized principals. Space-separated list. |
| `-e AUTHORIZED_PRINCIPALS_FILE=/path/to/file` | Optionally specify a file containing a list of authorized principals. |
| `-e ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS=false` | Set to `true` to add the default user to the list of authorized principals. |
| `-e USER_NAME=linuxserver.io` | Optionally specify a user name (Default:`linuxserver.io`) |
| `-e LOG_STDOUT=` | Set to `true` to log to stdout instead of file. |
| `-v /config` | Contains all relevant configuration files. |
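
Review bot: The `TRUSTED_USER_CA_KEYS` row is circular ("Optionally trusted user CA keys, which will automatically be added to trusted user CA keys") and does not say what form the value takes or what happens when both it and `TRUSTED_USER_CA_KEYS_FILE` are set, whereas the `USER_PASSWORD_FILE` row above states that the file supersedes the variable. Suggest stating the expected value format and the precedence, and doing the same for `AUTHORIZED_PRINCIPALS` and `AUTHORIZED_PRINCIPALS_FILE`. The `ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS` row should also say whether "the default user" means the `USER_NAME` value, since that determines which name is written to the principals list.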
5 changes: 5 additions & 0 deletions readme-vars.yml
Expand Up @@ -36,6 +36,11 @@ opt_param_env_vars:
- {env_var: "USER_PASSWORD_FILE", env_value: "/path/to/file", desc: "Optionally specify a file that contains the password. This setting supersedes the `USER_PASSWORD` option (works with docker secrets)."}
- {env_var: "USER_NAME", env_value: "linuxserver.io", desc: "Optionally specify a user name (Default:`linuxserver.io`)"}
- {env_var: "LOG_STDOUT", env_value: "", desc: "Set to `true` to log to stdout instead of file."}
- {env_var: "TRUSTED_USER_CA_KEYS", env_value: "", desc: "Optionally trusted user CA keys, which will automatically be added to trusted user CA keys."}
- {env_var: "TRUSTED_USER_CA_KEYS_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing the trusted user CA keys (works with docker secrets)."}
- {env_var: "AUTHORIZED_PRINCIPALS", env_value: "", desc: "Optionally specify a list of authorized principals. space separated list."}
- {env_var: "AUTHORIZED_PRINCIPALS_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing a list of authorized principals."}
- {env_var: "ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS", env_value: "false", desc: "Set to `true` to add the default user to the list of authorized principals."}
# application setup block
app_setup_block_enabled: true
app_setup_block: |
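
Review bot: These entries do not match the README.md rows added in the same commit: `TRUSTED_USER_CA_KEYS` has `env_value: ""` here but `yourtrustedcakeys` in the README, `AUTHORIZED_PRINCIPALS` says "space separated list." here but "Space-separated list." there, and the block is placed after `LOG_STDOUT` while the README rows sit before `USER_NAME`. If README.md is generated from this file, the next regeneration will overwrite the hand-edited rows; treat this file as the single source and align the values, wording and ordering.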
16 changes: 7 additions & 9 deletions root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
Expand Up @@ -142,19 +142,17 @@ fi
# set authorized principals
if [[ -n "$AUTHORIZED_PRINCIPALS" ]]; then
touch /config/.ssh/authorized_principals
if ! grep -q "${AUTHORIZED_PRINCIPALS}" /config/.ssh/authorized_principals; then
echo "$AUTHORIZED_PRINCIPALS" >> /config/.ssh/authorized_principals
echo "Authorized principals added"
fi

for principal in $AUTHORIZED_PRINCIPALS; do
echo "$principal" >> /config/.ssh/authorized_principals
echo "add $principal Authorized principals added"
done
fi

if [[ -n "$AUTHORIZED_PRINCIPALS_FILE" ]] && [[ -f "$AUTHORIZED_PRINCIPALS_FILE" ]]; then
touch /config/.ssh/authorized_principals
AUTHORIZED_PRINCIPALS2=$(cat "$AUTHORIZED_PRINCIPALS_FILE")
if ! grep -q "$AUTHORIZED_PRINCIPALS2" /config/.ssh/authorized_principals; then
echo "$AUTHORIZED_PRINCIPALS2" >> /config/.ssh/authorized_principals
echo "Authorized principals from file added"
fi
cat $AUTHORIZED_PRINCIPALS_FILE >> /config/.ssh/authorized_principals
echo "Authorized principals from file added"
fi

if [[ "$ADD_DEFAULT_USER_TO_AUTHORIZED_PRINCIPALS" == "true" ]]; then
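
Review bot: The loop `for principal in $AUTHORIZED_PRINCIPALS` and the `cat $AUTHORIZED_PRINCIPALS_FILE >> /config/.ssh/authorized_principals` line append unconditionally now that the `grep -q` guards are gone, so every run of this init script adds the same principals to the file under `/config` again. Suggest a per-entry check such as `grep -qxF -- "$principal" /config/.ssh/authorized_principals` before each append, and the equivalent for the file input. Smaller points: `$AUTHORIZED_PRINCIPALS_FILE` is unquoted in the `cat` although the `-f` test on the `if` line quotes it; the unquoted `$AUTHORIZED_PRINCIPALS` is glob-expanded as well as word-split, so a value containing `*` or `?` would expand to file names (use `set -f` or `read -ra`); the message "add $principal Authorized principals added" reads as two messages merged; and since the visible lines only ever append, removing a principal from the variable does not remove it from the file, which is worth documenting.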