unique stamp per SSH login

Best choice:

  1. Set PermitRootLogin no in /etc/ssh/sshd_config (on modern systems, this is the default setting value)
  2. Create a personal account for each employer
  3. Configure sudo to allow employers to run the needed commands with elevated privileges.

UPD: If you need to manage user accounts on multiple computers in an enterprise, then you should look at identity management solutions.


First of all, I agree with Slipeer that individual accounts really are the preferred solution. Yet we do live in an imperfect world, and sometimes one is not in a position to implement the Right solution right away.

The most reliable option to identify different people using the same account is to look at the ssh key used to log in. If you are using a recent enough OpenSSH, that information will be provided by the default INFO LogLevel.

sshd[2425]: Accepted publickey for vagrant from 10.0.2.2 port 54576 ssh2: RSA SHA256:5cH1LgeZ+m/OuxpPeFc9bIql3pMaQl/mtym0mGmecNc

In the case of an older OpenSSH, that information is only available by way of the VERBOSE LogLevel.

sshd[2023]: Found matching RSA key: 3b:7f:2d:8f:3a:82:ae:69:02:4f:00:2c:71:5e:e0:6a
sshd[2023]: Accepted publickey for vagrant from 10.0.2.2 port 36164 ssh2

And yes, having a record of the ssh key used for login is also a good thing when it comes to individual accounts.
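Added example, not part of the original answers: one way to turn the two log formats quoted above into a per-person record, by computing the fingerprints of every key in the shared account's authorized_keys and looking up the fingerprint sshd logged. It assumes the comment field of each authorized_keys entry names the key's owner; the function names, key blobs, owner labels and the third login are constructed for illustration.

```python
import base64, hashlib, re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def fingerprints(blob_b64):
    """Return (SHA256, MD5) fingerprints of a key blob as sshd logs them."""
    blob = base64.b64decode(blob_b64)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def load_keys(authorized_keys_text):
    """Map fingerprint -> key comment (assumed to name the owner); options may precede the type."""
    owners = {}
    for line in authorized_keys_text.splitlines():
        fields = [] if line.lstrip().startswith("#") else line.split()
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is not None and idx + 1 < len(fields):
            label = " ".join(fields[idx + 2:]) or "(no comment)"
            owners.update(dict.fromkeys(fingerprints(fields[idx + 1]), label))
    return owners

ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) from (\S+) "
                    r"port \d+ ssh2(?:: \S+ (\S+))?")
FOUND = re.compile(r"sshd\[(\d+)\]: Found matching \S+ key: (\S+)")

def attribute_logins(log_lines, owners):
    """Return (account, source, key owner) for each accepted public-key login."""
    pending, logins = {}, []  # pending: sshd pid -> fingerprint (older VERBOSE format)
    for line in log_lines:
        if m := FOUND.search(line):
            pending[m.group(1)] = m.group(2)
        elif m := ACCEPT.search(line):
            pid, account, source, fp = m.groups()
            fp = fp or pending.pop(pid, None)
            logins.append((account, source, owners.get(fp, "UNKNOWN KEY")))
    return logins

# Constructed sample data: placeholder bytes stand in for real key blobs.
KEY_A = base64.b64encode(b"constructed key material A").decode()
KEY_B = base64.b64encode(b"constructed key material B").decode()
SAMPLE_KEYS = f'ssh-rsa {KEY_A} alice@laptop\nfrom="10.0.2.0/24" ssh-rsa {KEY_B} bob@desktop\n'
SAMPLE_LOG = [
    f"sshd[2425]: Accepted publickey for vagrant from 10.0.2.2 port 54576 ssh2: RSA {fingerprints(KEY_A)[0]}",
    f"sshd[2023]: Found matching RSA key: {fingerprints(KEY_B)[1]}",
    "sshd[2023]: Accepted publickey for vagrant from 10.0.2.2 port 36164 ssh2",
    "sshd[2500]: Accepted publickey for vagrant from 10.0.2.9 port 40000 ssh2: RSA SHA256:notInAuthorizedKeys",
]
print(attribute_logins(SAMPLE_LOG, load_keys(SAMPLE_KEYS)))
```

A login whose fingerprint matches no authorized_keys entry comes back as UNKNOWN KEY, which is worth alerting on for a shared account.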
