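#!/bin/sh
# Lists all authorized public keys from $AUTHORIZED_KEYS_DIR for sshd.
#
# sshd invokes this script via AuthorizedKeysCommand on every auth attempt,
# so adding/removing a *.pub file is picked up live — no container restart.
#
# Exit 0 with no output if there are no keys (sshd treats this the same
# as "no AuthorizedKeysCommand matches" and falls through to AuthorizedKeysFile,
# which we keep for the boot-time-merged file from AUTHORIZED_KEYS_HOST/_REPO).
#
# Security notes:
#   - Write access to the key directory is equivalent to login access: any
#     *.pub file dropped there is trusted on the next auth attempt. Keep the
#     directory writable only by the account that manages keys. sshd's
#     ownership checks apply to this script, not to the directory it reads.
#   - The script never looks at its arguments, so every key listed here is
#     offered for whichever account sshd is authenticating. Restrict the
#     accounts that can log in elsewhere if that is not intended.
#   - NOTE(review): sshd is understood to start AuthorizedKeysCommand with a
#     reduced environment; confirm AUTHORIZED_KEYS_DIR actually reaches this
#     script, otherwise the default below is always used.

DIR="${AUTHORIZED_KEYS_DIR:-/etc/bastion/users.d}"

for f in "$DIR"/*.pub; do
  # An unmatched glob stays literal, and directories or other non-regular
  # entries must not be fed to cat. -f follows symlinks, so a symlinked
  # *.pub file is read as well.
  [ -f "$f" ] || continue

  # "--" stops option parsing in case the directory path starts with "-".
  cat -- "$f"

  # ensure newline between keys (most .pub files end with one anyway)
  printf '\n'
done

# Always succeed: a read error on one file must not turn into a failed lookup
# for the remaining keys.
exit 0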