Commit Graph

1 Commits

Author: Fabian @ Blax Software
SHA1: 0262f677c1
Message: A users.d/ drop-in directory for live-read authorized keys
sshd now consults /etc/bastion/users.d/*.pub on every authentication
attempt via AuthorizedKeysCommand, so adding or removing a user
takes effect immediately without restarting the container — just
drop `alice.pub` (or any *.pub file) into the host-bound dir,
sshd picks it up on the next login.

Implementation:
- /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that
  cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per
  AuthorizedKeysCommandUser), reads world-readable pubkeys.
- sshd_config: AuthorizedKeysCommand alongside the existing
  AuthorizedKeysFile — both checked, so the boot-merged
  file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX.
- start-container: 'zero key sources' is now a WARN, not a fatal.
  Bastion comes up empty; SSH attempts fail with 'publickey denied'
  until you drop a key. Lets users `docker compose up` first and
  add keys later.

Bug fix on the way through: `grep -c` exits non-zero when no
lines match, which under `set -eu` killed the boot script
silently after '[2/5] Authorized keys...'. Switched to
`awk … | wc -l` which exits 0 cleanly on empty input.

README updated with the new source priority and env var.
Date: 2026-05-28 12:31:51 +02:00
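Added example of the live-read key source and the exit-status fix described in this commit; it is not the repository's own bastion-list-keys script. AUTHORIZED_KEYS_DIR is the variable named in the message, the default path /etc/bastion/users.d and the sample keys are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not the repository's bastion-list-keys script.
# AUTHORIZED_KEYS_DIR comes from the commit message; the default path is
# an assumption. Key material below is placeholder text, not real keys.
set -eu

# Print every *.pub file under the key directory (arg 1, else
# $AUTHORIZED_KEYS_DIR). This is the shape of an AuthorizedKeysCommand:
# sshd runs it on each login and reads authorized_keys lines from stdout.
# An unmatched glob leaves the literal "*.pub", so each path is tested
# first; an empty directory yields empty output and exit status 0.
bastion_list_keys() {
    dir="${1:-${AUTHORIZED_KEYS_DIR:-/etc/bastion/users.d}}"
    for f in "$dir"/*.pub; do
        [ -f "$f" ] || continue
        cat "$f"
    done
}

# Count key lines (non-blank, not a comment). `grep -c` exits 1 when
# nothing matches, which under set -e aborts the caller silently;
# awk | wc -l exits 0 on empty input, so a key-less bastion still boots.
count_keys() {
    bastion_list_keys "${1:-}" | awk 'NF && $1 !~ /^#/' | wc -l | tr -d ' '
}

# Build a constructed sample directory (two drop-ins, one with a comment
# and a blank line) and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAexampleplaceholder alice@example\n' > "$d/alice.pub"
    printf '# bob, added later\n\nssh-rsa AAAAexampleplaceholder bob@example\n' > "$d/bob.pub"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "keys in $sample: $(count_keys "$sample")"   # 2
empty=$(mktemp -d)
echo "keys in $empty: $(count_keys "$empty")"     # 0, and exit status 0
rm -rf "$sample" "$empty"
```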