diff --git a/fas/client/fas.conf b/fas/client/fas.conf
index b54001e..58e06a6 100644
--- a/fas/client/fas.conf
+++ b/fas/client/fas.conf
@@ -26,7 +26,7 @@ restricted_groups = sysadmin
 ; ssh_restricted_groups: groups that should be restricted by ssh key. You will
 ; need to disable password based logins in order for this value to have any
 ; security meaning
-ssh_restricted_groups =
+ssh_restricted_groups = sysadmin-web
 
 [users]
 ; default shell given to people in [host] groups
@@ -39,5 +39,20 @@ home = /home/fedora
 ; deleted this location should be tmpwatched
 home_backup_dir = /tmp/fedora
 
-ssh_restricted_app =
+; ssh_restricted_app - This is the path to the restricted shell script. It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine. An alternative example
+; could be given to people who should only have cvs access on the machine.
+; setting this value to "/usr/bin/cvs server" would do this.
+ssh_restricted_app = /usr/local/bin/restricted-shell
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
 restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys. Users in the
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
diff --git a/fas/client/fasClient.py b/fas/client/fasClient.py
index 830fb15..cf93537 100755
--- a/fas/client/fasClient.py
+++ b/fas/client/fasClient.py
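Review bot: The comment added above `restricted_shell = /sbin/nologin` in the second hunk describes the wrong key — it says the shell goes to users in `ssh_restricted_groups`, which is exactly what the `ssh_restricted_shell` comment three lines below says; it should read `; restricted_shell - The shell given to users in the restricted_groups`. The `ssh_restricted_app` comment would be clearer if it said why "it will not work automatically": the key is installed with a forced `command=`, so the command the user actually asked for only reaches that script via the SSH_ORIGINAL_COMMAND environment variable and the script has to decide what to do with it. Minor: "powerfull" should be "powerful", and the `ssh_key_options` comment could state that the options only cover keys this client writes for `ssh_restricted_groups` members, so they give no protection for any other login path on the host.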
@@ -140,17 +140,54 @@ class MakeShellAccounts(BaseClient): def ssh_key(self, person): ''' determine what ssh key a user should have ''' for group in config.get('host', 'groups').split(','): - if person['username'] in self.group_mapping[group]: - return person['ssh_key'] - + try: + if person['username'] in self.group_mapping[group]: + return person['ssh_key'] + except KeyError: + print >> sys.stderr, '%s is could not be found in fas but was in your config under "groups"!' % group + continue + for group in config.get('host', 'restricted_groups').split(','): + try: + if person['username'] in self.group_mapping[group]: + return person['ssh_key'] + except KeyError: + print >> sys.stderr, '%s is could not be found in fas but was in your config under "restricted_groups"!' % group + continue + for group in config.get('host', 'ssh_restricted_groups').split(','): + try: + if person['username'] in self.group_mapping[group]: + command = config.get('users', 'ssh_restricted_app') + options = config.get('users', 'ssh_key_options') + key = 'command="%s",%s %s' % (command, options, person['ssh_key']) + return key + except KeyError: + print >> sys.stderr, '%s is could not be found in fas but was in your config under "ssh_restricted_groups"!' % group + continue + return 'INVALID\n' def shell(self, username): ''' Determine what shell username should have ''' for group in config.get('host', 'groups').split(','): - if username in self.group_mapping[group]: - return config.get('users', 'shell') - for group in config.get('host', 'restricted_groups'): - if username in self.group_mapping[group]: - return config.get('users', 'restricted_shell') + try: + if username in self.group_mapping[group]: + return config.get('users', 'shell') + except KeyError: + print >> sys.stderr, '%s is could not be found in fas but was in your config under "groups"!' 
% group + continue + for group in config.get('host', 'restricted_groups').split(','): + try: + if username in self.group_mapping[group]: + return config.get('users', 'restricted_shell') + except KeyError: + print >> sys.stderr, '%s is could not be found in fas but was in your config under "restricted_groups"!' % group + continue + for group in config.get('host', 'ssh_restricted_groups').split(','): + try: + if username in self.group_mapping[group]: + return config.get('users', 'ssh_restricted_shell') + except KeyError: + print >> sys.stderr, '%s is could not be found in fas but was in your config under "restricted_groups"!' % group + continue + print >> sys.stderr, 'Could not determine shell for %s. Defaulting to /sbin/nologin' % username return '/sbin/nologin'
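Review bot: In `ssh_key`, the restricted key is built as `'command="%s",%s %s' % (command, options, person['ssh_key'])` straight from the user-uploaded key text without checking that it is a single line; if the stored `ssh_key` ever holds several lines or an embedded newline, only the first line carries the `command=`/`no-pty` options and the remaining lines would land in authorized_keys unrestricted. Guard it before formatting, e.g. `if '\n' in person['ssh_key'].strip(): return 'INVALID\n'`, and join `options` only when it is non-empty so an empty `ssh_key_options` does not leave a dangling comma after `command="..."`. In `shell`, the third loop iterates `ssh_restricted_groups` but its KeyError message says `"restricted_groups"`, and all six messages read "is could not be found" — drop the "is". Both methods check `groups` before `ssh_restricted_groups`, so a user who is in both gets the unrestricted key and shell; if that precedence is intended, a one-line comment saying so would help, and note that the enclosing MakeShellAccounts class continues outside the hunk.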