Add support for certificate auth.

Corentin ARNOULD · Corentin ARNOULD · commit 3455a0cb0e4e · 2026-04-15T14:15:33.000+02:00
diff --git a/readme-vars.yml b/readme-vars.yml
@@ -30,6 +30,10 @@ opt_param_env_vars:
   - {env_var: "PUBLIC_KEY_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing the public key (works with docker secrets)."}
   - {env_var: "PUBLIC_KEY_DIR", env_value: "/path/to/directory/containing/_only_/pubkeys", desc: "Optionally specify a directory containing the public keys (works with docker secrets)."}
   - {env_var: "PUBLIC_KEY_URL", env_value: "https://github.com/username.keys", desc: "Optionally specify a URL containing the public key."}
+  - {env_var: "TRUSTED_CA", env_value: "yourtrustedca", desc: "Optional trusted certificate authority, which will automatically be added to trusted_ca."}
+  - {env_var: "TRUSTED_CA_FILE", env_value: "/path/to/file", desc: "Optionally specify a file containing the trusted certificate authorities (works with docker secrets)."}
+  - {env_var: "TRUSTED_CA_DIR", env_value: "/path/to/directory/containing/_only_/ca", desc: "Optionally specify a directory containing the certificate authorities (works with docker secrets)."}
+  - {env_var: "TRUSTED_CA_URL", env_value: "https://github.com/ca.pub", desc: "Optionally specify a URL containing the certificate authority."}
   - {env_var: "SUDO_ACCESS", env_value: "false", desc: "Set to `true` to allow `linuxserver.io`, the ssh user, sudo access. Without `USER_PASSWORD` set, this will allow passwordless sudo access."}
   - {env_var: "PASSWORD_ACCESS", env_value: "false", desc: "Set to `true` to allow user/password ssh access. You will want to set `USER_PASSWORD` or `USER_PASSWORD_FILE` as well."}
   - {env_var: "USER_PASSWORD", env_value: "password", desc: "Optionally set a sudo password for `linuxserver.io`, the ssh user. If this or `USER_PASSWORD_FILE` are not set but `SUDO_ACCESS` is set to true, the user will have passwordless sudo access."}
@@ -44,6 +48,8 @@ app_setup_block: |
   If `PUBLIC_KEY` or `PUBLIC_KEY_FILE`, or `PUBLIC_KEY_DIR` variables are set, the specified keys will automatically be added to `authorized_keys`. If not, the keys can manually be added to `/config/.ssh/authorized_keys` and the container should be restarted.
   Removing `PUBLIC_KEY` or `PUBLIC_KEY_FILE` variables from docker run environment variables will not remove the keys from `authorized_keys`. `PUBLIC_KEY_FILE` and `PUBLIC_KEY_DIR` can be used with docker secrets.
 
+  If one or more of the `TRUSTED_CA_*` variables are set, the certificates will be concatenated before being passed to `TrustedUserCAKeys`. If a CA is removed from the variables it will be removed from the list at the next container restart.
+
   We provide the ability to set and allow password based access via the `PASSWORD_ACCESS` and `USER_PASSWORD` variables, though we as an organization discourage using password auth for public facing ssh endpoints.
 
   Connect to server via `ssh -i /path/to/private/key -p PORT USER_NAME@SERVERIP`
@@ -117,6 +123,7 @@ init_diagram: |
   "openssh-server:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "15.04.26:", desc: "Add support for certificate auth."}
   - {date: "28.12.25:", desc: "Rebase to Alpine 3.23."}
   - {date: "05.07.25:", desc: "Rebase to Alpine 3.22."}
   - {date: "10.02.25:", desc: "Add support for sshd_config.d"}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
@@ -128,6 +128,53 @@ if [[ -d "$PUBLIC_KEY_DIR" ]]; then
     done
 fi
 
+# set trusted certificate authority in file
+echo -n "" >/config/sshd/trusted_ca
+
+if [[ -n "$TRUSTED_CA" ]]; then
+    if ! grep -q "${TRUSTED_CA}" /config/sshd/trusted_ca; then
+        echo "$TRUSTED_CA" >> /config/sshd/trusted_ca
+        echo "Trusted CA from env variable added"
+    fi
+fi
+
+if [[ -n "$TRUSTED_CA_URL" ]]; then
+    TRUSTED_CA_DOWNLOADED=$(curl -s "$TRUSTED_CA_URL")
+    if ! grep -q "$TRUSTED_CA_DOWNLOADED" /config/sshd/trusted_ca; then
+        echo "$TRUSTED_CA_DOWNLOADED" >> /config/sshd/trusted_ca
+        echo "Trusted CA downloaded from '$TRUSTED_CA_URL' added"
+    fi
+fi
+
+if [[ -n "$TRUSTED_CA_FILE" ]] && [[ -f "$TRUSTED_CA_FILE" ]]; then
+    TRUSTED_CA2=$(cat "$TRUSTED_CA_FILE")
+    if ! grep -q "$TRUSTED_CA2" /config/sshd/trusted_ca; then
+        echo "$TRUSTED_CA2" >> /config/sshd/trusted_ca
+        echo "Trusted CA from file added"
+    fi
+fi
+
+if [[ -d "$TRUSTED_CA_DIR" ]]; then
+    for F in "${TRUSTED_CA_DIR}"/*; do
+        TRUSTED_CAN=$(cat "$F")
+        if ! grep -q "$TRUSTED_CAN" /config/sshd/trusted_ca; then
+            echo "$TRUSTED_CAN" >> /config/sshd/trusted_ca
+            echo "Trusted CA from file '$F' added"
+        fi
+    done
+fi
+
+if [[ -s /config/sshd/trusted_ca ]]; then
+    sed -i '/^#TrustedUserCAKeys/c\TrustedUserCAKeys /config/sshd/trusted_ca' /config/sshd/sshd_config
+    sed -i '/^TrustedUserCAKeys/c\TrustedUserCAKeys /config/sshd/trusted_ca' /config/sshd/sshd_config
+
+    if ! grep -q "^TrustedUserCAKeys" /config/sshd/sshd_config; then
+        echo "TrustedUserCAKeys /config/sshd/trusted_ca" >>/config/sshd/sshd_config
+    fi
+else
+    sed -i 's/^TrustedUserCAKeys/#TrustedUserCAKeys' /config/sshd/sshd_config
+fi
+
 # back up old log files processed by logrotate
 if [[ -f /config/logs/openssh/openssh.log ]]; then
     mv /config/logs/openssh /config/logs/openssh.old.logs
@@ -148,6 +195,8 @@ chmod 700 \
     /config/.ssh
 chmod 600 \
     /config/.ssh/authorized_keys
+chmod 644 \
+    /config/sshd/trusted_ca
 
 lsiown -R root:"${USER_NAME}" \
     /config/sshd
