How to distinguish different users on shared SSH accounts
Situation
Sometimes more than one user has gained legitimate access to the same account on a computer via SSH (to be more precise: OpenSSH). These users may have different opinions and preferences regarding the environment. How can the environment be adjusted for a specific user when all users share the same configuration files? How can users avoid setting up the environment manually each time they log in? This situation requires a switch that can be triggered during the login process.

We assume a Debian GNU/Linux style system close to default settings, with bash as the login shell and public key authentication (password authentication is prone to cyber attacks). The users must be cooperative and must not change configuration sections that affect other users. This is the social part of the solution(s).

The configuration examples below contain some ANSI escape codes, introduced by \[\033, for demonstration purposes. These codes create colored output for a nice visual effect.
Solution I
The switch is implemented in ${HOME}/.bashrc.
# Prefix the prompt with a colored name tag, chosen by the variable the client sent.
if [ "${LC_REALUSER}" = "alice" ] ; then
    PS1="\[\033[32;40m\] alice ${PS1}"
elif [ "${LC_REALUSER}" = "bob" ] ; then
    PS1="\[\033[36;40m\] bob ${PS1}"
fi
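The variable name begins with LC_ because the default Debian sshd configuration accepts LANG and LC_* variables from the client (AcceptEnv LANG LC_*). If the variable is not supposed to begin with LC_, the AcceptEnv line in the sshd config file /etc/ssh/sshd_config has to be adjusted accordingly.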
Trigger I
The ssh login command must be adjusted in the following ways:
# alice
LC_REALUSER="alice" ssh -o SendEnv=LC_REALUSER -p "${sshport}" -l "${sshloginname}" "${machine_ip_or_domain}"

# bob
LC_REALUSER="bob" ssh -o SendEnv=LC_REALUSER -p "${sshport}" -l "${sshloginname}" "${machine_ip_or_domain}"
Solution II
Again the switch is implemented in ${HOME}/.bashrc. We choose a different variable name so that both methods can be combined to test what is happening.
# Prefix the prompt with a colored name tag, chosen by the variable bound to the SSH key.
if [ "${LC_AUTHUSER}" = "alice" ] ; then
    PS1="\[\033[30;42m\] alice ${PS1}"
elif [ "${LC_AUTHUSER}" = "bob" ] ; then
    PS1="\[\033[30;46m\] bob ${PS1}"
fi
Trigger II
We need a line
PermitUserEnvironment yes
in the sshd config file /etc/ssh/sshd_config. In ${HOME}/.ssh/authorized_keys there are lines with the public keys of Alice and Bob. The structure is something like
ssh-rsa AAAA[...] alice@example.net
ssh-ed25519 AAAA[...] bob@example.org
These must be changed in the following way:
environment="LC_AUTHUSER=alice" ssh-rsa AAAA[...] alice@example.net
environment="LC_AUTHUSER=bob" ssh-ed25519 AAAA[...] bob@example.org
Client Distinction
The second solution can also be used to distinguish between different client machines that use different SSH keys. Sometimes a user needs this kind of configuration for redundancy or other reasons.
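Unlike LC_REALUSER, which each client chooses for itself, the LC_AUTHUSER label of Solution II is bound to a key on the server, so it only identifies a login if every key line carries it. The following check is an added example, not part of the original article: it lists the label of each key in an authorized_keys file and flags keys without one. The function names, the LC_NOTE variable and the sample keys are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list the LC_AUTHUSER label of every key in an authorized_keys
# file and flag keys that carry none. Reads the files given as arguments, or stdin.
# Known limit: escaped quotes (\") inside option values are not handled.
audit_authorized_keys() {
    awk -v var="LC_AUTHUSER" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            label = "UNTAGGED"
            if (match($0, "environment=\"" var "=[^\"]*\"")) {
                label = substr($0, RSTART, RLENGTH)
                sub(/^environment="[^=]*=/, "", label)
                sub(/"$/, "", label)
                if (label == "") label = "UNTAGGED"
            }
            bare = $0
            gsub(/"[^"]*"/, "", bare)            # quoted option values may hold spaces
            sub(/^[ \t]+/, "", bare)
            nf = split(bare, f, /[ \t]+/)
            k = (f[1] ~ /^(ssh|ecdsa|sk)-/) ? 1 : 2   # field 1: key type or options
            comment = (k + 2 <= nf) ? f[k + 2] : "-"
            printf "%d\t%s\t%s\t%s\n", NR, label, f[k], comment
            if (label == "UNTAGGED") bad = 1
        }
        END { exit bad + 0 }                     # status 1 if any key has no label
    ' "$@"
}

# Constructed sample input (not real keys): two labelled keys, one without label.
sample_keys() {
    cat <<'EOF'
# keys of the shared account
environment="LC_AUTHUSER=alice" ssh-rsa AAAAexample1 alice@example.net
no-agent-forwarding,environment="LC_AUTHUSER=bob",environment="LC_NOTE=work laptop" ssh-ed25519 AAAAexample2 bob@example.org
ssh-ed25519 AAAAexample3 carol@example.com
EOF
}

# Output columns: line number, label, key type, key comment.
sample_keys | audit_authorized_keys ||
    echo "at least one key has no LC_AUTHUSER label" >&2
```

On a real account, run it as audit_authorized_keys "${HOME}/.ssh/authorized_keys". sshd_config(5) notes that enabling PermitUserEnvironment may let users bypass access restrictions through mechanisms such as LD_PRELOAD, and that a pattern list of variable names (here LC_AUTHUSER) can be given instead of yes.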
Thanks
This solution was inspired by a conversation in the LUGA online meeting with contributions from DLUG.