Support PermitUserRC #1182

Open
russjones opened this issue Aug 3, 2017 · 1 comment
Labels
c-ju Internal Customer Reference feature-request Used for new features in Teleport, improvements to current should be #enhancements OpenSSH For customers using Teleport and OpenSSH server-access

Comments

@russjones (Contributor)

Problem

In some situations it's beneficial to run commands before starting the user's shell or running a command. A common use of this is customizing the creation of a user session. Another example is creating and populating a user's home directory if it does not exist (in this situation an external identity provider would be used to authenticate).

At the moment Teleport only supports reading custom environment variables (#1020), not reading an RC file. This makes using an external identity provider difficult in the above-mentioned situations.

Proposed Solution

OpenSSH supports executing commands before starting a user's shell, from man sshd:

SSHRC
     If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment
     files but before starting the user's shell or command.  It must not
     produce any output on stdout; stderr must be used instead.  If X11
     forwarding is in use, it will receive the "proto cookie" pair in its
     standard input (and DISPLAY in its environment).  The script must call
     xauth(1) because sshd will not run xauth automatically to add X11 cookies.

     The primary purpose of this file is to run any initialization routines
     which may be needed before the user's home directory becomes accessible;
     AFS is a particular example of such an environment.

     This file will probably contain some initialization code followed by
     something similar to:

        if read proto cookie && [ -n "$DISPLAY" ]; then
                if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
                        # X11UseLocalhost=yes
                        echo add unix:`echo $DISPLAY |
                            cut -c11-` $proto $cookie
                else
                        # X11UseLocalhost=no
                        echo add $DISPLAY $proto $cookie
                fi | xauth -q -
        fi

     If this file does not exist, /etc/ssh/sshrc is run, and if that does not
     exist either, xauth is used to add the cookie.

This file is run after reading in the user's environment as in #1020; the full OpenSSH login process from man sshd:

LOGIN PROCESS
     When a user successfully logs in, sshd does the following:

           1.   If the login is on a tty, and no command has been specified,
                prints last login time and /etc/motd (unless prevented in the
                configuration file or by ~/.hushlogin; see the FILES section).

           2.   If the login is on a tty, records login time.

           3.   Checks /etc/nologin; if it exists, prints contents and quits
                (unless root).

           4.   Changes to run with normal user privileges.

           5.   Sets up basic environment.

           6.   Reads the file ~/.ssh/environment, if it exists, and users are
                allowed to change their environment.  See the
                PermitUserEnvironment option in sshd_config(5).

           7.   Changes to user's home directory.

           8.   If ~/.ssh/rc exists and the sshd_config(5) PermitUserRC option
                is set, runs it; else if /etc/ssh/sshrc exists, runs it;
                otherwise runs xauth.  The "rc" files are given the X11
                authentication protocol and cookie in standard input.  See
                SSHRC, below.

           9.   Runs user's shell or command.  All commands are run under the
                user's login shell as specified in the system password
                database.

We should add a --permit-user-rc flag to Teleport and if set then read in and execute ~/.ssh/rc or /etc/ssh/sshrc like OpenSSH does.
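
The lookup-and-run logic such a flag needs, as an added example written for this page and not Teleport's or OpenSSH's own code. It follows step 8 of the man page quoted above: ~/.ssh/rc only when the flag is on, otherwise /etc/ssh/sshrc, otherwise nothing (the xauth fallback is left out); the file is run by sh(1), receives the "proto cookie" pair on stdin, and has its stdout merged into stderr so a misbehaving script cannot corrupt the session's stdout. All type, function and field names (RCConfig, ResolveRC, RunRC, the SystemRC override used so the lookup can be exercised against a temp dir) are invented for the example:

```go
// Added example, not Teleport's code: resolve and run an OpenSSH-style rc
// hook. The only OpenSSH facts used are the file names, the lookup order,
// that sh(1) runs the file, and that it gets "proto cookie" on stdin and
// must write only to stderr. Everything else here is an assumption.
package main

import (
	"bytes"
	"context"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

// RCConfig is what a --permit-user-rc flag would populate. SystemRC is a
// field only so the lookup can be pointed at a temp dir; sshd hardcodes
// /etc/ssh/sshrc.
type RCConfig struct {
	PermitUserRC bool
	SystemRC     string
	Timeout      time.Duration // bound a hung rc so it cannot stall session start
}

// ResolveRC picks the script to run for the user's home directory, or
// returns false if neither file exists. Only regular files are accepted.
func ResolveRC(cfg RCConfig, home string) (string, bool) {
	if cfg.PermitUserRC {
		userRC := filepath.Join(home, ".ssh", "rc")
		if fi, err := os.Stat(userRC); err == nil && fi.Mode().IsRegular() {
			return userRC, true
		}
	}
	if fi, err := os.Stat(cfg.SystemRC); err == nil && fi.Mode().IsRegular() {
		return cfg.SystemRC, true
	}
	return "", false
}

// RunRC runs the resolved script with /bin/sh (so the file need not be
// executable, as with sshd), from the user's home directory, with the
// already-prepared session environment, and feeds x11Auth ("proto cookie\n",
// or "" when X11 forwarding is off) on stdin. It must be called after the
// process has dropped to the user's privileges (man sshd step 4): the script
// is user-controlled and runs as that user. Everything the script writes,
// including stray stdout, lands in one buffer the caller should attach to
// the session's stderr, never its stdout.
func RunRC(ctx context.Context, cfg RCConfig, home string, env []string, x11Auth string) ([]byte, error) {
	script, ok := ResolveRC(cfg, home)
	if !ok {
		return nil, nil // nothing to run; sshd would fall through to xauth here
	}
	if cfg.Timeout > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, cfg.Timeout)
		defer cancel()
	}
	cmd := exec.CommandContext(ctx, "/bin/sh", script)
	cmd.Dir = home
	cmd.Env = env
	cmd.Stdin = strings.NewReader(x11Auth)
	var errOut bytes.Buffer
	cmd.Stdout = &errOut // stdout must not reach the client; merge it into stderr
	cmd.Stderr = &errOut
	if err := cmd.Run(); err != nil {
		return errOut.Bytes(), fmt.Errorf("running %s: %w", script, err)
	}
	return errOut.Bytes(), nil
}

func main() {
	// Stand-alone demo against the real home directory, user rc permitted.
	home, _ := os.UserHomeDir()
	cfg := RCConfig{PermitUserRC: true, SystemRC: "/etc/ssh/sshrc", Timeout: 10 * time.Second}
	out, err := RunRC(context.Background(), cfg, home, os.Environ(), "")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
	os.Stderr.Write(out)
}
```

Two points worth settling in a real implementation: the hook runs ahead of whatever shell or command the session was going to start, which is why OpenSSH pairs PermitUserRC with the `no-user-rc` and `restrict` authorized_keys options and skips ~/.ssh/rc for subsystem requests such as sftp; and the merged stdout/stderr buffer above is a defensive choice, since the man page only asks the script to behave, it does not enforce it.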

@russjones russjones added feature-request Used for new features in Teleport, improvements to current should be #enhancements interoperability labels Aug 3, 2017
@russjones russjones added this to the 2.4 milestone Aug 3, 2017
@kontsevoy kontsevoy removed this from the 2.4 milestone Sep 18, 2017
@benarent benarent added the OpenSSH For customers using Teleport and OpenSSH label May 21, 2020
@Joerger Joerger added c-ju Internal Customer Reference and removed c-ju Internal Customer Reference labels Feb 26, 2022
@klizhentas (Contributor)

Sounds reasonable, please proceed with the implementation.

7 participants