We’ve often run into the problem of how to deal with multiple users sharing one account, since I don’t really want to deploy LDAP auth for external servers – pam_ldap is notoriously unstable and a PITA to debug, and I don’t particularly like the idea of making those servers dependent on auth servers which may or may not crash and/or run into other problems.
Thankfully, SSH’s key authentication allows you to launch a custom command on login. Thus, I wrote some small wrapper script:
#! /bin/bash
if [ $# -lt 3 ]; then
    echo "Usage: shmux 'Full User Name' shell vimmode [commandstring]"
    echo " With vimmode being 'full' or 'minimal' and 'commandstring' being a string to be fed into SHELL -c."
    exit 1
fi
export TRUEUSER="$1"
user=$(echo "$TRUEUSER" | tr '[:upper:]' '[:lower:]')
export TRUEMAIL="${user// /.}@tao.at"
export GIT_COMMITTER_NAME="$TRUEUSER"
export GIT_AUTHOR_NAME="$TRUEUSER"
export GIT_COMMITTER_EMAIL="$TRUEMAIL"
export GIT_AUTHOR_EMAIL="$TRUEMAIL"
SH="$2"
export VIMMODE="$3"
shift 3
# Ensure compatibility with SCP/SFTP/SSH custom commands: whatever follows the
# third argument is the client's original command (joined with spaces in case
# it arrived unquoted and was word-split); if it is empty, start a login shell.
if [ -n "$*" ]; then
    exec "$SH" -c "$*"
else
    echo "[shmux] Authenticated as $TRUEUSER"
    exec "$SH" -l
fi
…which multiplexes the one shared account into several per-person identities. The $TRUEUSER variable can be used for further customization (e.g. source /etc/profile.d/$TRUEUSER.sh for user-specific commands). The VIMMODE variable seen in the code is used with another multiplexer aliased to vim:
#! /bin/sh
case "$VIMMODE" in
    minimal) vim -u /etc/vimrc.minimal "$@" ;;
    *)       vim "$@" ;;
esac
This allows having different vimrcs depending on the user preferences (or abilities). This could again be expanded to load user-specific settings (or launch emacs, if you really want to ruin someone’s day).
The actual user settings are then configured in the authorized_keys of the to-be-multiplexed account (which is distributed over our internal package repository):
[…]
command="/usr/bin/shmux 'Sven Schwedas' zsh full \"${SSH_ORIGINAL_COMMAND:-}\"" ssh-rsa …
command="/usr/bin/shmux 'Foobar Foo' tcsh minimal \"${SSH_ORIGINAL_COMMAND:-}\"" ssh-rsa …
[…]
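To keep an eye on who can actually reach the shared account, here is an added audit script (not part of the post and not tao.at's own tooling) that reads such an authorized_keys file, maps every key's SHA256 fingerprint (the form sshd writes to the auth log on a successful login) to the person named in its shmux command, and flags keys that carry no forced command and would therefore land straight in the shared account without any attribution. It assumes shmux is installed at /usr/bin/shmux with the argument order shown above; the key blobs and host comments in the sample are constructed placeholders, not real keys.

```python
"""Audit helper for a shared account whose authorized_keys multiplexes
several people through a forced command="/usr/bin/shmux ..." entry.
Added example, not code from the original post.  It assumes shmux lives
at SHMUX and takes the arguments 'Full User Name' shell vimmode; every
key blob below is a constructed placeholder, not a real public key."""
import base64
import hashlib
import shlex

SHMUX = "/usr/bin/shmux"                         # assumed install path
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")       # line starts with a key: no options


def _split_unquoted(text, sep):
    """Split on sep outside double quotes; a backslash-escaped quote
    (the authorized_keys way of nesting quotes) does not toggle quoting."""
    parts, cur, quoted, prev = [], [], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        prev = ch
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_entry(line):
    """Return the SHA256 fingerprint (the form sshd logs at login), the
    forced command argv (None if the key is unrestricted) and, when the
    command is a shmux call, the real person, shell and vimmode it maps to."""
    fields = _split_unquoted(line.strip(), " ")
    if line.lstrip().startswith(KEY_TYPES):
        options, keytype, blob = "", fields[0], fields[1]
    else:
        options, keytype, blob = fields[0], fields[1], fields[2]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    entry = {"fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
             "keytype": keytype, "command": None,
             "trueuser": None, "shell": None, "vimmode": None}
    for opt in _split_unquoted(options, ","):
        if opt.startswith("command="):
            value = opt[len("command="):]
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            argv = shlex.split(value.replace('\\"', '"'))
            entry["command"] = argv
            if len(argv) >= 4 and argv[0] == SHMUX:
                entry["trueuser"], entry["shell"], entry["vimmode"] = argv[1:4]
    return entry


def audit(lines):
    """One (fingerprint, status, detail) tuple per key entry.  UNRESTRICTED
    keys get a plain login as the shared account and defeat the scheme;
    NON-SHMUX commands may be legitimate but are not attributable to a person."""
    report = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        e = parse_entry(line)
        if e["command"] is None:
            report.append((e["fingerprint"], "UNRESTRICTED", None))
        elif e["trueuser"] is None:
            report.append((e["fingerprint"], "NON-SHMUX COMMAND", " ".join(e["command"])))
        else:
            report.append((e["fingerprint"], "OK",
                           f'{e["trueuser"]} ({e["shell"]}, vim={e["vimmode"]})'))
    return report


def shmux_entry(name, shell, vimmode, blob, comment):
    """Build one entry in the post's form, with the original command passed
    quoted so that commands containing spaces reach shmux as one argument."""
    cmd = f"{SHMUX} '{name}' {shell} {vimmode} \\\"${{SSH_ORIGINAL_COMMAND:-}}\\\""
    return f'command="{cmd}" ssh-rsa {blob} {comment}'


def _dummy_blob(label):
    """Constructed placeholder standing in for a base64 public key blob."""
    return base64.b64encode(label.encode()).decode()


# constructed sample file: two multiplexed people, one stray unrestricted
# key and one key with an unrelated forced command
SAMPLE = [
    "# authorized_keys of the shared account (constructed sample)",
    shmux_entry("Sven Schwedas", "zsh", "full", _dummy_blob("dummy key one"), "sven@laptop"),
    shmux_entry("Foobar Foo", "tcsh", "minimal", _dummy_blob("dummy key two"), "foo@desktop"),
    "ssh-ed25519 " + _dummy_blob("dummy key three") + " stray@host",
    'no-pty,command="/usr/local/bin/backup-only /srv/backup" ssh-rsa '
    + _dummy_blob("dummy key four") + " backup@nas",
]

if __name__ == "__main__":
    for fingerprint, status, detail in audit(SAMPLE):
        print(f"{fingerprint}  {status:18}  {detail or ''}")
```

Run it against the real file with `audit(open('/home/shared/.ssh/authorized_keys').read().splitlines())` (path assumed); the fingerprint column is what you grep for in sshd's "Accepted publickey" log lines, which is how a login as the shared account is tied back to a named person. An UNRESTRICTED hit is the one finding that needs fixing before the next package push.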
The only downside compared to LDAP is that it takes some minutes to distribute the updated authorized_keys file to all hosts, but apart from that it’s been working fine for some months on our servers.