diff --git a/man/userdbctl.xml b/man/userdbctl.xml
index 522c6c665f..6a01e9d179 100644
--- a/man/userdbctl.xml
+++ b/man/userdbctl.xml
@@ -146,6 +146,14 @@
typically preferable, since it runs in a locked down sandbox.
+
+
+
+ When used with the ssh-authorized-keys command, this will allow
+ passing an additional command line after the user name that is chain executed after the lookup
+ completed. This allows chaining multiple tools that show SSH authorized keys.
+
+
@@ -201,8 +209,8 @@
ssh-authorized-keys
- This operation is not a public, user-facing interface. It is used to allow the SSH daemon to pick
- up authorized keys from user records, see below.
+ Show SSH authorized keys for this account. This command is intended to be used to
+ allow the SSH daemon to pick up authorized keys from user records, see below.
@@ -301,6 +309,19 @@
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
AuthorizedKeysCommandUser root
…
+
+ Sometimes it's useful to allow chain invocation of another program to list SSH authorized keys. By
+ using the such a tool may be chain executed by userdbctl
+ ssh-authorized-keys once a lookup completes (regardless if an SSH key was found or
+ not). Example:
+
+ …
+AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u --chain /usr/bin/othertool %u
+AuthorizedKeysCommandUser root
+…
+
+ The above will first query the userdb database for SSH keys, and then chain execute
+ /usr/bin/othertool to also be queried.