linuxserver · Koalab99 · Apr 16, 2026
diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml
@@ -12,8 +12,8 @@ on:
 env:
   GITHUB_REPO: "linuxserver/docker-mods" #don't modify
   ENDPOINT: "linuxserver/mods" #don't modify
-  BASEIMAGE: "replace_baseimage" #replace
-  MODNAME: "replace_modname" #replace
+  BASEIMAGE: "openssh-server" #replace
+  MODNAME: "trusted-ca" #replace
   MOD_VERSION: ${{ inputs.mod_version }} #don't modify
   MULTI_ARCH: "true" #set to false if not needed
 

diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@
 
 FROM scratch
 
-LABEL maintainer="username"
+LABEL maintainer="Koalab99"
 
 # copy local files
 COPY root/ /
diff --git a/Dockerfile.complex b/Dockerfile.complex
diff --git a/README.md b/README.md
@@ -1,25 +1,59 @@
-# Rsync - Docker mod for openssh-server
-
-This mod adds rsync to openssh-server, to be installed/updated during container start.
-
-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
-
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
-
-# Mod creation instructions
-
-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* After all init scripts and services are created, run `find ./  -path "./.git" -prune -o \( -name "run" -o -name "finish" -o -name "check" \) -not -perm -u=x,g=x,o=x -print -exec chmod +x {} +` to fix permissions.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the vars for `BASEIMAGE` and `MODNAME`. Set the versioning logic and `MULTI_ARCH` if needed.
-* Ask the team to create a new branch named `<baseimagename>-<modname>`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
-
-
-## Tips and tricks
-
-* Some images have helpers built in, these images are currently:
-    * [Openvscode-server](https://github.com/linuxserver/docker-openvscode-server/pull/10/files)
-    * [Code-server](https://github.com/linuxserver/docker-code-server/pull/95)
+# Trusted CA - Docker mod for openssh-server
+
+This mod allow the configuration of the `TrustedUserCAKeys` directive, which allows ssh authentication using certificates.
+
+In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca`
+
+If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca|linuxserver/mods:openssh-server-mod2`
+
+## Mod environment variables
+In order to add a certificate authority, you can add your CA's public keys in one or multiple environment variables:
+* `TRUSTED_CA="your_ca_pubkey"` to add one CA to the TrustedCA file from text.
+* `TRUSTED_CA_URL="https://example.com/trusted_ca.key"` to retrieve one or more trusted CA from a URL.
+* `TRUSTED_CA_FILE="/mounted_file"` to add one or more CA from a file (inside the container's tree).
+* `TRUSTED_CA_DIR="/mounted_dir"` to add CAs from the content of a directory (inside the container's tree).
+
+You can use multiple environment variables at the same time to add different CAs.
+
+Certificates are added/removed from the server when the container is starting, so you will need to restart your container for your change to take effect.
+
+# Example
+If you want to build your own CA:
+```
+# Create temp directory and cd there
+cd $(mktemp -d)
+
+# Generate key pairs (x and x.pub)
+ssh-keygen -b 4096 -t ed25519 -f myca
+ssh-keygen -b 4096 -t ed25519 -f userkey
+
+# Sign users pubkeys (x-cert.pub)
+ssh-keygen -s myca -I my_user_certificate_id -n myuser userkey.pub
+```
+
+Notes: `-n` parameter gives the username principals, it must match the target user (see `man 1 ssh-keygen`).
+
+```
+services:
+  openssh-server:
+    image: linuxserver/openssh-server
+    environment:
+      - DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - USER_NAME=myuser
+      - TRUSTED_CA_FILE=/pubkey
+    volumes:
+      - ./myca.pub:/pubkey:ro,z
+    ports:
+      - 2222:2222
+```
+
+You can then connect using:
+```
+ssh -p 2222 -i ./userkey myuser@127.0.0.1
+
+# Or specify the certificate explicitly:
+ssh -o CertificateFile=./userkey-cert.pub -p 2222 -i ./userkey myuser@127.0.0.1
+```
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/run b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/type b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/type
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/up b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/up
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/run b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/run
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/type b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/type
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/up b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/up
diff --git a/...name-add-package/dependencies.d/init-mods → ...usted-ca-install/dependencies.d/init-mods b/...name-add-package/dependencies.d/init-mods → ...usted-ca-install/dependencies.d/init-mods
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/run b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/run
@@ -0,0 +1,54 @@
+#!/usr/bin/with-contenv bash
+
+# set trusted certificate authority in file
+
+# Reset the content of the file
+echo -n "" >/config/sshd/trusted_ca
+
+if [[ -n "$TRUSTED_CA" ]]; then
+    if ! grep -q "${TRUSTED_CA}" /config/sshd/trusted_ca; then
+        echo "$TRUSTED_CA" >> /config/sshd/trusted_ca
+        echo "Trusted CA from env variable added"
+    fi
+fi
+
+if [[ -n "$TRUSTED_CA_URL" ]]; then
+    TRUSTED_CA_DOWNLOADED=$(curl -s "$TRUSTED_CA_URL")
+    if ! grep -q "$TRUSTED_CA_DOWNLOADED" /config/sshd/trusted_ca; then
+        echo "$TRUSTED_CA_DOWNLOADED" >> /config/sshd/trusted_ca
+        echo "Trusted CA downloaded from '$TRUSTED_CA_URL' added"
+    fi
+fi
+
+if [[ -n "$TRUSTED_CA_FILE" ]] && [[ -f "$TRUSTED_CA_FILE" ]]; then
+    TRUSTED_CA2=$(cat "$TRUSTED_CA_FILE")
+    if ! grep -q "$TRUSTED_CA2" /config/sshd/trusted_ca; then
+        echo "$TRUSTED_CA2" >> /config/sshd/trusted_ca
+        echo "Trusted CA from file added"
+    fi
+fi
+
+if [[ -d "$TRUSTED_CA_DIR" ]]; then
+    for F in "${TRUSTED_CA_DIR}"/*; do
+        TRUSTED_CAN=$(cat "$F")
+        if ! grep -q "$TRUSTED_CAN" /config/sshd/trusted_ca; then
+            echo "$TRUSTED_CAN" >> /config/sshd/trusted_ca
+            echo "Trusted CA from file '$F' added"
+        fi
+    done
+fi
+
+if [[ -s /config/sshd/trusted_ca ]]; then
+    # Trusted CA exists and is not empty
+    sed -i '/^TrustedUserCAKeys/c\TrustedUserCAKeys /config/sshd/trusted_ca' /config/sshd/sshd_config
+    sed -i '/^#TrustedUserCAKeys/c\TrustedUserCAKeys /config/sshd/trusted_ca' /config/sshd/sshd_config
+
+    if ! grep -q "^TrustedUserCAKeys" /config/sshd/sshd_config; then
+        # TrustedUserCAKeys is not in the file, adding it at the end of the file
+        echo "TrustedUserCAKeys /config/sshd/trusted_ca" >>/config/sshd/sshd_config
+    fi
+else
+    # Trusted CA is empty, commenting parameter
+    sed -i 's/^TrustedUserCAKeys/#TrustedUserCAKeys' /config/sshd/sshd_config
+fi
+
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/type b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/type
@@ -0,0 +1 @@
+oneshot
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/up b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/run
diff --git a/.../dependencies.d/init-mods-package-install → ...nit-mod-openssh-server-trusted-ca-install b/.../dependencies.d/init-mods-package-install → ...nit-mod-openssh-server-trusted-ca-install
diff --git a/...y/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-imagename-modname-add-package b/...y/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-imagename-modname-add-package
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/dependencies.d/init-services b/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/dependencies.d/init-services
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/run b/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/run
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/type b/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/type
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-imagename-modname-add-package b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-imagename-modname-add-package
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-imagename-modname-install b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-imagename-modname-install
diff --git a/...cies.d/init-mod-imagename-modname-install → ...nit-mod-openssh-server-trusted-ca-install b/...cies.d/init-mod-imagename-modname-install → ...nit-mod-openssh-server-trusted-ca-install
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-mod-imagename-modname b/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-mod-imagename-modname
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/run