How can I, in my sshd_config, force a user to become another user after they authenticate as themselves?
For example consider two users:
reader
admin
And also two groups:
reader-access
admin-access
Now four public facing users; Alice, Bob, Dale, and Sarah. Each have their own distinct public key or password.
I want Alice and Bob to have the same permissions as admin.
I want Dale and Sarah to have the same permissions as reader.
I also want to expand this configuration to any number of users without changing my sshd config again.
Here is what I want:
All of the public facing users have no actual permissions on their own but if they authenticate over ssh, they are logged in as either reader or admin.
Also, reader is setup in sshd to be forced into sftp. So in effect, Dale and Sarah should authenticate as themselves but be dropped into a sftp session as reader. Dale and Sarah shouldn’t be able to enter ssh.
- Alice and Bob are in the admin-access group.
- Dale and Sarah are in the reader-access group.
How do I do this with groups?
Flow:
Alice or Bob login via ssh -> sshd converts them to the admin user -> sshd applies rules to the admin user -> Alice or Bob is now dropped into admin shell
Dale or Sarah login via sftp -> sshd converts them to reader user -> sshd applies rules to the reader user -> Dale or Sarah is now dropped into the sftp shell for reader
Dale or Sarah login via ssh -> sshd converts them to reader user -> sshd applies rules to the reader user -> sshd rejects their login because they must be connecting over an sftp client
To clarify:
I want to be able to enforce sshd restrictions of reader onto Dale and Sarah (such as forcing sftp or forced chroot, neither of which could be done as far as I can tell using, say, ForceCommand su reader)