SSH users authentication depending on their public key.
Thomas Martin
tmartincpp at gmail.com
Tue May 21 21:29:09 EST 2013
2013/5/21 Ángel González <keisial at gmail.com>:
> It may be simpler to use /usr/bin/env SSH_KEY_USER=thomas
> ${SSH_ORIGINAL_COMMAND:-} ssh-rsa ...
>
This solution will work with non-interactive sessions but not with
shells, as SSH will execute env as a login shell when I try to log in:

Authorized_keys:

    command="/usr/bin/env SSH_KEY_USER=maxime ${SSH_ORIGINAL_COMMAND:-}" ssh-rsa blablabla

Tests:

    $ ssh server1 -l root "uptime"
    13:15:06 up 19 days, 1:45, 4 users, load average: 1.93, 1.20, 0.89

    $ ssh server1 -l root
    TERM=xterm
    SHELL=/bin/bash
    SSH_CLIENT=10.1.0.206 54241 22
    SSH_TTY=/dev/pts/4
    USER=root
    blablabla
> I guess you already know this is just opportunistic logging, and any user
> could impersonate another one or even avoid that it gets registered.
Indeed I'm aware of this, but you are right, I should clarify this.
Actually I trust my end-users; I would like to add the username to the
bash history only to find out faster who made the change that breaks
production by mistake (I mean that kind of thing).
>
> It's strange that you can't afford one account per user (even if they then
> eg. sudo to run the commands under the shared account).
Technically this is possible, but that would make us change all of our
processes (so this is not a solution for a while).
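A forced-command wrapper that still gives interactive logins a real login shell while tagging the session with the key owner, as an added example that is not code from this thread; the install path, the key-owner argument convention and the per-key HISTFILE are assumptions.

```shell
#!/bin/sh
# ssh-key-wrapper: replaces /usr/bin/env as the forced command, so an
# interactive login gets a login shell instead of env's variable dump.
# Assumed authorized_keys entry (path and argument are not from the thread):
#   command="/usr/local/sbin/ssh-key-wrapper maxime" ssh-rsa AAAA... maxime@laptop

# Accept only a plain identifier as the key owner name.
valid_key_user() {
    case "$1" in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# "command" when the client requested one (sshd exposes it as
# SSH_ORIGINAL_COMMAND under a forced command), "login" otherwise.
session_mode() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo command
    else
        echo login
    fi
}

run_session() {
    key_user="$1"
    valid_key_user "$key_user" || { echo "ssh-key-wrapper: bad key user" >&2; exit 1; }
    export SSH_KEY_USER="$key_user"
    # One history file per key owner, unless the account's dotfiles reset HISTFILE.
    export HISTFILE="$HOME/.bash_history.$key_user"
    shell="${SHELL:-/bin/sh}"
    case "$(session_mode)" in
        command) exec "$shell" -c "$SSH_ORIGINAL_COMMAND" ;;
        login)   exec "$shell" -l ;;
    esac
}

# Only act when sshd passes the key owner as an argument; sourcing the
# file without arguments (e.g. for tests) runs nothing.
if [ $# -ge 1 ]; then
    run_session "$1"
fi
```

The user can still unset SSH_KEY_USER or change HISTFILE once logged in, so this remains the opportunistic logging described above, not an access control.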