
How do I find out the username of the user who initiated an ssh connection?

Let's say I ssh from userA@machine1 to userB@machine2. Now that I'm on machine2, how do I find out the username of userA? I have access (but not always root access) to both machines. Ideally this would not require any special setup on machine1, but if that's not possible then I'm open to any solution.

Alex Grin

4 Answers


Assuming Linux on both sides:

  • Run netstat -nt on machine2 and look for the connection from machine1. It will look something like this:

    tcp 0 48 10.243.18.22:22 10.48.209.120:54875 ESTABLISHED

    The first ip:port is the address and port on the local machine (i.e., machine2), and the second is the address and port on the remote machine (in this example, machine1).

  • Log into machine1. Run (as root) netstat -tpn | grep 54875 (where 54875 is the port you found in the previous step). This will show you the PID of the originating ssh process, from which you can trivially determine the user using the ps command.

You can avoid a lot of this work if you're running an ident daemon on the originating system, but (a) not many people do that, because it exposes information about your users, and (b) it's nice to know how to do it.

larsks
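The two-step netstat lookup in the answer above, automated as an added example (this is not code from the answer or from the original post): it parses constructed sample `netstat -nt` output from machine2 and constructed `netstat -tpn` and `ps -eo pid=,user=` output from machine1, then correlates the client port to a PID and to a username. The addresses, the sample outputs and the function names are assumptions; the "-" case shows what you get when `netstat -tpn` on machine1 is not run as root.

```python
# Constructed samples, not real captures. `netstat -nt` on machine2 (the sshd side):
M2_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address       State
tcp        0     48 10.243.18.22:22    10.48.209.120:54875   ESTABLISHED
tcp        0      0 10.243.18.22:22    10.48.209.120:60112   ESTABLISHED
tcp        0      0 10.243.18.22:443   10.48.209.120:54875   ESTABLISHED
"""
# `netstat -tpn` on machine1; the PID column reads "-" for other users' sockets when not root:
M1_NETSTAT = """\
Proto Recv-Q Send-Q Local Address        Foreign Address     State       PID/Program name
tcp        0      0 10.48.209.120:54875  10.243.18.22:22     ESTABLISHED 4242/ssh
tcp        0      0 10.48.209.120:60112  10.243.18.22:22     ESTABLISHED -
"""
M1_PS = " 4242 usera\n 4311 userb\n"  # `ps -eo pid=,user=` on machine1 (constructed)

def ssh_clients(netstat_nt, server_ip, server_port=22):
    """Step 1 on machine2: (client_ip, client_port) of each established session to sshd.
    The local ip:port is checked too, since a client port can be reused towards another service."""
    found = []
    for line in netstat_nt.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp" or f[5] != "ESTABLISHED":
            continue
        lip, lport = f[3].rsplit(":", 1)
        rip, rport = f[4].rsplit(":", 1)
        if lip == server_ip and int(lport) == server_port:
            found.append((rip, int(rport)))
    return found

def client_pid(netstat_tpn, client_port, server_ip, server_port=22):
    """Step 2 on machine1: PID of the ssh process owning client_port, or None when
    the socket is absent or its owner is hidden ("-" when netstat is not run as root)."""
    for line in netstat_tpn.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] != "tcp":
            continue
        lport = int(f[3].rsplit(":", 1)[1])
        rip, rport = f[4].rsplit(":", 1)
        if lport == client_port and rip == server_ip and int(rport) == server_port:
            pid = f[6].split("/", 1)[0]
            return int(pid) if pid.isdigit() else None
    return None

def pid_user(ps_out, pid):
    """Step 3 on machine1: map the PID to its owner using `ps -eo pid=,user=` output."""
    users = {int(p): u for p, u in (l.split() for l in ps_out.splitlines() if l.strip())}
    return users.get(pid)

def originating_user(client_port, netstat_tpn=M1_NETSTAT, ps_out=M1_PS, server_ip="10.243.18.22"):
    """Steps 2 and 3 chained: the username behind a client port seen on machine2."""
    pid = client_pid(netstat_tpn, client_port, server_ip)
    return pid_user(ps_out, pid) if pid is not None else None
```

A None result means the lookup was not authoritative (no root on machine1, or the socket is already gone), which is the caveat the next answer raises.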

Do you need to know or want to know? I mean that in a technical sense, because without root access on the remote machine ("machine1" in your setup), there's no way to know authoritatively. However, you may be able to make reasonable guesses. That helps if it's informational, but is no good for security.

The ident daemon was the old-fashioned way of running that, but since in the current world there's no sense in just handing out user information for free to untrusted sites, modern identd implementations usually give an encrypted result. This can be decrypted using a secret kept on the system itself. But even more often now, people just don't run an ident daemon at all.

If you have root on machine1, you can run identd with encryption and use the secret on machine2 to find your answer. Or you can do the netstat stuff larsks suggests. But if you don't have root, you can look at processes not-as-root and make educated guesses based on timing.

Alternately, you can approach the question from a different angle. If identity assurance is your concern, some type of time- or counter-based cryptographic OTP solution might make it so you can be reasonably sure the remote users connecting are the ones they're supposed to be, no matter what they connect to.

mattdm

This is handled by an ident daemon running on the auth port (authd, oidentd, pidentd, etc.).

Ignacio Vazquez-Abrams

Couldn't you simply run ps -aux on machine2?

I SSH into Machine2 from Machine1 and here is the output. I even did a su to root and I can see the original UID I connected with.

    root 31519 0.1 0.1 6512 1940 ? Ss 10:56 0:00 sshd: eric [priv]
    eric 31521 0.0 0.1 6512 1224 ? S 10:56 0:00 sshd: eric@pts/0

Kilo