Update lock script, add unlock script, minor updates in other scripts

Make sure that lock script rejects core users
(root/ec2-user/admin/ubuntu)

Unlock script works in reverse with also optional check in user_list.txt
for ssh allow/forward group type

Internal:
rename all $user to $username
This commit is contained in:
Clemens Schwaighofer
2022-12-02 09:23:35 +09:00
parent ebddac7f67
commit 1f4e295e9f
5 changed files with 221 additions and 56 deletions


@@ -199,6 +199,31 @@ The public key part can be extracted from the SSH PEM key with
*[PEM]* is the placeholder for the filename
## Lock and unlock uses
If a user should be stopped from logging in via ssh the user needs to be removed from the sshallow or sshforward groups. Note that the sshforward group only exists on jump hosts and can normally be ignored.
Default 100% ignored users are 'root', 'ec2-user', 'admin', 'ubuntu'
### Lock users
`bin/lock_users.sh -t <user 1> <user 2> ...`
The `-t` flag is for test run.
If the user is not in the sshallow or sshreject group the change will be skipped.
Locked users will be moved to the sshreject group
### Unlock users
If a user exists in the sshreject group the user can be unlocked
`bin/unlock_uses.sh -t -s <allow|forward> <user 1> <user 2> ...`
Like the lock user script it will only work on users in the sshreject group. But here the target allow / forward group must be selected.
If not set it defaults to allow, if a user_list.txt file with this user exist it will try to extract this data if the `-s` option is not set
## Last login check scripts
There are two scripts that can be user to check if and when the user has logged in the last time.
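Review bot: the lock section contradicts the paragraph above it on which groups a lockable user must belong to, and the unlock command line names a script that does not match its heading. "If the user is not in the sshallow or sshreject group the change will be skipped" sits directly under the statement that locking means removal from the sshallow or sshforward groups, and the next line moves locked users into sshreject, so a user already in sshreject would not be a lock target; this should read "sshallow or sshforward". The usage line "bin/unlock_uses.sh -t -s <allow|forward> <user 1> <user 2> ..." looks like a typo of the unlock_users script referred to by the heading and the commit message; please confirm the real filename. Two smaller points in the same hunk: "Default 100% ignored users are ..." would be clearer as "The users root, ec2-user, admin and ubuntu are always skipped by both scripts", and the sentence starting "If not set it defaults to allow, if a user_list.txt file ..." should be split into two sentences and state explicitly that the -s option overrides the user_list.txt lookup rather than the other way round.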