--- a/refresh-auth Fri May 02 17:33:39 2008 +0100
+++ b/refresh-auth Fri May 02 18:03:42 2008 +0100
@@ -11,12 +11,22 @@
import ruleset
import subprocess
-if len(sys.argv) != 2:
+if len(sys.argv) != 3:
sys.stderr.write("refresh-auth: wrong number of arguments (%s)\n" % sys.argv)
sys.exit(-1)
-wrappercommand = sys.argv[1]
-akeyfile = os.path.expanduser("~/.ssh/authorized_keys")
+akeyfile = sys.argv[1]
+wrappercommand = sys.argv[2]
+prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
+
+if os.path.exists(akeyfile):
+ f = open(akeyfile)
+ try:
+ for l in f:
+ if not l.startswith(prefix):
+ raise Exception("Safety check failed, delete %s to continue" % akeyfile)
+ finally:
+ f.close()
akeys = open(akeyfile + "_new", "w")
for root, dirs, files in os.walk("keys"):
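Review bot: The safety check at `if not l.startswith(prefix)` has no comment saying what it protects, and it fails with a bare `raise Exception(...)` while the argument check just above reports through `sys.stderr.write` and `sys.exit(-1)`. The match is a prefix test only, so it guards against overwriting a hand-maintained file rather than validating the forced command. It also rejects blank lines and `#` comment lines, which sshd accepts in authorized_keys. If that strictness is intended, state it in a comment such as `# refuse to replace a file containing any line this script did not generate`. Since akeyfile now comes from argv, the usage error should name the expected arguments, e.g. `usage: refresh-auth <authorized_keys> <wrapper-command>`.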
@@ -26,8 +36,6 @@
# ignore any path that contains dodgy characters
continue
keyname = ffn[5:]
- prefix=('command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
- % ('%s %s' % (wrappercommand, keyname)))
p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn),
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
newkey = p.communicate()[0]
@@ -42,7 +50,7 @@
kf.close()
for l in klines:
if len(l):
- akeys.write("%s %s\n" % (prefix, l))
+ akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l))
akeys.close()
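Review bot: `wrappercommand` is written inside the double-quoted `command=` value with no validation, so a `"` or newline in argv[2] would end the option early. The resulting authorized_keys line could then carry a forced command and restrictions other than the ones intended. keyname appears to be covered by the "dodgy characters" filter earlier in the loop, which is outside this hunk, but wrappercommand is taken straight from sys.argv in the first hunk. Reject such values once at startup, e.g. `if '"' in wrappercommand or '\n' in wrappercommand: sys.exit("refresh-auth: bad wrapper command")`. The enclosing loop starts outside the hunk.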