From 8e612e071b8c0fc99ebf91673f53ca5f0d6bdd11 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 20 Feb 2021 19:56:15 +0100
Subject: Document `lacme-accountd --stdio`.

It's an internal flag, but can be useful for authorized_keys(5)
restrictions.
---
 lacme.8.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'lacme.8.md')

diff --git a/lacme.8.md b/lacme.8.md
index aab448f..9a14d75 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -493,8 +493,10 @@ following in the [`[accountd]` section](#accountd-section):
 If the user running `lacme` can connect to `lacme@account.example.net`
 using (passwordless) key authentication, this setting will spawn a
 remote [`lacme-accountd`(1)] and use it to sign [ACME] requests.
-Further hardening can be achieved my means of [`authorized_keys`(5)]
-restrictions.
+Further hardening can be achieved by means of [`authorized_keys`(5)]
+restrictions:
+
+    restrict,from="…",command="/usr/bin/lacme-accountd --stdio" ssh-rsa …
 
 See also
 ========
-- 
cgit v1.2.3