I have a remote CentOS server, let's pretend it's called hostname.com

hostname.com has several user accounts, and I want to ssh into this server as any one of these users (using ssh keys rather than password).

It seems everyone recommends just changing my local ssh config, adding an alias for the server for each remote user, and then providing a different IdentityFile for each alias.

So then I have to `ssh bob@aliased_hostname1` and `ssh alice@aliased_hostname2`

Are there any other solutions? I'd rather not be ssh'ing into aliased hostnames.

Ideally I want to just `ssh bob@hostname.com` or `ssh alice@hostname.com` and automatically choose the correct ssh keyfile, based on the remote username I'm trying to log in as.

carpii
  • How did you end up with several different ssh keys? Fix that problem. – Michael Hampton Aug 08 '20 at 23:44
  • Is it a 'problem' though? Why is it a bad idea to want different ssh keys for different remote users? – carpii Aug 09 '20 at 00:05
  • The facility that ssh-client provides is hostname aliases, and for some inexplicable reason that's exactly the thing you're not willing to do. I suppose you can make a shell alias too: `alias ssh1='ssh bob@hostname.com -i /path/to/identity.key'` – Wesley Aug 09 '20 at 00:08
  • The ssh key is meant to identify _you_ to the remote system, so you generally only need one. – Michael Hampton Aug 09 '20 at 00:11
  • Well I'm an idiot. Something about this scenario wouldn't let my mind have peace this evening. I've been around SSH long enough to know that there are exceedingly few edge cases that it hasn't been developed to handle, so I hunted around in the man pages and grabbed on to a few honed Google searches and I proved myself wrong. Answer below. – Wesley Aug 09 '20 at 05:04
  • While Wesley came up with a great answer, I'm curious why you don't like host aliases. (By the way you don't need the `@hostname.com` part; you can just have alice and bob, or call it `aliceh` and `bobh` or whatever). I ask because I've been using host aliases forever, and am curious if there is something wrong about it that I missed. –  Aug 09 '20 at 13:40
  • @sitaram - it's not that there's anything wrong with it from a technical viewpoint, but with quite a lot of servers (each having 2 or 3 relevant user accounts), I was finding it difficult to manage all the aliases, and remember what they actually are each time. This Match solution is great because it's entirely transparent and I can continue to ssh into each server's exact hostname – carpii Aug 09 '20 at 18:13
  • @carpii -- I get it; I was not thinking in terms of scale. Thanks for the explanation. –  Aug 10 '20 at 06:52

1 Answer

Check out the `Match` keyword in your SSH config on the client machine. Specifically, the `user` and `host` criteria. The `ssh_config(5)` man page states (emphasis mine):

Match conditions are specified using one or more criteria or the single token all which always matches.

So in your case you'd be looking at something like:

```
Match user bob host "hostname.com"
  IdentityFile /path/to/bob.key

Match user alice host "hostname.com"
  IdentityFile /path/to/alice.key
```

There's one SuperUser and one Unix & Linux Q/A that helped tie it all together, so you should probably go upvote those participants as well.

Wesley
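One way to confirm which key the `Match` blocks above select, without connecting to the server (an added example, not part of the original answer). The host and key paths are the answer's placeholders, `carol` is a constructed user with no `Match` block, and `IdentitiesOnly yes` is an addition so that only the listed key is offered when an agent holds several; `ssh -G` needs OpenSSH 6.8 or later.

```shell
#!/bin/sh
# Added example. hostname.com and the key paths are the answer's placeholders;
# carol is a constructed user that no Match block covers.

# Write a throwaway client config containing the per-user Match blocks.
write_demo_config() {
    cat > "$1" <<'EOF'
# Addition to the answer's config: IdentitiesOnly makes ssh offer only the
# configured IdentityFile, even when ssh-agent holds other keys.
Match user bob host "hostname.com"
  IdentityFile /path/to/bob.key
  IdentitiesOnly yes

Match user alice host "hostname.com"
  IdentityFile /path/to/alice.key
  IdentitiesOnly yes
EOF
}

# Print the value ssh resolves for option $3 (lower-case name) when the
# target is $2 and the config file is $1. `ssh -G` evaluates Host and Match
# blocks, prints the effective options and exits without connecting;
# `-F` keeps ~/.ssh/config and /etc/ssh/ssh_config out of the result.
resolved_option() {
    ssh -G -F "$1" "$2" | awk -v key="$3" '$1 == key { print $2 }'
}

# Stand-alone run: show the key(s) chosen for each target.
# carol falls through to ssh's default identity files.
if command -v ssh >/dev/null 2>&1; then
    cfg=$(mktemp)
    write_demo_config "$cfg"
    for target in bob@hostname.com alice@hostname.com carol@hostname.com; do
        printf '%-22s %s\n' "$target" \
            "$(resolved_option "$cfg" "$target" identityfile | tr '\n' ' ')"
    done
    rm -f "$cfg"
fi
```

Running the same `ssh -G user@host` check against your real `~/.ssh/config` (drop `-F`) shows whether an earlier `Host` block already set `IdentityFile`, since ssh keeps every `IdentityFile` it encounters and tries them in order.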