SSH with Personal Environment

A colleague, Eric Grehm, raised an interesting challenge:

How to maintain his personal work environment (VIM settings, .bashrc ...) on all servers?

The first thought was putting this somehow into our software distribution, but we quickly realized that this would trigger needless updates on hundreds of servers. The benefit would be that the personal work environment is already on every server upon first access.

The next idea is to switch from a pre-installed personal environment to an on-demand solution where the personal environment is transferred each time a remote connection (over SSH) is established.

A simple implementation would just do an scp before the ssh, but that entails two connections, which takes more time and might also bother the user with a double password request.

Side-channel data transfer

An alternative is to piggyback the file transfer onto the regular SSH connection so that the personal environment is transferred in a side channel:
  1. On the client create a directory with the files of the personal environment that need to be distributed:
    $ tree -a personal_environment
    ├── .bashrc
    └── .vimrc
  2. On the client, create a TAR.GZ archive of the files that need to be transferred and store this archive base64-encoded in an environment variable (it can hold up to about 127 kB):
    $ export USERHOME_DATA=$(tar -C ~/personal_environment -cz .| base64)

    I put this into a function in my .bash_profile to load on each login.
  3. Configure the SSH client to transmit this environment variable (SendEnv):
    $ cat .ssh/config
    Host dev*
            SendEnv USERHOME_DATA
  4. Configure the SSH server to accept this environment variable (AcceptEnv):
    $ sudo grep USERHOME /etc/ssh/sshd_config
  5. Create an sshrc script on the server that unpacks the archive from the environment variable upon login:

    (Only the last part is relevant to this topic, but if an sshrc script is provided it must also take care of xauth).
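
The script for step 5 is not shown above. As an added example (not the author's script), here is one way to write the unpack part as a POSIX shell function for the sshrc, with checks that keep extraction inside the target directory. The function name `unpack_userhome_data`, the size cap value and the member checks are assumptions of this example, and the xauth handling mentioned in the note is not included.

```shell
# Added example: unpack step for /etc/ssh/sshrc (sshd runs it with /bin/sh as the
# logging-in user). Function name, size cap and member checks are assumptions.
# Call it from sshrc as:  unpack_userhome_data "$HOME"
USERHOME_MAX_BYTES=130048   # 127 KiB, roughly the limit the post quotes

unpack_userhome_data() (
    dest=$1
    # Client sent nothing (no SendEnv for this host): not an error.
    [ -n "${USERHOME_DATA:-}" ] || exit 0
    [ -d "$dest" ] || exit 1
    # Refuse oversized input before spending any work on it.
    [ "${#USERHOME_DATA}" -le "$USERHOME_MAX_BYTES" ] || exit 1

    umask 077
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT

    # Decode into a private temp file; malformed base64 fails here.
    printf '%s' "$USERHOME_DATA" | base64 -d > "$tmp" 2>/dev/null || exit 1

    # Inspect before extracting: no absolute paths, no ".." components.
    names=$(tar -tzf "$tmp" 2>/dev/null) || exit 1
    printf '%s\n' "$names" | grep -Eq '^/|(^|/)\.\.(/|$)' && exit 1

    # Only regular files and directories; symlinks, hard links and devices
    # could redirect later writes outside "$dest".
    tar -tvzf "$tmp" 2>/dev/null | grep -qv '^[-d]' && exit 1

    # -o: do not restore ownership from the archive (relevant for root logins).
    tar -xzo -f "$tmp" -C "$dest" 2>/dev/null || exit 1
)
```
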


This approach has several benefits:
  • True on-demand solution: the personal environment is updated on each connection.
  • No extra connection is required to transfer data.
  • sshrc is executed before the login shell, so .bashrc can be transferred as well.
  • Scales well with an arbitrary number of users.
  • Scales well with a high number of changes to the personal work environment.

The disadvantages are that the SSH configuration must be extended and that the amount of transferable data is limited to 127 kB compressed & encoded, which I actually see as a benefit because it prevents abuse.

For me the benefits by far outweigh the problems and I don't need to transfer so many files. This solution fulfills all my needs without putting an extra load on the servers or on our deployment infrastructure.

