1

I am using ForceCommand to run the following script when a user connects to the server using ssh:

#!/bin/bash

echo "$USER logged in" > /home/testuser/ssh_info

/bin/bash

Now I am trying to login with ssh testuser:20@<ip> then entering the password for testuser and logging in. The SSH connection is getting established successfully but $USER is testuser and not testuser:20!

How do I get the information that it was testuser:20 and not just testuser? I want to open different shells based on which integer was passed.

I know this is possible because Cisco SSH server has similar feature: Integer after username in OpenSSH client separated by colon

lucifer
  • 113
  • 5
  • This USER:NUMBER@foobar thing is a cisco feature only - you aren't going to have this work on other platforms. If you have a `testuser:20` then that's what you'll get, but if that's not the username they won't be able to connect. – Mr R Mar 15 '21 at 20:28
  • But I am able to connect. The SSH connection gets established for `testuser`. Just that when my script runs, $USER is `testuser` and not `testuser:20` which I need. – lucifer Mar 16 '21 at 04:58
  • Have you actually tried `ssh testuser:20@` for the non-CISCO IP? OR are you going to simulate the CISCO scenario with users testuser:1, testuser:2, etc. who all have same UID, home, but different shell? – Mr R Mar 16 '21 at 05:08
  • I created a normal ubuntu VM with root user and ran ssh server allowing password login. I tried `ssh root:20@IP` `ssh root:10@IP` with the IP of the VM and I was able to succesfully login to the VM. – lucifer Mar 16 '21 at 05:58
  • Also, the script that i wanted to run for every ssh login ran. I got $USER to be `root`. So, somehow either the ssh server is ignoring the :integer part or there is a way to utilize it... – lucifer Mar 16 '21 at 05:59
  • I'm pretty sure it's not going to do what you want (being different users)... I tried and can repeat what you have seen (however what ends up in the logs is that testuser connected not testuser:15).. Historically it makes sense (see this article f https://unix.stackexchange.com/questions/287077/why-cant-linux-usernames-begin-with-numbers) - I imagine the ':' case is allowed for backwards compatibility with Cisco - because try test/20@ .. – Mr R Mar 16 '21 at 06:33
  • hmm. Thanks. I'll try to look at other approaches to achieve this goal. – lucifer Mar 16 '21 at 06:47

2 Answers2

2

If you run ssh testuser:20@<ip>, then the "ssh" program--which I'll assume is the OpenSSH version--will transmit "testuser:20" to the remote SSH server as the login name for the connection.

An SSH server is free to interpret the login name however it wants to. The OpenSSH server logs the full login name received from the client, and then discards a colon and any text following it from the login name:

if ((r = sshpkt_get_cstring(ssh, &user, NULL)) != 0 ||
    (r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 ||
    (r = sshpkt_get_cstring(ssh, &method, NULL)) != 0)
    goto out;
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);

if ((style = strchr(user, ':')) != NULL)   <-- Check for a colon
    *style++ = 0;                          <-- Discard it

So the name including the colon and the following text isn't available during the remainder of the session.

It seems the only way to change this behavior with the OpenSSH server would be to change the source code of the ssh server program and use the altered version. OpenSSH is open source, so that's an option if the feature is important enough to you.

Alternately, you could look at alternative ssh servers--most or all of which will be commercial products--to see if one of them offers this feature.

Kenster
  • 3,025
  • 2
  • 13
  • 19
  • Thanks. This is what I was looking for. I was surprised why the login works but the username is not available. – lucifer Mar 18 '21 at 08:59
  • IMO it's related to SKEY issue on OpenBSD. See how SKEY worked https://www.openbsd.org/faq/faq10.html#SKey. IMO it was solved by a batch diff, which removed ':' from OpenSSH as a solution to remove SKEY support. This way OpenSSH changes login username. Maybe worth to report to the project? – Jiri B Mar 18 '21 at 12:23
0

Such username is generally not supported on usual Linux distros, see https://unix.stackexchange.com/a/157431/330987

Jiri B
  • 511
  • 1
  • 7
  • 16