- Reads standard PosixAccount and PosixGroup object classes
- Uses GoSa authorization scheme (trustModel and accessTo attributes)
- Can read authorization not only from user entries but from groups too
- Supports NIS netgroups in accessTo attributes with sudo-compatible syntax; netgroups are distinguished by a leading plus sign (accessTo: hostname, accessTo: +netgroup)
- Netgroups are resolved via libnss (you can back it with LDAP through libnss-ldap or sssd)
- Keyreader can ignore keys without a "from" option
- keyreader is launched by sshd with the user login in argv[1]
- keyreader looks for PosixGroup objects of which the user is a member
- keyreader validates whether the found posix groups have this host in accessTo
- keyreader collects all netgroups that the found posix groups list in accessTo
- keyreader checks whether any of those netgroups has this host among its members
- if keyreader finds that access is granted, it looks for the user whose uid matches the login and prints their ssh public keys to stdout; otherwise it repeats steps 3-5 for the PosixAccount instead of the PosixGroup
- sshd reads the ssh keys (if there are any) and uses them to authenticate the user
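The authorization walk above, modelled end to end as an added example (this is not the project's own code). The LDAP directory and the libnss netgroup lookups are replaced by constructed in-memory data so the logic runs offline; attribute names `uid`, `memberUid`, `trustModel` and `accessTo` come from the list above, while `sshPublicKey` as the key attribute and the reading of `trustModel: fullaccess` as "any host" are assumptions.

```python
"""Model of the keyreader authorization walk: group path first, then the
user's own posixAccount entry, then key output (added example, not the
project's code)."""
import socket
import sys

# authorized_keys lines without options start with one of these key types.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed directory standing in for LDAP.  sshPublicKey is an assumed
# attribute name; the trustModel value "fullaccess" meaning "all hosts" is
# an assumption as well.
DIRECTORY = [
    {"objectClass": ["posixAccount"], "uid": "alice", "trustModel": "byhost",
     "accessTo": [], "sshPublicKey": ['from="10.0.0.0/8" ssh-ed25519 AAAAC3-alice']},
    {"objectClass": ["posixAccount"], "uid": "bob", "trustModel": "byhost",
     "accessTo": ["web1"], "sshPublicKey": ["ssh-ed25519 AAAAC3-bob"]},
    {"objectClass": ["posixAccount"], "uid": "carol", "trustModel": "byhost",
     "accessTo": [], "sshPublicKey": ["ssh-ed25519 AAAAC3-carol"]},
    {"objectClass": ["posixAccount"], "uid": "dave", "trustModel": "fullaccess",
     "accessTo": [], "sshPublicKey": ["ssh-ed25519 AAAAC3-dave"]},
    {"objectClass": ["posixGroup"], "cn": "admins", "memberUid": ["alice"],
     "trustModel": "byhost", "accessTo": ["+admin-hosts"]},
]

# Constructed stand-in for libnss netgroup resolution: netgroup -> host members.
NETGROUP_HOSTS = {"admin-hosts": {"bastion1", "bastion2"}}


def entries_with_class(directory, object_class):
    return [e for e in directory if object_class in e.get("objectClass", [])]


def entry_grants_host(entry, host, netgroup_hosts):
    """True if the entry authorizes this host: trustModel fullaccess (assumed
    semantics), a literal hostname in accessTo, or a +netgroup containing it."""
    if entry.get("trustModel") == "fullaccess":
        return True
    for target in entry.get("accessTo", []):
        if target.startswith("+"):
            if host in netgroup_hosts.get(target[1:], set()):
                return True
        elif target == host:
            return True
    return False


def key_has_from_option(key_line):
    """Whether an authorized_keys line carries a from="..." restriction.
    Simplified parse: options, when present, form the first token and
    precede the key type."""
    tokens = key_line.split(None, 1)
    if not tokens or tokens[0].startswith(KEY_TYPE_PREFIXES):
        return False  # no options at all
    return 'from="' in tokens[0]


def authorized_keys(directory, login, host, netgroup_hosts, require_from=False):
    """Return the public keys sshd should accept for login on host, or []."""
    users = [u for u in entries_with_class(directory, "posixAccount")
             if u.get("uid") == login]
    if not users:
        return []
    user = users[0]
    # Group path: any posixGroup the user is a member of that grants this host.
    groups = [g for g in entries_with_class(directory, "posixGroup")
              if login in g.get("memberUid", [])]
    granted = any(entry_grants_host(g, host, netgroup_hosts) for g in groups)
    # User path: the same checks against the posixAccount entry itself.
    if not granted:
        granted = entry_grants_host(user, host, netgroup_hosts)
    if not granted:
        return []
    keys = user.get("sshPublicKey", [])
    if require_from:
        keys = [k for k in keys if key_has_from_option(k)]
    return keys


if __name__ == "__main__":
    # sshd invokes the command with the login name in argv[1]; the host is
    # the machine the command runs on.
    login = sys.argv[1] if len(sys.argv) > 1 else ""
    for key in authorized_keys(DIRECTORY, login, socket.gethostname(), NETGROUP_HOSTS):
        print(key)
```

With `require_from=True` a key such as bob's, which carries no `from="..."` option, is dropped even though bob is authorized on web1, so the host-based `accessTo` decision and the per-key source restriction compose rather than replace each other.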