- $user[keys].each |$key| {
- ssh_authorized_key { "${user[username]}@${key[host]}":
- name => "${user[username]}@${key[host]}",
- user => $user[username],
- type => $key[key_type],
- key => $key[key],
+ if has_key($user, "keys") {
+ $user[keys].each |$key| {
+ if has_key($key, "command") {
+ ssh_authorized_key { "${user[username]}@${key[host]}":
+ name => "${user[username]}@${key[host]}",
+ user => $user[username],
+ type => $key[key_type],
+ key => $key[key],
+ options => [
+ "command=\"${key[command]}\"",
+ "no-port-forwarding",
+ "no-X11-forwarding",
+ "no-pty",
+ ],
+ }
+ } else {
+ ssh_authorized_key { "${user[username]}@${key[host]}":
+ name => "${user[username]}@${key[host]}",
+ user => $user[username],
+ type => $key[key_type],
+ key => $key[key],
+ }
+ }