chore: doc: remove sparse trailing spaces from generated files

doc/sphinx/build-plugins-help.sh

@@ -44,7 +44,7 @@ do
         else
             perl "$pluginfile" '' '' '' '' | perl -e 'undef $/; $_=<>; s/\n+$/\n/; print $_' | perl -ne '
                 if (m{^Usage: (.+)}) { print ".. admonition:: usage\n   :class: cmdusage\n\n   $1\n\n.. program:: '"$name"'\n\n"; }
-                elsif (m{^  (-[- ,a-z|/A-Z"'"'"']+)  (.+)}) { print ".. option:: $1\n\n   $2\n\n"; }
+                elsif (m{^  (-[- ,a-z|/A-Z"'"'"']+)  (.+)}) { ($c,$t)=($1,$2); $c=~s/ +$//; print ".. option:: $c\n\n   $t\n\n"; }
                 elsif ($l++ == 0) { chomp; print "$_\n"."="x(length($_))."\n\n"; }
                 else { print "$_"; }
             '

doc/sphinx/plugins/admin/adminMaintenance.rst

@@ -14,11 +14,11 @@ Manage the bastion maintenance mode
 .. program:: adminMaintenance
 
 
-.. option:: --lock           
+.. option:: --lock
 
    Set maintenance mode: new logins will be disallowed
 
-.. option:: --unlock         
+.. option:: --unlock
 
    Unset maintenance mode: new logins are allowed and the bastion functions normally
 

doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst

@@ -14,7 +14,7 @@ Add an IP or IP block to a group's servers list
 .. program:: groupAddServer
 
 
-.. option:: --group GROUP          
+.. option:: --group GROUP
 
    Specify which group this machine should be added to (it should have the public group key of course)
 
@@ -23,31 +23,31 @@ Add an IP or IP block to a group's servers list
    Host(s) to add access to, either a HOST which will be resolved to an IP immediately, or an IP,
 
                              or a whole network using the NET/CIDR notation
-.. option:: --user USER            
+.. option:: --user USER
 
    Specify which remote user should be allowed (root, run, etc...)
 
-.. option:: --user-any             
+.. option:: --user-any
 
    Allow any remote user (the remote user should still have the public group key in all cases)
 
-.. option:: --port PORT            
+.. option:: --port PORT
 
    Only allow access to this port (e.g. 22)
 
-.. option:: --port-any             
+.. option:: --port-any
 
    Allow access to any port
 
-.. option:: --scpup                
+.. option:: --scpup
 
    Allow SCP upload, you--bastion-->server (omit --user in this case)
 
-.. option:: --scpdown              
+.. option:: --scpdown
 
    Allow SCP download, you<--bastion--server (omit --user in this case)
 
-.. option:: --force                
+.. option:: --force
 
    Don't try the ssh connection, just add the host to the group blindly
 
@@ -55,15 +55,15 @@ Add an IP or IP block to a group's servers list
 
    Only use the key with the specified fingerprint to connect to the server (cf groupInfo)
 
-.. option:: --force-password HASH  
+.. option:: --force-password HASH
 
    Only use the password with the specified hash to connect to the server (cf groupListPasswords)
 
-.. option:: --ttl SECONDS|DURATION 
+.. option:: --ttl SECONDS|DURATION
 
    Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
 
-.. option:: --comment '"ANY TEXT'" 
+.. option:: --comment '"ANY TEXT'"
 
    Add a comment alongside this server
 

doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst

@@ -14,7 +14,7 @@ Remove an IP or IP block from a group's serrver list
 .. program:: groupDelServer
 
 
-.. option:: --group GROUP          
+.. option:: --group GROUP
 
    Specify which group this machine should be removed from
 
@@ -22,27 +22,27 @@ Remove an IP or IP block from a group's serrver list
 
    Host(s) we want to remove access to
 
-.. option:: --user USER            
+.. option:: --user USER
 
    Remote user that was allowed, if any user was allowed, use --user-any
 
-.. option:: --user-any             
+.. option:: --user-any
 
    Use if any remote login was allowed
 
-.. option:: --port PORT            
+.. option:: --port PORT
 
    Remote SSH port that was allowed, if any port was allowed, use --port-any
 
-.. option:: --port-any             
+.. option:: --port-any
 
    Use if any remote port was allowed
 
-.. option:: --scpup                
+.. option:: --scpup
 
    Remove SCP upload right, you--bastion-->server (omit --user in this case)
 
-.. option:: --scpdown              
+.. option:: --scpdown
 
    Remove SCP download right, you<--bastion--server (omit --user in this case)
 

doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst

@@ -14,39 +14,39 @@ Add a specific group server access to an account
 .. program:: groupAddGuestAccess
 
 
-.. option:: --group GROUP         
+.. option:: --group GROUP
 
    group to add guest access to
 
-.. option:: --account ACCOUNT     
+.. option:: --account ACCOUNT
 
    name of the other bastion account to add access to, they'll be given access to the GROUP key
 
-.. option:: --host HOST|IP        
+.. option:: --host HOST|IP
 
    add access to this HOST (which must belong to the GROUP)
 
-.. option:: --user USER           
+.. option:: --user USER
 
    allow connecting to HOST only with remote login USER
 
-.. option:: --user-any            
+.. option:: --user-any
 
    allow connecting to HOST with any remote login
 
-.. option:: --port PORT           
+.. option:: --port PORT
 
    allow connecting to HOST only to remote port PORT
 
-.. option:: --port-any            
+.. option:: --port-any
 
    allow connecting to HOST with any remote port
 
-.. option:: --scpup               
+.. option:: --scpup
 
    allow SCP upload, you--bastion-->server (omit --user in this case)
 
-.. option:: --scpdown             
+.. option:: --scpdown
 
    allow SCP download, you<--bastion--server (omit --user in this case)
 

doc/sphinx/plugins/group-gatekeeper/groupAddMember.rst

@@ -14,7 +14,7 @@ Add an account to the member list
 .. program:: groupAddMember
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to set ACCOUNT as a member of
 

doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst

@@ -14,36 +14,36 @@ Remove a specific group server access from an account
 .. program:: groupDelGuestAccess
 
 
-.. option:: --group GROUP   
+.. option:: --group GROUP
 
    group to remove guest access from
 
   --account ACCOUNT name of the other bastion account to remove access from
-.. option:: --host HOST|IP  
+.. option:: --host HOST|IP
 
    remove access from this HOST (which must belong to the GROUP)
 
-.. option:: --user USER     
+.. option:: --user USER
 
    allow connecting to HOST only with remote login USER
 
-.. option:: --user-any      
+.. option:: --user-any
 
    allow connecting to HOST with any remote login
 
-.. option:: --port PORT     
+.. option:: --port PORT
 
    allow connecting to HOST only to remote port PORT
 
-.. option:: --port-any      
+.. option:: --port-any
 
    allow connecting to HOST with any remote port
 
-.. option:: --scpup         
+.. option:: --scpup
 
    allow SCP upload, you--bastion-->server (omit --user in this case)
 
-.. option:: --scpdown       
+.. option:: --scpdown
 
    allow SCP download, you<--bastion--server (omit --user in this case)
 

doc/sphinx/plugins/group-gatekeeper/groupDelMember.rst

@@ -14,7 +14,7 @@ Remove an account from the members list
 .. program:: groupDelMember
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to remove ACCOUNT as a member of
 

doc/sphinx/plugins/group-gatekeeper/groupListGuestAccesses.rst

@@ -14,7 +14,7 @@ List the guest accesses to servers of a group specifically granted to an account
 .. program:: groupListGuestAccesses
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    Look for accesses to servers of this GROUP
 
@@ -22,7 +22,7 @@ List the guest accesses to servers of a group specifically granted to an account
 
    Which account to check
 
-.. option:: --reverse-dns    
+.. option:: --reverse-dns
 
    Attempt to resolve the reverse hostnames (SLOW!)
 

doc/sphinx/plugins/group-owner/groupAddAclkeeper.rst

@@ -14,7 +14,7 @@ Add the group aclkeeper role to an account
 .. program:: groupAddAclkeeper
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to set ACCOUNT as an aclkeeper of
 

doc/sphinx/plugins/group-owner/groupAddGatekeeper.rst

@@ -14,7 +14,7 @@ Add the group gatekeeper role to an account
 .. program:: groupAddGatekeeper
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to set ACCOUNT as a gatekeeper of
 

doc/sphinx/plugins/group-owner/groupAddOwner.rst

@@ -14,7 +14,7 @@ Add the group owner role to an account
 .. program:: groupAddOwner
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to set ACCOUNT as an owner of
 

doc/sphinx/plugins/group-owner/groupDelAclkeeper.rst

@@ -14,7 +14,7 @@ Remove the group aclkeeper role from an account
 .. program:: groupDelAclkeeper
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to remove ACCOUNT as an aclkeeper of
 

doc/sphinx/plugins/group-owner/groupDelEgressKey.rst

@@ -18,7 +18,7 @@ Remove a bastion group egress key
 
    Name of the group to delete the egress key from
 
-.. option:: --id ID      
+.. option:: --id ID
 
    Specify the key ID to delete, you can get it with groupInfo
 

doc/sphinx/plugins/group-owner/groupDelGatekeeper.rst

@@ -14,7 +14,7 @@ Remove the group gatekeeper role from an account
 .. program:: groupDelGatekeeper
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to remove ACCOUNT as a gatekeeper of
 

doc/sphinx/plugins/group-owner/groupDelOwner.rst

@@ -14,7 +14,7 @@ Remove the group owner role from an account
 .. program:: groupDelOwner
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to set ACCOUNT as an owner of
 

doc/sphinx/plugins/group-owner/groupDestroy.rst

@@ -18,7 +18,7 @@ Delete a group
 
    Group name to delete
 
-.. option:: --no-confirm 
+.. option:: --no-confirm
 
    Skip group name confirmation, but blame yourself if you deleted the wrong group!
 

doc/sphinx/plugins/group-owner/groupGenerateEgressKey.rst

@@ -19,12 +19,12 @@ Create a new public + private key pair for a group
    Group name to generate a new egress key for.
 
 
-.. option:: --algo ALGO  
+.. option:: --algo ALGO
 
    Specifies the algo of the key, either rsa, ecdsa or ed25519.
 
 
-.. option:: --size SIZE  
+.. option:: --size SIZE
 
    Specifies the size of the key to be generated.
 
@@ -32,7 +32,7 @@ Create a new public + private key pair for a group
                    For ECDSA, choose either 256, 384 or 521.
                    For ED25519, size is always 256.
 
-.. option:: --encrypted  
+.. option:: --encrypted
 
    If specified, a passphrase will be prompted for the new key
 

doc/sphinx/plugins/group-owner/groupGeneratePassword.rst

@@ -18,11 +18,11 @@ Generate a new egress password for the group
 
    Specify which group you want to generate a password for
 
-.. option:: --size  SIZE 
+.. option:: --size  SIZE
 
    Specify the number of characters of the password to generate
 
-.. option:: --do-it      
+.. option:: --do-it
 
    Required for the password to actually be generated, BEWARE: please read the note below
 

doc/sphinx/plugins/group-owner/groupModify.rst

@@ -14,11 +14,11 @@ Modify the configuration of a group
 .. program:: groupModify
 
 
-.. option:: --group             GROUP                  
+.. option:: --group             GROUP
 
    Name of the group to modify
 
-.. option:: --mfa-required      password|totp|any|none 
+.. option:: --mfa-required      password|totp|any|none
 
    Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server of the group
 
@@ -26,7 +26,7 @@ Modify the configuration of a group
                                                  this group. If set to -1, remove this group override and use the global setting instead.
   --idle-kill-timeout DURATION|0|-1            Overrides the global setting (`idleKillTimeout`), to the specified duration. If set to 0, disables `idleKillTimeout` for
                                                  this group. If set to -1, remove this group override and use the global setting instead.
-.. option:: --guest-ttl-limit   DURATION               
+.. option:: --guest-ttl-limit   DURATION
 
    This group will enforce TTL setting, on guest access creation, to be set, and not to a higher value than DURATION,
 

doc/sphinx/plugins/group-owner/groupTransmitOwnership.rst

@@ -14,7 +14,7 @@ Transmit your group ownership to somebody else
 .. program:: groupTransmitOwnership
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    which group to set ACCOUNT as an owner of
 

doc/sphinx/plugins/open/clush.rst

@@ -14,27 +14,27 @@ Launch a remote command on several machines sequentially (clush-like)
 .. program:: clush
 
 
-.. option:: --list HOSTLIST         
+.. option:: --list HOSTLIST
 
    Comma-separated list of the hosts (hostname or IP) to run the command on
 
-.. option:: --user USER             
+.. option:: --user USER
 
    Specify which remote user should we use to connect (default: BASTION_ACCOUNT)
 
-.. option:: --port PORT             
+.. option:: --port PORT
 
    Specify which port to connect to (default: 22)
 
-.. option:: --step-by-step          
+.. option:: --step-by-step
 
    Pause before running the command on each host
 
-.. option:: --no-pause-on-failure   
+.. option:: --no-pause-on-failure
 
    Don't pause if the remote command failed (returned exit code != 0)
 
-.. option:: --no-confirm            
+.. option:: --no-confirm
 
    Skip confirmation of the host list and command
 

doc/sphinx/plugins/open/groupList.rst

@@ -14,7 +14,7 @@ List the groups available on this bastion
 .. program:: groupList
 
 
-.. option:: --all             
+.. option:: --all
 
    List all groups, even those to which you don't have access
 

doc/sphinx/plugins/open/groupListServers.rst

@@ -14,11 +14,11 @@ List the servers (IPs and IP blocks) pertaining to a group
 .. program:: groupListServers
 
 
-.. option:: --group GROUP    
+.. option:: --group GROUP
 
    List the servers of this group
 
-.. option:: --reverse-dns    
+.. option:: --reverse-dns
 
    Attempt to resolve the reverse hostnames (SLOW!)
 

doc/sphinx/plugins/open/nc.rst

@@ -22,7 +22,7 @@ Check whether a remote TCP port is open
 
    TCP port to attempt to connect to
 
-.. option:: -w SECONDS 
+.. option:: -w SECONDS
 
    Timeout in seconds (default: 3)
 

doc/sphinx/plugins/open/ping.rst

@@ -18,19 +18,19 @@ Ping a remote host from the bastion
 
    Remote host to ping
 
-.. option:: -c COUNT   
+.. option:: -c COUNT
 
    Number of pings to send (default: infinite)
 
-.. option:: -s SIZE    
+.. option:: -s SIZE
 
    Specify the packet size to send
 
-.. option:: -t TTL     
+.. option:: -t TTL
 
    TTL to set in the ICMP packet (default: OS dependent)
 
-.. option:: -w TIMEOUT 
+.. option:: -w TIMEOUT
 
    Exit unconditionally after this amount of seconds (default & max: 86400)
 

doc/sphinx/plugins/open/selfAddIngressKey.rst

@@ -22,7 +22,7 @@ Add a new ingress public key to your account
                       can also pass it through STDIN directly. If the policy of this bastion allows it, you may prefix the key
                       with a 'from="IP1,IP2,..."' snippet, a la authorized_keys. However the policy might force a configured
                       'from' prefix that will override yours, or be used if you don't specify it yourself.
-.. option:: --piv           
+.. option:: --piv
 
    Add a public SSH key from a PIV-compatible hardware token, along with its attestation certificate and key
 

doc/sphinx/plugins/open/selfDelIngressKey.rst

@@ -14,7 +14,7 @@ Remove an ingress public key from your account
 .. program:: selfDelIngressKey
 
 
-.. option:: -l, --id-to-delete ID         
+.. option:: -l, --id-to-delete ID
 
    Directly specify key id to delete (CAUTION!), you can get id with selfListIngressKeys
 

doc/sphinx/plugins/open/selfGeneratePassword.rst

@@ -18,7 +18,7 @@ Generate a new egress password for your account
 
    Specify the number of characters of the password to generate
 
-.. option:: --do-it    
+.. option:: --do-it
 
    Required for the password to actually be generated, BEWARE: please read the note below
 

doc/sphinx/plugins/open/selfGenerateProxyPassword.rst

@@ -18,7 +18,7 @@ Generate a new ingress password to use the bastion HTTPS proxy
 
    Size of the password to generate
 
-.. option:: --do-it    
+.. option:: --do-it
 
    Required for the password to actually be generated, BEWARE: please read the note below
 

doc/sphinx/plugins/open/selfListAccesses.rst

@@ -14,12 +14,12 @@ Show the list of servers you have access to
 .. program:: selfListAccesses
 
 
-.. option:: --hide-groups    
+.. option:: --hide-groups
 
    Don't show the machines you have access to through group rights.
 
                        In other words, list only your personal accesses.
-.. option:: --reverse-dns    
+.. option:: --reverse-dns
 
    Attempt to resolve the reverse hostnames (SLOW!)
 

doc/sphinx/plugins/open/selfListSessions.rst

@@ -14,57 +14,57 @@ List the few past sessions of your account
 .. program:: selfListSessions
 
 
-.. option:: --detailed           
+.. option:: --detailed
 
    Display more information about each session
 
-.. option:: --limit LIMIT        
+.. option:: --limit LIMIT
 
    Limit to LIMIT results
 
-.. option:: --id ID              
+.. option:: --id ID
 
    Only sessions having this ID
 
-.. option:: --type TYPE          
+.. option:: --type TYPE
 
    Only sessions of specified type (ssh, osh, ...)
 
-.. option:: --allowed            
+.. option:: --allowed
 
    Only sessions that have been allowed by the bastion
 
-.. option:: --denied             
+.. option:: --denied
 
    Only sessions that have been denied by the bastion
 
-.. option:: --after WHEN         
+.. option:: --after WHEN
 
    Only sessions that started after WHEN,
 
                            WHEN can be a TIMESTAMP, or YYYY-MM-DD[@HH:MM:SS]
-.. option:: --before WHEN        
+.. option:: --before WHEN
 
    Only sessions that started before WHEN,
 
                            WHEN can be a TIMESTAMP, or YYYY-MM-DD[@HH:MM:SS]
-.. option:: --host HOST          
+.. option:: --host HOST
 
    Only sessions connecting to remote HOST
 
-.. option:: --to-port PORT       
+.. option:: --to-port PORT
 
    Only sessions connecting to remote PORT
 
-.. option:: --user USER          
+.. option:: --user USER
 
    Only sessions connecting using remote USER
 
-.. option:: --via HOST           
+.. option:: --via HOST
 
    Only sessions that connected through bastion IP HOST
 
-.. option:: --via-port PORT      
+.. option:: --via-port PORT
 
    Only sessions that connected through bastion PORT
 

doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst

@@ -14,35 +14,35 @@ Add a personal server access to an account
 .. program:: accountAddPersonalAccess
 
 
-.. option:: --account              
+.. option:: --account
 
    Bastion account to add the access to
 
-.. option:: --host IP|HOST|IP/MASK 
+.. option:: --host IP|HOST|IP/MASK
 
    Server to add access to
 
-.. option:: --user USER            
+.. option:: --user USER
 
    Remote login to use, if you want to allow any login, use --user-any
 
-.. option:: --user-any             
+.. option:: --user-any
 
    Allow access with any remote login
 
-.. option:: --port PORT            
+.. option:: --port PORT
 
    Remote SSH port to use, if you want to allow any port, use --port-any
 
-.. option:: --port-any             
+.. option:: --port-any
 
    Allow access to all remote ports
 
-.. option:: --scpup                
+.. option:: --scpup
 
    Allow SCP upload, you--bastion-->server (omit --user in this case)
 
-.. option:: --scpdown              
+.. option:: --scpdown
 
    Allow SCP download, you<--bastion--server (omit --user in this case)
 
@@ -50,15 +50,15 @@ Add a personal server access to an account
 
    Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
 
-.. option:: --force-password HASH  
+.. option:: --force-password HASH
 
    Only use the password with the specified hash to connect to the server (cf accountListPasswords)
 
-.. option:: --ttl SECONDS|DURATION 
+.. option:: --ttl SECONDS|DURATION
 
    Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
 
-.. option:: --comment "'ANY TEXT'" 
+.. option:: --comment "'ANY TEXT'"
 
    Add a comment alongside this server. Quote it twice as shown if you're under a shell.
 

doc/sphinx/plugins/restricted/accountCreate.rst

@@ -14,24 +14,24 @@ Create a new bastion account
 .. program:: accountCreate
 
 
-.. option:: --account NAME          
+.. option:: --account NAME
 
    Account name to create, NAME must contain only valid UNIX account name characters
 
-.. option:: --uid UID               
+.. option:: --uid UID
 
    Account system UID, also see --uid-auto
 
-.. option:: --uid-auto              
+.. option:: --uid-auto
 
    Auto-select an UID from the allowed range (the upper available one will be used)
 
-.. option:: --always-active         
+.. option:: --always-active
 
    This account's activation won't be challenged on connection, even if the bastion is globally
 
                               configured to check for account activation
-.. option:: --osh-only              
+.. option:: --osh-only
 
    This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
 
@@ -40,24 +40,24 @@ Create a new bastion account
    Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays',
 
                               setting this option to zero disables account expiration.
-.. option:: --immutable-key         
+.. option:: --immutable-key
 
    Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
 
-.. option:: --comment '"STRING"'    
+.. option:: --comment '"STRING"'
 
    An optional comment when creating the account. Quote it twice as shown if you're under a shell.
 
-.. option:: --public-key '"KEY"'    
+.. option:: --public-key '"KEY"'
 
    Account public SSH key to deposit on the bastion, if not present,
 
                               you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
-.. option:: --no-key                
+.. option:: --no-key
 
    Don't prompt for an SSH key, no ingress public key will be installed
 
-.. option:: --ttl SECONDS|DURATION  
+.. option:: --ttl SECONDS|DURATION
 
    Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m")
 

doc/sphinx/plugins/restricted/accountDelPersonalAccess.rst

@@ -14,7 +14,7 @@ Remove a personal server access from an account
 .. program:: accountDelPersonalAccess
 
 
-.. option:: --account             
+.. option:: --account
 
    Bastion account to remove access from
 
@@ -22,27 +22,27 @@ Remove a personal server access from an account
 
    Server to remove access from
 
-.. option:: --user USER           
+.. option:: --user USER
 
    Remote user that was allowed, if any user was allowed, use --user-any
 
-.. option:: --user-any            
+.. option:: --user-any
 
    Use if any remote login was allowed
 
-.. option:: --port PORT           
+.. option:: --port PORT
 
    Remote SSH port that was allowed, if any port was allowed, use --port-any
 
-.. option:: --port-any            
+.. option:: --port-any
 
    Use if any remote port was allowed
 
-.. option:: --scpup               
+.. option:: --scpup
 
    Remove SCP upload right, you--bastion-->server (omit --user in this case)
 
-.. option:: --scpdown             
+.. option:: --scpdown
 
    Remove SCP download right, you<--bastion--server (omit --user in this case)
 

doc/sphinx/plugins/restricted/accountDelete.rst

@@ -18,7 +18,7 @@ Delete an account from the bastion
 
    Account name to delete
 
-.. option:: --no-confirm     
+.. option:: --no-confirm
 
    Don't ask for confirmation, and blame yourself if you deleted the wrong account
 

doc/sphinx/plugins/restricted/accountFreeze.rst

@@ -0,0 +1,25 @@
+==============
+accountFreeze
+==============
+
+Freeze an account, to prevent it from connecting
+================================================
+
+
+.. admonition:: usage
+   :class: cmdusage
+
+   --osh accountFreeze --account ACCOUNT [--reason "'SOME REASON'"]
+
+.. program:: accountFreeze
+
+
+.. option:: --account ACCOUNT
+
+   Account to freeze
+
+.. option:: --reason  "'SOME REASON'"
+
+   Optional reason for the account to be frozen (will be displayed to the user),
+
+                               if you are in a shell (and not in interactive mode), quote it twice as shown.

doc/sphinx/plugins/restricted/accountGeneratePassword.rst

@@ -18,11 +18,11 @@ Generate a new egress password for an account
 
    Specify which account you want to generate a password for
 
-.. option:: --size    SIZE   
+.. option:: --size    SIZE
 
    Specify the number of characters of the password to generate
 
-.. option:: --do-it          
+.. option:: --do-it
 
    Required for the password to actually be generated, BEWARE: please read the note below
 

doc/sphinx/plugins/restricted/accountInfo.rst

@@ -18,7 +18,7 @@ Display some information about an account
 
    The account name to work on
 
-.. option:: --list-groups    
+.. option:: --list-groups
 
    Show which groups the account has a role on
 

doc/sphinx/plugins/restricted/accountList.rst

@@ -14,15 +14,15 @@ List the bastion accounts
 .. program:: accountList
 
 
-.. option:: --account ACCOUNT 
+.. option:: --account ACCOUNT
 
    Only list the specified account. This is an easy way to check whether the account exists
 
-.. option:: --inactive-only   
+.. option:: --inactive-only
 
    Only list inactive accounts
 
-.. option:: --audit           
+.. option:: --audit
 
    Show more verbose information (SLOW!), you need to be a bastion auditor
 
@@ -30,16 +30,16 @@ List the bastion accounts
 
    Don't gather password info in audit mode (makes --audit way faster)
 
-.. option:: --no-output       
+.. option:: --no-output
 
    Don't print human-readable output (faster, use with --json)
 
-.. option:: --include PATTERN 
+.. option:: --include PATTERN
 
    Only show accounts whose name match the given PATTERN (see below)
 
                          This option can be used multiple times to refine results
-.. option:: --exclude PATTERN 
+.. option:: --exclude PATTERN
 
    Omit accounts whose name match the given PATTERN (see below)
 

doc/sphinx/plugins/restricted/accountListAccesses.rst

@@ -18,12 +18,12 @@ View the expanded access list of a given bastion account
 
    The account to work on
 
-.. option:: --hide-groups    
+.. option:: --hide-groups
 
    Don't show the machines the accouns has access to through group rights.
 
                        In other words, list only the account's personal accesses.
-.. option:: --reverse-dns    
+.. option:: --reverse-dns
 
    Attempt to resolve the reverse hostnames (SLOW!)
 

doc/sphinx/plugins/restricted/accountModify.rst

@@ -14,29 +14,29 @@ Modify an account configuration
 .. program:: accountModify
 
 
-.. option:: --account ACCOUNT                        
+.. option:: --account ACCOUNT
 
    Bastion account to work on
 
-.. option:: --pam-auth-bypass yes|no                 
+.. option:: --pam-auth-bypass yes|no
 
    Enable or disable PAM auth bypass for this account in addition to pubkey auth (default is 'no'),
 
                                                in that case sshd will not rely at all on PAM auth and /etc/pam.d/sshd configuration. This
                                                does not change the behaviour of the code, just the PAM auth handled by SSH itself
-.. option:: --mfa-password-required yes|no|bypass    
+.. option:: --mfa-password-required yes|no|bypass
 
    Enable or disable UNIX password requirement for this account in addition to pubkey auth (default is 'no'),
 
                                                this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
                                                no password will ever be asked, even for groups or plugins explicitly requiring it
-.. option:: --mfa-totp-required yes|no|bypass        
+.. option:: --mfa-totp-required yes|no|bypass
 
    Enable or disable TOTP requirement for this account in addition to pubkey auth (default is 'no'),
 
                                                this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
                                                no OTP will ever be asked, even for groups or plugins explicitly requiring it
-.. option:: --egress-strict-host-key-checking POLICY 
+.. option:: --egress-strict-host-key-checking POLICY
 
    Modify the egress SSH behavior of this account regarding ``StrictHostKeyChecking`` (see `man ssh_config`),
 
@@ -46,30 +46,30 @@ Modify an account configuration
                                                This effectively suppress the host key checking entirely. Please don't enable this blindly.
                                                'default' will remove this account's ``StrictHostKeyChecking`` setting override.
                                                All the other policies carry the same meaning that what is documented in `man ssh_config`.
-.. option:: --personal-egress-mfa-required POLICY    
+.. option:: --personal-egress-mfa-required POLICY
 
    Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
 
                                                using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
-.. option:: --always-active yes|no                   
+.. option:: --always-active yes|no
 
    Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
 
-.. option:: --idle-ignore yes|no                     
+.. option:: --idle-ignore yes|no
 
    If enabled, this account is immune to the idleLockTimeout and idleKillTimeout bastion-wide policy
 
-.. option:: --max-inactive-days DAYS                 
+.. option:: --max-inactive-days DAYS
 
    Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays'.
 
                                                Setting this option to zero disables account expiration. Setting this option to -1 removes this account
                                                expiration policy, i.e. the global bastion setting will apply.
-.. option:: --osh-only yes|no                        
+.. option:: --osh-only yes|no
 
    If enabled, this account can only use ``--osh`` commands, and can't connect anywhere through the bastion
 
-.. option:: --pubkey-auth-optional yes|no            
+.. option:: --pubkey-auth-optional yes|no
 
    Make the public key optional on ingress for the account (default is 'no').
 

doc/sphinx/plugins/restricted/accountPIV.rst

@@ -14,11 +14,11 @@ Modify the PIV policy for the ingress keys of an account
 .. program:: accountPIV
 
 
-.. option:: --account ACCOUNT     
+.. option:: --account ACCOUNT
 
    Bastion account to work on
 
-.. option:: --policy  POLICY      
+.. option:: --policy  POLICY
 
    Changes the PIV policy of account. See below for a description of available policies.
 

doc/sphinx/plugins/restricted/accountUnfreeze.rst

@@ -0,0 +1,20 @@
+================
+accountUnfreeze
+================
+
+Unfreeze a frozen account
+=========================
+
+
+.. admonition:: usage
+   :class: cmdusage
+
+   --osh accountUnfreeze --account ACCOUNT
+
+.. program:: accountUnfreeze
+
+
+.. option:: --account ACCOUNT
+
+   Account to unfreeze
+

doc/sphinx/plugins/restricted/groupDelete.rst

@@ -18,7 +18,7 @@ Delete a group
 
    Group name to delete
 
-.. option:: --no-confirm 
+.. option:: --no-confirm
 
    Skip group name confirmation, but blame yourself if you deleted the wrong group!
 

doc/sphinx/plugins/restricted/realmCreate.rst

@@ -14,7 +14,7 @@ Declare and create a new trusted realm
 .. program:: realmCreate
 
 
-.. option:: --realm   REALM 
+.. option:: --realm   REALM
 
    Realm name to create
 

doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst

@@ -14,35 +14,35 @@ Add a personal server access on your account
 .. program:: selfAddPersonalAccess
 
 
-.. option:: --host IP|HOST|IP/MASK 
+.. option:: --host IP|HOST|IP/MASK
 
    Server to add access to
 
-.. option:: --user USER            
+.. option:: --user USER
 
    Remote login to use, if you want to allow any login, use --user-any
 
-.. option:: --user-any             
+.. option:: --user-any
 
    Allow access with any remote login
 
-.. option:: --port PORT            
+.. option:: --port PORT
 
    Remote SSH port to use, if you want to allow any port, use --port-any
 
-.. option:: --port-any             
+.. option:: --port-any
 
    Allow access to all remote ports
 
-.. option:: --scpup                
+.. option:: --scpup
 
    Allow SCP upload, you--bastion-->server (omit --user in this case)
 
-.. option:: --scpdown              
+.. option:: --scpdown
 
    Allow SCP download, you<--bastion--server (omit --user in this case)
 
-.. option:: --force                
+.. option:: --force
 
    Add the access without checking that the public SSH key is properly installed remotely
 
@@ -50,15 +50,15 @@ Add a personal server access on your account
 
    Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
 
-.. option:: --force-password HASH  
+.. option:: --force-password HASH
 
    Only use the password with the specified hash to connect to the server (cf selfListPasswords)
 
-.. option:: --ttl SECONDS|DURATION 
+.. option:: --ttl SECONDS|DURATION
 
    Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
 
-.. option:: --comment "'ANY TEXT'" 
+.. option:: --comment "'ANY TEXT'"
 
    Add a comment alongside this server. Quote it twice as shown if you're under a shell.
 

doc/sphinx/plugins/restricted/selfDelPersonalAccess.rst

@@ -18,27 +18,27 @@ Remove a personal server access from your account
 
    Server to remove access from
 
-.. option:: --user USER           
+.. option:: --user USER
 
    Remote user that was allowed, if any user was allowed, use --user-any
 
-.. option:: --user-any            
+.. option:: --user-any
 
    Use if any remote login was allowed
 
-.. option:: --port PORT           
+.. option:: --port PORT
 
    Remote SSH port that was allowed, if any port was allowed, use --port-any
 
-.. option:: --port-any            
+.. option:: --port-any
 
    Use if any remote port was allowed
 
-.. option:: --scpup               
+.. option:: --scpup
 
    Remove SCP upload right, you--bastion-->server (omit --user in this case)
 
-.. option:: --scpdown             
+.. option:: --scpdown
 
    Remove SCP download right, you<--bastion--server (omit --user in this case)
 

doc/sphinx/plugins/restricted/whoHasAccessTo.rst

@@ -14,19 +14,19 @@ List the accounts that have access to a given server
 .. program:: whoHasAccessTo
 
 
-.. option:: --host SERVER       
+.. option:: --host SERVER
 
    List declared accesses to this server
 
-.. option:: --user USER         
+.. option:: --user USER
 
    Remote user allowed (if not specified, ignore user specifications)
 
-.. option:: --port PORT         
+.. option:: --port PORT
 
    Remote port allowed (if not specified, ignore port specifications)
 
-.. option:: --ignore-personal   
+.. option:: --ignore-personal
 
    Don't check accounts' personal accesses (i.e. only check groups)
 
@@ -35,7 +35,7 @@ List the accounts that have access to a given server
    Ignore accesses by this group, if you know GROUP public key is in fact
 
                           not present on remote server but bastion thinks it is
-.. option:: --show-wildcards    
+.. option:: --show-wildcards
 
    Also list accesses that match because 0.0.0.0/0 is listed in a group or private access,
 

doc/sphinx/using/basics/first_steps.rst

@@ -141,7 +141,7 @@ then use ``<TAB>`` again to show you the required arguments. The complete comman
 
 You'll notice that it didn't work. This is because first, you need to add your *personal egress key* to the
 remote machine's *authorized_keys* file. If this seems strange, here is
-:doc:`how it works <../presentation/principles>`.
+:doc:`how it works </presentation/principles>`.
 To get your *personal egress key*, you can use this command:
 
 .. code-block:: shell
@@ -267,4 +267,4 @@ Let's see what we did exactly during this session:
    ~ Starting from the next line, the Total Recall begins. Press CTRL+C to jolt awake.
 
 Now that you've connected to your first server, using a personal access,
-you may want to learn more about the :doc:`<access_management>`, or directly dive into the **PLUGINS** on the left menu.
+you may want to learn more about the :doc:`access_management`, or directly dive into the **PLUGINS** on the left menu.