Account multiplexing (ab-)using SSH key authentication

We’ve often run into the problem of how to deal with multiple users sharing one account, since I don’t really want to deploy LDAP auth for external servers – pam_ldap is notoriously unstable and a PITA to debug, and I don’t particularly like the idea of making those servers dependent on auth servers which may or may not crash and/or run into other problems.

Thankfully, OpenSSH’s key authentication allows you to attach a forced command to each key (the command="…" option in authorized_keys): whatever the client asked to run, sshd runs that command instead and passes the client’s original request in the SSH_ORIGINAL_COMMAND environment variable. So I wrote a small wrapper script:

#! /bin/bash
# shmux: multiplex one Unix account into several named users. Called as the
# forced command of a key in authorized_keys.

if [ $# -lt 3 ]; then
        echo "Usage: shmux 'Full User Name' shell vimmode [commandstring]" >&2
        echo "  With vimmode being 'full' or 'minimal' and 'commandstring' being a string to be fed into SHELL -c." >&2
        exit 1
fi

export TRUEUSER="$1"

# Derive the mail address from the full name: lower-case, spaces become dots.
user=$(printf '%s' "$TRUEUSER" | tr '[:upper:]' '[:lower:]')
export TRUEMAIL="${user// /.}@tao.at"

export GIT_COMMITTER_NAME="$TRUEUSER"
export GIT_AUTHOR_NAME="$TRUEUSER"
export GIT_COMMITTER_EMAIL="$TRUEMAIL"
export GIT_AUTHOR_EMAIL="$TRUEMAIL"

SH="$2"

export VIMMODE="$3"

# Ensure compatibility with SCP/SFTP/SSH custom commands.
# sshd puts the client's requested command into SSH_ORIGINAL_COMMAND when a
# forced command runs; prefer that over a command passed as (word-split)
# positional arguments, and fall back to the remaining arguments otherwise.
shift 3
cmd="${SSH_ORIGINAL_COMMAND:-$*}"
if [ -n "$cmd" ]; then
                exec "$SH" -c "$cmd"
        else
                echo "[shmux] Authenticated as $TRUEUSER"
                exec "$SH" -l
fi

…which multiplexes the one account into several named users: every key gets its own TRUEUSER, and git commits made from that login carry the right name and address. The $TRUEUSER variable can be used for further customization (e.g.: source /etc/profile.d/$TRUEUSER.sh for user-specific commands). The VIMMODE variable seen in the code is used with another multiplexer aliased to vim:

#! /bin/sh
# Pick a vimrc based on VIMMODE, which shmux exports per user. Install this
# under a name other than "vim" (and alias vim to it), otherwise it calls itself.

case "${VIMMODE:-full}" in
        minimal)
                exec vim -u /etc/vimrc.minimal "$@"
                ;;
        *)
                exec vim "$@"
                ;;
esac

This allows different vimrcs depending on user preferences (or abilities). It could again be expanded to load user-specific settings (or launch emacs, if you really want to ruin someone’s day).

The actual per-user settings then live in the authorized_keys of the to-be-multiplexed account (which we distribute through our internal package repository). Keep in mind that sshd performs no variable expansion in the command= string itself: it hands the string to the account’s login shell with -c and merely sets SSH_ORIGINAL_COMMAND in its environment, so ${SSH_ORIGINAL_COMMAND:-} is expanded by that shell, unquoted, and the client’s command arrives word-split:

[…]
command="/usr/bin/shmux 'Sven Schwedas' zsh full ${SSH_ORIGINAL_COMMAND:-}" ssh-rsa …
command="/usr/bin/shmux 'Foobar Foo' tcsh minimal ${SSH_ORIGINAL_COMMAND:-}" ssh-rsa …
[…]
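Since a key that slips into that file without a command= option yields a login nobody is attributed to, it is worth checking the file before it gets packaged. The following audit is an added example, not part of the original post or its package; it assumes the /usr/bin/shmux 'Full Name' … convention shown above, and the key blobs in the constructed sample are placeholders, not real keys.

```shell
#!/bin/sh
# Audit the authorized_keys of a multiplexed account: every key line must carry
# a forced "shmux" command naming the real user, otherwise whoever holds that
# key logs in unattributed. Prints one "ATTRIBUTED|UNATTRIBUTED keytype ..."
# line per key; exit status 1 if any key is unattributed.
# Limitation: escaped quotes (\") inside the command= string are not handled.
shmux_audit() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }                         # blank lines
        /^[ \t]*#/ { next }                         # comments
        {
            name = ""; keytype = "?"
            # forced command that hands off to shmux with a single-quoted full name
            if (match($0, /command="[^"]*shmux [^"]*"/)) {
                cmd = substr($0, RSTART, RLENGTH)
                if (match(cmd, /shmux '"'"'[^'"'"']+'"'"'/))
                    name = substr(cmd, RSTART + 7, RLENGTH - 8)
            }
            # the key type is the field directly before the base64 key blob
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com)$/ \
                    && $(i + 1) ~ /^[A-Za-z0-9+\/=]+$/) {
                    keytype = $i; break
                }
            if (name == "") { bad++; print "UNATTRIBUTED " keytype " line " NR }
            else              print "ATTRIBUTED " keytype " " name
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample authorized_keys (placeholder key blobs, not real keys).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# keys for the shared account
command="/usr/bin/shmux 'Sven Schwedas' zsh full ${SSH_ORIGINAL_COMMAND:-}" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA sven@laptop
command="/usr/bin/shmux 'Foobar Foo' tcsh minimal ${SSH_ORIGINAL_COMMAND:-}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF foo@desk
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG stray@nowhere
EOF

if shmux_audit "$sample"; then
    echo "all keys attributed"
else
    echo "unattributed keys found, refusing to package"
fi
rm -f "$sample"
```

Run it against the file in the package source before it is pushed; a non-zero exit status should block the distribution. The sample above reports the third key as unattributed, since it carries no command= option at all.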

The only downside compared to LDAP is that it takes some minutes to distribute the updated authorized_keys file to all hosts, but apart from that it’s been working fine for some months on our servers. One caveat: everyone still shares a single UID, so TRUEUSER is attribution, not isolation; any key in that file gets the whole account, and removing a person means removing their key and redistributing the file.