From 9f4833d5b07e3a647d67a2343cd92bad5973e4a2 Mon Sep 17 00:00:00 2001
From: Peter Palfrader <peter@palfrader.org>
Date: Sun, 8 Sep 2019 01:21:27 +0200
Subject: [PATCH] staticsync requires a pty

---
 modules/roles/manifests/static_base.pp      | 1 +
 modules/ssh/manifests/authorized_key_add.pp | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/roles/manifests/static_base.pp b/modules/roles/manifests/static_base.pp
index 7527387ad..e598a6e09 100644
--- a/modules/roles/manifests/static_base.pp
+++ b/modules/roles/manifests/static_base.pp
@@ -5,6 +5,7 @@ class roles::static_base {
     target_user => 'staticsync',
     command     => "/usr/local/bin/staticsync-ssh-wrap ${::fqdn}",
     key         => $facts['staticsync_key'],
+    restrict    => 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-user-rc',
     collect_tag => 'staticsync',
   }
   ssh::authorized_key_collect { 'staticsync':
diff --git a/modules/ssh/manifests/authorized_key_add.pp b/modules/ssh/manifests/authorized_key_add.pp
index 24a89d9bc..c1fdae3ec 100644
--- a/modules/ssh/manifests/authorized_key_add.pp
+++ b/modules/ssh/manifests/authorized_key_add.pp
@@ -6,6 +6,7 @@ define ssh::authorized_key_add(
   String $command,
   String $key,
   String $collect_tag,
+  String $restrict = 'restrict',
   Array[Stdlib::IP::Address] $from_hosts = $base::public_addresses,
 ) {
   $from = $from_hosts.join(',')
@@ -29,7 +30,7 @@ define ssh::authorized_key_add(
       order   => '200',
       content => @("EOF"),
                  # from ${::fqdn}
-                 command="${command}",from="${from}",restrict ${key}
+                 command="${command}",from="${from}",${restrict} ${key}
                  | EOF
     }
   } else {
-- 
2.20.1