SSH users authentication depending on their public key.

Thomas Martin tmartincpp at gmail.com
Tue May 21 21:29:09 EST 2013


2013/5/21 Ángel González <keisial at gmail.com>:
> It may be simpler to use /usr/bin/env SSH_KEY_USER=thomas
> ${SSH_ORIGINAL_COMMAND:-} ssh-rsa ...
>

This solution will work with non-interactive sessions but not with
shells, as SSH will execute env as a login shell when I try to log in:

Authorized_keys:
command="/usr/bin/env SSH_KEY_USER=maxime ${SSH_ORIGINAL_COMMAND:-}"
ssh-rsa blablabla

Tests:
$ ssh server1 -l root "uptime"
 13:15:06 up 19 days,  1:45,  4 users,  load average: 1.93, 1.20, 0.89

$ ssh server1 -l root
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=10.1.0.206 54241 22
SSH_TTY=/dev/pts/4
USER=root
blablabla

> I guess you already know this is just opportunistic logging, and any user
> could impersonate another one or even avoid that it gets registered.

Indeed I'm aware of this, but you are right, I should clarify this.
Actually I trust my end-users; I would like to add the username to the
bash history only to know faster who made the change which broke
production by mistake (I mean that kind of stuff).

>
> It's strange that you can't afford one account per user (even if they then
> eg. sudo to run the commands under the shared account).

Technically this is possible, but that would make us change all of our
processes (so this is not a solution for a while).
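A forced-command wrapper that covers both cases from the tests above (a remote command and an interactive login) is shown below. It is an added example written for this post, not code from the thread or from OpenSSH; the install path /usr/local/bin/ssh-keyuser and the variable name SSH_KEY_USER are assumptions, and the authorized_keys line would carry the key owner as the wrapper's argument.

```sh
#!/bin/sh
# Forced-command wrapper for authorized_keys (added example, not from the thread):
#   command="/usr/local/bin/ssh-keyuser thomas",no-port-forwarding ssh-rsa AAAA...
# Unlike plain /usr/bin/env it tells an interactive login apart from a remote
# command, so "ssh server1 -l root" still gets a login shell.
# Assumptions: SSH_KEY_USER is what the shared account's profile reads, and
# /usr/local/bin/ssh-keyuser is a placeholder path.

# "command" when the client passed one (sshd exports SSH_ORIGINAL_COMMAND),
# "interactive" otherwise.
session_kind() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo command
    else
        echo interactive
    fi
}

# The key owner ends up in logs and history, so only accept a plain username.
valid_key_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

run_session() {
    keyuser="$1"
    valid_key_user "$keyuser" || { echo "ssh-keyuser: bad key owner" >&2; exit 1; }
    export SSH_KEY_USER="$keyuser"
    shell="${SHELL:-/bin/sh}"
    # Record the attribution server-side as well; bash history alone can be
    # edited or skipped by the user, so syslog gives a second, tamper-resistant copy.
    logger -t ssh-keyuser "account=$(id -un) key_user=$keyuser kind=$(session_kind) cmd=${SSH_ORIGINAL_COMMAND:-}" 2>/dev/null || true
    if [ "$(session_kind)" = command ]; then
        exec "$shell" -c "$SSH_ORIGINAL_COMMAND"
    else
        exec "$shell" -l
    fi
}

# Only dispatch when called with the key owner as argument, as sshd does.
if [ $# -gt 0 ]; then
    run_session "$1"
fi
```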

