Thomas Martin
2013-May-21 08:25 UTC
SSH users authentication depending on their public key.
Hi everyone.

I'm looking for a way to identify my SSH users according to their public key; I mean I would like to have their name logged in my bash session (in a shared unix account).
I put this in my .profile:
export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S - $SSH_USER] "

So now I'm trying to make OpenSSH fill the "SSH_USER" variable.
First I have to exclude the PermitUserEnvironment possibility for security reasons, as said in the manual (and so I can't use the "environment" directive in authorized_keys).
I saw the AcceptEnv and SendEnv directives but I don't want to depend on client settings.
So I did some tries with the "command" directive in authorized_keys and I'm able to manage interactive or non-interactive sessions, but I don't know how to deal with sshfs/sftp use.
Also, according to me, this is not an elegant solution, but I wasn't able to find another way until now.

Here is my authorized_keys:
command="sh -c 'SSH_KEY_USER=thomas /tmp/test.sh ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa publickey thomas at host.domain

Here is the /tmp/test.sh script:
#!/bin/bash
#
set -e
#
# interactive session: open a login shell
if [ -n "$SSH_TTY" ]; then
    /bin/bash -l
# non-interactive session: run the words of SSH_ORIGINAL_COMMAND passed as arguments
elif [ -n "$1" ]; then
    "$@"
fi
exit 0

Do you have any other solutions? Am I missing something?
Unfortunately I can't create one unix account per ssh key... Unix accounts are shared by two or more users; this is why I would love to know who made future mistakes ;)

Thanks in advance.
Thanks.
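The missing piece in the post above is the sftp/sshfs case: when the client asks for a subsystem, sshd still runs the forced command, but with SSH_ORIGINAL_COMMAND set to the command configured on the sshd_config "Subsystem sftp ..." line (for example "internal-sftp" or the path of sftp-server). The wrapper below is an added example, not code from the thread or from the OpenSSH project; it dispatches on that value, exports the per-key label under the SSH_USER name the .profile line already reads, and records the label in syslog, which the shared account cannot rewrite the way it can rewrite its own bash history. The script path /usr/local/bin/ssh-tag.sh, the KEY_USER label, and the SFTP_SERVER default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a forced-command wrapper for the
# authorized_keys "command=" option that tags the session with a per-key
# label and also handles sftp/sshfs subsystem requests.
#
# Assumed authorized_keys line (KEY_USER is a hypothetical label set per key;
# the script path is an assumption):
#   command="KEY_USER=thomas /usr/local/bin/ssh-tag.sh" ssh-rsa AAAA... thomas@host
#
# For a subsystem request sshd sets SSH_ORIGINAL_COMMAND to the command on
# the "Subsystem sftp ..." line ("internal-sftp" or the sftp-server path).
# SFTP_SERVER is an assumed default; set it to the binary used on your host.
SFTP_SERVER=${SFTP_SERVER:-/usr/lib/openssh/sftp-server}

# classify_request ORIGINAL_COMMAND TTY -> prints one of:
#   sftp | interactive | command | empty
classify_request() {
    case "$1" in
        internal-sftp|*sftp-server*) echo sftp ;;
        '') if [ -n "$2" ]; then echo interactive; else echo empty; fi ;;
        *)  echo command ;;
    esac
}

# history_format LABEL -> HISTTIMEFORMAT value carrying the key label, so the
# .profile line is not even needed.
history_format() {
    printf '[%%Y-%%m-%%d %%H:%%M:%%S - %s] ' "$1"
}

run_session() {
    label=${KEY_USER:-unknown}
    kind=$(classify_request "${SSH_ORIGINAL_COMMAND:-}" "${SSH_TTY:-}")

    # Export the label under the name .profile reads, and log the mapping
    # (key label, client address, session kind, command) to syslog.
    export SSH_USER=$label
    export HISTTIMEFORMAT
    HISTTIMEFORMAT=$(history_format "$label")
    logger -t ssh-tag "user=$label from=${SSH_CONNECTION%% *} kind=$kind cmd=${SSH_ORIGINAL_COMMAND:-}" 2>/dev/null || true

    case $kind in
        sftp)        exec "$SFTP_SERVER" ;;
        interactive) exec /bin/bash -l ;;
        # Hand the original command string to a shell whole instead of
        # re-splitting it word by word as an unquoted $* would.
        command)     exec /bin/sh -c "$SSH_ORIGINAL_COMMAND" ;;
        *)           echo "ssh-tag: no command and no tty" >&2; exit 1 ;;
    esac
}

# Dispatch only when sshd invoked us; sourcing the file elsewhere is harmless.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_session
fi
```

Because sshd runs the command= option through the account's login shell, the `KEY_USER=thomas /usr/local/bin/ssh-tag.sh` prefix works with any sh-family shell. The label is only as trustworthy as the authorized_keys file itself: anyone with a shell in the shared account can edit it unless the file lives in a root-owned location (AuthorizedKeysFile pointed outside the home directory), so treat the syslog line as an attribution aid rather than an audit record.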
Damien Miller
2013-May-21 09:43 UTC
SSH users authentication depending on their public key.
On Tue, 21 May 2013, Thomas Martin wrote:

> Hi everyone.
>
> I'm looking for a way to identify my SSH users according to their
> public key; I mean I would like to have their name logged in my bash
> session (in a shared unix account).
> I put this in my .profile:
> export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S - $SSH_USER] "
>
> So now I'm trying to make OpenSSH fill the "SSH_USER" variable.

Where SSH_USER is what, exactly?

There are proposals to expose the key (or fingerprint thereof) used to authenticate a user under SSH_AUTH_KEY, but there are some corner cases to do with multiple authentication to be worked out.

> First I have to exclude the PermitUserEnvironment possibility for
> security reasons as said in the manual (and so I can't use the
> "environment" directive in authorized_keys).

I think PermitUserEnvironment is safe if the users' shell is statically linked and it clears LD_* before doing anything else. Maybe we should make it a pattern-list of variables to accept though. I.e.

PermitUserEnvironment BLAH*,LC_*

would allow any environment variable matching the wildcards.

Alternately (and this is easier to do), you could move the AuthorizedKeysFile to be root-controlled (root-owned file and directory), comment out the parts of session.c that load ~/.ssh/environment and then turn PermitUserEnvironment back on. The user would have no way of setting arbitrary environment variables (assuming they don't have root) and you could use environment=... options in authorized_keys as much as you like.

-d
Ángel González
2013-May-21 10:27 UTC
SSH users authentication depending on their public key.
On 21/05/13 10:25, Thomas Martin wrote:

> Hi everyone.
>
> I'm looking for a way to identify my SSH users according to their
> public key; I mean I would like to have their name logged in my bash
> session (in a shared unix account).
> I put this in my .profile:
> export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S - $SSH_USER] "
>
> So now I'm trying to make OpenSSH fill the "SSH_USER" variable.
> (...)
> Here is my authorized_keys:
> command="sh -c 'SSH_KEY_USER=thomas /tmp/test.sh
> ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa publickey thomas at host.domain

It may be simpler to use

/usr/bin/env SSH_KEY_USER=thomas ${SSH_ORIGINAL_COMMAND:-} ssh-rsa ...

> Do you have any other solutions? Am I missing something?
> Unfortunately I can't create one unix account per ssh key... Unix
> accounts are shared by two or more users; this is why I would love to
> know who made future mistakes ;)

I guess you already know this is just opportunistic logging, and any user could impersonate another one or even prevent it from being registered.

It's strange that you can't afford one account per user (even if they then e.g. sudo to run the commands under the shared account).