Determine remote machine's account name of the user logged in over SSH

2

At the company where I work we have certain shared accounts that anyone can use over SSH to perform specific tasks. At this point, we have too many users and each of them has their own usability perks such as shell aliases etc.

What I am trying to do is allow users to have different shell settings through the ~/.bash_profile depending on who actually logged in. For example, when Jonathan logs in, I want the shell to additionally execute ~/.Jonathan_profile, and for Bob, I want the shell to source ~/.Bob_profile.

I am not sure, however, if there is a way to tell the account name on the remote machine of a user logged in using SSH.

Any hints are greatly appreciated.

user49531

Posted 2013-10-03T12:54:43.260

Reputation:

If there is a way to tell, I would call that a security flaw in the SSH client or protocol. You should not be able to do as you suggest. – Frank Thomas – 2013-10-03T12:59:23.140

@FrankThomas: That's what I thought, too. Any ideas as to possible ways to achieve what I want? – None – 2013-10-03T13:02:27.687

Don't use shared accounts? Other than that, you can run some kind of script on login to solicit the info and load a new shell, or try to use some other intermediary (shared database, hostname mapping, etc.), but that will require you to roll your own solution. – Frank Thomas – 2013-10-03T13:11:39.303

The most used solution for this is to give each user their own account (and thus their own profile with their own aliases, etc.). Then give them the right to do specific tasks from that account. – Hennes – 2013-10-03T14:22:44.580

Consider requiring use of sudosh to gain access to user accounts other than one's own. – Daniel Beck – 2013-10-04T08:16:39.300

Answers

2

You can't tell what account the client is using, because the client does not tell you. But there are these things you can do:

  1. Create separate accounts and give the users access to the shared account using sudo. This is really the preferred option that gives you the best auditing (it is always logged who does what) and the users can put whatever utilities they want in their accounts. It is, however, also the most work.

  2. Use public key authentication only and set an environment variable from there using the syntax:

         environment="END_USER=whoever" ssh-rsa asdfasdfr...

     in .ssh/authorized_keys. Then you look at $END_USER in .profile. Obviously you have to set it for each public key used to log in.

  3. Tell everyone to set the environment variable from the client using the SendEnv option (the server must have the corresponding AcceptEnv set). Again you check the variable in .profile.

  4. Get the source IP and port from the SSH_CONNECTION variable and use ident to get the actual source user; but identd would have to be running on the clients and it rarely is these days, because it's not very useful, but is useful for a potential attacker to get some information about your system.

  5. For more complicated customization within a single account, it's always possible to write a custom shell wrapper and use it with the command attribute in authorized keys. It's also quite a bit of work, but it can be used to implement almost any restrictions and auditing without having to create separate accounts.

Note: I would certainly recommend only using public keys and disabling passwords. That way if you want to cancel somebody's access, you just remove their key.

Jan Hudec

Posted 2013-10-03T12:54:43.260

Reputation: 885

We are using ssh keys. I will try to incorporate environment. Thank you very much! – None – 2013-10-03T16:31:07.957
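
A sketch of option 2 from the answer above, as an added example that is not part of the original post: a ~/.bash_profile fragment for the shared account that maps $END_USER to a per-user file such as ~/.Jonathan_profile. The function name end_user_profile and the name check are assumptions of this example; with OpenSSH, environment= in authorized_keys is only honoured when sshd_config sets PermitUserEnvironment yes.

```shell
# Added example for the shared account's ~/.bash_profile (not from the original answer).
# Assumes per-user files are named ~/.<name>_profile and END_USER is set through
# environment="END_USER=..." in authorized_keys (or through SendEnv/AcceptEnv).

# Print the path of the per-user profile for name $1 under home directory $2.
# Returns non-zero and prints nothing if the name is unsafe or the file is unusable.
end_user_profile() {
    local name home file
    name=$1
    home=$2
    # Accept only letters, digits, '_' and '-': no '/', no '..', no whitespace.
    # This matters most with SendEnv, where the client chooses the value.
    case $name in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    file=$home/.${name}_profile
    # Require a readable regular file that is not a symlink to somewhere else.
    [ -f "$file" ] && [ ! -L "$file" ] && [ -r "$file" ] || return 1
    printf '%s\n' "$file"
}

# Source the matching profile, if any; a missing or rejected END_USER is ignored
# so the shared account still gets its normal login shell.
if profile=$(end_user_profile "${END_USER:-}" "$HOME"); then
    . "$profile"
fi
```

The per-user files are sourced with the shared account's privileges, so they separate convenience settings only and do not isolate users from each other.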