How to distinguish different users on shared SSH accounts
Situation
Sometimes more than one user has legitimate access to a single account on a computer via SSH (more precisely, OpenSSH). These users may have different opinions and preferences regarding the environment. How can the environment be adjusted for a particular user when all users share the same configuration files? How can users avoid setting up the environment manually each time they log in? This situation requires a switch that can be triggered during the login process.
We assume a Debian GNU/Linux style system close to default settings, with bash as the login shell and public key authentication (password authentication is prone to cyber attacks). The users must be cooperative and not change configuration sections that affect other users. This is the social part of the solution(s).
The configuration examples below contain some ANSI escape codes beginning with \[\033 for demonstration purposes. These codes create colored output for a nice optical effect.
Solution I
The switch is implemented in ${HOME}/.bashrc.
# LC_REALUSER is sent by the ssh client (see Trigger I)
if [ "${LC_REALUSER}" = "alice" ] ; then
    PS1="\[\033[32;40m\] alice ${PS1}"
elif [ "${LC_REALUSER}" = "bob" ] ; then
    PS1="\[\033[36;40m\] bob ${PS1}"
fi
If the variable is not supposed to begin with LC_, we have to adjust the AcceptEnv line in the sshd config file /etc/ssh/sshd_config to our needs.
Trigger I
The ssh login command must be adjusted in the following ways:
# alice
LC_REALUSER="alice" ssh -o SendEnv=LC_REALUSER -p "${sshport}" -l "${sshloginname}" "${machine_ip_or_domain}"
# bob
LC_REALUSER="bob" ssh -o SendEnv=LC_REALUSER -p "${sshport}" -l "${sshloginname}" "${machine_ip_or_domain}"
Solution II
Again the switch is implemented in ${HOME}/.bashrc. We choose a different variable name so that both methods can be combined to test what is happening.
# LC_AUTHUSER is set by sshd from the authorized_keys entry (see Trigger II)
if [ "${LC_AUTHUSER}" = "alice" ] ; then
    PS1="\[\033[30;42m\] alice ${PS1}"
elif [ "${LC_AUTHUSER}" = "bob" ] ; then
    PS1="\[\033[30;46m\] bob ${PS1}"
fi
Trigger II
We need the line
PermitUserEnvironment yes
in the sshd config file /etc/ssh/sshd_config. In ${HOME}/.ssh/authorized_keys there are lines with the public keys of Alice and Bob. The structure is something like
ssh-rsa AAAA[...] alice@example.net
ssh-ed25519 AAAA[...] bob@example.org
These must be changed in the following way:
environment="LC_AUTHUSER=alice" ssh-rsa AAAA[...] alice@example.net
environment="LC_AUTHUSER=bob" ssh-ed25519 AAAA[...] bob@example.org
Client Distinction
The second solution can also be used to distinguish between different client machines that use different SSH keys. Sometimes a user needs this kind of configuration for redundancy or other reasons.
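A check for the labelling described in Trigger II and Client Distinction, as an added example that is not part of the original page: it lists which LC_AUTHUSER label each key line carries and flags keys without one. The function names, the sample lines and the user carol are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit an authorized_keys file
# for the environment="LC_AUTHUSER=..." labels used in Solution II.

# Constructed sample input; key blobs are placeholders, carol is hypothetical.
sample_keys() {
  cat <<'EOF'
# shared account: one line per person or client machine
environment="LC_AUTHUSER=alice" ssh-rsa AAAAplaceholder1 alice@example.net
no-port-forwarding,environment="LC_AUTHUSER=bob" ssh-ed25519 AAAAplaceholder2 bob@example.org
ssh-ed25519 AAAAplaceholder3 carol@example.com
EOF
}

# audit_authorized_keys [FILE]   (reads stdin when FILE is omitted)
# Prints "<label> <keytype> <comment>" per key; label is UNLABELED when the
# option is missing. Exit status is 1 if any key is unlabeled, else 0.
audit_authorized_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
      # Locate the key type; everything before it is the options field.
      # Simplification: assumes no key type name occurs inside an option value.
      if (!match($0, /(^|[ \t])(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+)[ \t]/)) {
        print "UNPARSED line " NR; bad = 1; next
      }
      opts = substr($0, 1, RSTART)
      rest = substr($0, RSTART); sub(/^[ \t]+/, "", rest)
      split(rest, f, /[ \t]+/)                   # f[1]=type f[2]=blob f[3]=comment
      label = "UNLABELED"
      # Only the options field counts; a look-alike string in the comment does not.
      if (match(opts, /environment="LC_AUTHUSER=[^"]*"/))
        label = substr(opts, RSTART + 25, RLENGTH - 26)
      if (label == "UNLABELED") bad = 1
      print label, f[1], f[3]
    }
    END { exit bad + 0 }
  ' "${1:--}"
}

# Demo on the constructed sample.
sample_keys | audit_authorized_keys || echo "some keys carry no LC_AUTHUSER label" >&2
```

Run it against the shared account's file with `audit_authorized_keys "${HOME}/.ssh/authorized_keys"`. On OpenSSH 7.8 or later, PermitUserEnvironment also accepts a pattern list of variable names (for example LC_AUTHUSER) in place of yes, which limits what the key lines of the shared account can set.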
Thanks
This solution was inspired by a conversation in the LUGA online meeting with contributions from DLUG.