## allow admin users to request a recovery key, this is really not
## sufficient, but the real check is done on the
## ``ssh-admin-cmd-validate`` side.

%rsync ALL=(root) NOPASSWD: /usr/local/sbin/request-recovery-key *
%rsync ALL=(root) NOPASSWD: /bin/touch /etc/rsync/keys/recover/*
%rsync ALL=(root) NOPASSWD: /usr/local/sbin/ssh-update-keys