ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update lock script, add unlock script, minor updates in other scripts

Browse Source 
Make sure that lock script reejcts core users
(root/ec2-user/admin/ubuntu)

Unlock script works reverse with also optional check in user_list.txt
for ssh allow/foward group type

Internal:
rename all $user to $username
This commit is contained in:
Clemens Schwaighofer
2022-12-02 09:23:35 +09:00
parent ebddac7f67
commit 1f4e295e9f
5 changed files with 221 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
bin/check_last_login.sh
View File

@@ -5,6 +5,7 @@
# base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
input_file='user_list.txt';
# which groups holds the ssh allowed login users (outside of admin users)
ssh_groups=('sshforward' 'sshallow');
ssh_reject_group='sshreject';
@@ -41,21 +42,26 @@ echo "Max age no login : ${max_age_create} days";
for ssh_group in ${ssh_groups[@]}; do
echo "--------------------->"
echo "Checking Group : ${ssh_group}";
for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
for username in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
# check that user exists in passwd
if ! id "${username}" &>/dev/null; then
echo "[!] User $username does not exists in /etc/passwd file";
continue;
fi;
account_age=0;
delete_user=0;
out_string="";
#echo "* Checking user ${user}";
#echo "* Checking user ${username}";
# check user create time, if we have set it in comment
user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
user_create_date=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 5);
# if empty try last password set time
if [ -z "${user_create_date}" ]; then
# user L 11/09/2020 0 99999 7 -1
user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
user_create_date=$(passwd -S ${username} | cut -d " " -f 3);
fi;
# last try is user home .bash_logout
if [ -z "${user_create_date}" ]; then
home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
home_dir=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_logout";
user_create_date=$(stat -c %Z "${home_dir}");
fi;
@@ -63,15 +69,15 @@ echo "Checking Group : ${ssh_group}";
# users. Use the collect script from systemd-logind or /var/log/secure
# Username Port From Latest
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
last_login_string=$(lastlog -u ${user} | sed 1d);
last_login_string=$(lastlog -u ${username} | sed 1d);
search="Never logged in";
found="";
# problem with running rep check in if
if [ -f "${AUTH_LOG}" ]; then
found=$(grep "${user};" "${AUTH_LOG}");
found=$(grep "${username};" "${AUTH_LOG}");
fi;
if [ ! -z "${found}" ]; then
last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
last_login_date=$(grep "${username};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ ${last_login} -gt ${max_age_login} ]; then
out_string="[!] last ssh log in ${last_login} days ago";
@@ -109,15 +115,15 @@ echo "Checking Group : ${ssh_group}";
fi;
# build delete output
if [ ${delete_user} = 1 ]; then
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_group}" "${username}" "${ssh_reject_group}")$'\n';
fi;
printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
printf "* Checking user %-20s: %s\n" "${username}" "${out_string}";
done;
done;
echo "--------------------->"
echo "Showing current SSH Reject users:"
for user in $(cat /etc/group|grep "${ssh_reject_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
echo "${user}";
echo "${username}";
done;
if [ ! -z "${delete_accounts}" ]; then
echo "--------------------->"

57
bin/create_user.sh
View File

@@ -43,7 +43,9 @@ timestamp=$(date +%Y%m%d-%H%M%S)
# character to set getween info blocks
separator="#";
# base folder for all data
root_folder=$(pwd)'/';
# root_folder=$(pwd)'/';
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
root_folder="${BASE_FOLDER}";
input_file='user_list.txt';
output_file="user_password.${timestamp}.txt";
output_zip_folder='zip/';
@@ -108,7 +110,7 @@ while read i; do
continue;
fi;
# make lower case, remove spaces
user=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
username=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
group=$(echo "${_group}" | cut -d "," -f 1);
sub_group="";
@@ -119,7 +121,7 @@ while read i; do
ssh_access_type="allow";
fi;
if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then
echo "[!!!] sshforward group does not exsts, cannot set user ${user}";
echo "[!!!] sshforward group does not exsts, cannot set user ${username}";
break;
fi;
ssh_group="ssh${ssh_access_type}";
@@ -145,13 +147,13 @@ while read i; do
#echo "[!!] BACKWARDS COMPATIBLE RSA TYPE SELECTION [!!]";
fi;
# user & group not set
if [ -z "${user}" ] || [ -z "${_group}" ]; then
echo "[!!!!!] Missing user or group entry for ${user}/${_group}";
if [ -z "${username}" ] || [ -z "${_group}" ]; then
echo "[!!!!!] Missing user or group entry for ${username}/${_group}";
echo "[*** ABORT RUN ***]"
break;
fi;
# SSH file name part without folder
ssh_keygen_id="${hostname}${separator}${group}${separator}${user}${separator}${ssh_keytype}.pem";
ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem";
# the full file including folder name
ssh_keyfile="${root_folder}${ssh_keygen_folder}${ssh_keygen_id}";
# publ file if new
@@ -161,8 +163,8 @@ while read i; do
if [ ${INFO} -eq 1 ]; then
# test if pub file exists or not, test if user exists
echo -n "User: '${user}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
if getent passwd ${user} > /dev/null 2>&1; then
echo -n "User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
if getent passwd ${username} > /dev/null 2>&1; then
echo -n ", User exists";
fi;
if [ -f "${ssh_keyfile_check_pub}" ]; then
@@ -182,15 +184,16 @@ while read i; do
fi;
done;
# check if user is not already created
if getent passwd ${user} > /dev/null 2>&1; then
echo "-- Skip '${user}:${group}(${sub_group})'";
# if getent passwd ${username} > /dev/null 2>&1; then
if id "${username}" &>/dev/null; then
echo "-- Skip '${username}:${group}(${sub_group})'";
else
echo "++ Create '${user}:${group}(${sub_group})'";
echo "++ Create '${username}:${group}(${sub_group})'";
if [ ${TEST} -eq 0 ]; then
# comment is user create time
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${username};
else
echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";
echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${username}";
fi;
fi;
skip_ssh=0;
@@ -210,13 +213,13 @@ while read i; do
ssh-keygen \
-t ${ssh_keytype} \
-f "${ssh_keyfile}" \
-C "${hostname}: ${user}@${group}" \
-C "${hostname}: ${username}@${group}" \
-a 100 -N "${password}"
else
echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${user}@${group} -a 100 -N ${password}";
echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
fi;
else
found=$(grep "$(cat ${ssh_keyfile_check_pub})" /home/${user}/.ssh/authorized_keys);
found=$(grep "$(cat ${ssh_keyfile_check_pub})" /home/${username}/.ssh/authorized_keys);
if [ ! -z "${found}" ]; then
skip_ssh=1;
# override previously set with stored one
@@ -235,29 +238,29 @@ while read i; do
else
create_output_file="${root_folder}${output_file}.TEST";
fi;
echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password}";"${ssh_allow_type} >> ${create_output_file};
echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
# create the SSH foler and authorized access file with correct permissions
echo " > Create .ssh folder";
if [ ${TEST} -eq 0 ]; then
mkdir /home/${user}/.ssh/;
mkdir /home/${username}/.ssh/;
else
echo "$> mkdir /home/${user}/.ssh/";
echo "$> mkdir /home/${username}/.ssh/";
fi;
echo " > Add public into authorized_keys";
if [ ${TEST} -eq 0 ]; then
cat "${ssh_keyfile_pub}" > /home/${user}/.ssh/authorized_keys;
cat "${ssh_keyfile_pub}" > /home/${username}/.ssh/authorized_keys;
else
echo "$> cat ${ssh_keyfile_pub} > /home/${user}/.ssh/authorized_keys";
echo "$> cat ${ssh_keyfile_pub} > /home/${username}/.ssh/authorized_keys";
fi;
echo " > Secure folder .ssh and authorized_keys file";
if [ ${TEST} -eq 0 ]; then
chown -R ${user}:${group} /home/${user}/.ssh/;
chmod 700 /home/${user}/.ssh/;
chmod 600 /home/${user}/.ssh/authorized_keys;
chown -R ${username}:${group} /home/${username}/.ssh/;
chmod 700 /home/${username}/.ssh/;
chmod 600 /home/${username}/.ssh/authorized_keys;
else
echo "$> chown -R ${user}:${group} /home/${user}/.ssh/";
echo "$> chmod 700 /home/${user}/.ssh/";
echo "$> chmod 600 /home/${user}/.ssh/authorized_keys";
echo "$> chown -R ${username}:${group} /home/${username}/.ssh/";
echo "$> chmod 700 /home/${username}/.ssh/";
echo "$> chmod 600 /home/${username}/.ssh/authorized_keys";
fi;
fi;
done;

54
bin/lock_user.sh
View File

@@ -2,26 +2,36 @@
# disable a user by removing them from the sshallow/sshforward group
# and move them to the sshreject group
# Note that call is ./lock_user.sh -t <user 1> <user 2> ...
# if the -t is not in the first position it will be ignored
# SET TO 1 to TEST [will not move user in groups]
TEST=0; # no creation except ssh keys
INFO=0; # no creation of anything, just print info strings
while getopts ":ti" opt; do
TEST=0; # no delete, just print
while getopts ":t" opt; do
case "${opt}" in
t|test)
TEST=1;
;;
i|info)
INFO=1;
;;
esac;
done;
shift "$((OPTIND-1))"
if [ $(whoami) != "root" ]; then
if [ ${TEST} -eq 0 ]; then
echo "Script must be run as root user";
exit;
else
echo "!!!! Script must be run as root user !!!!";
fi;
fi;
if [ $# -eq 0 ]; then
echo "Must give at least one user name";
exit;
fi;
# ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# ssh reject group
ssh_reject_group="sshreject";
if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
@@ -30,20 +40,29 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
fi;
ssh_allow_group="sshallow";
ssh_forward_group="sshfoward";
delete_accounts="";
user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
echo "--------------------->"
# $1 ... $n
for username in "$@"; do
# skip if there is an option hidden
if [[ ${_arg:0:1} = "-" ]]; then
continue;
fi;
# skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
echo "[!] User $username is in the ignore user list";
continue;
fi;
# check that user exists in passwd
if [ -z $(cat /etc/passwd | grep "${username}:") ]; then
if ! id "${username}" &>/dev/null; then
echo "[!] User $username does not exists in /etc/passwd file";
continue;
fi;
# if not check if in reject list
if id -nGz "${username}" | grep -qzxF "${ssh_reject}"; then
echo "[.] User $username already in the ${ssh_reject} list";
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
echo "[.] User $username already in the ${ssh_reject_group} list";
continue;
fi;
# check if user is in sshallow/forward list
@@ -62,17 +81,16 @@ for username in "$@"; do
if [ ! -z "${ssh_remove_group}" ]; then
# remove user from ssh group and add to reject groups
echo "[*] User $username will be removed from ${ssh_remove_group}";
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}")$'\n';
if [ ${TEST} -eq 1 ]; then
printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
else
gpasswd -d "${username}" "${ssh_remove_group}";
gpasswd -a "${username}" "${ssh_reject_group}";
fi;
else
# skip not ssh user
echo "[?] User $username not in any ssh allow/foward groups";
fi;
done;
if [ ! -z "${delete_accounts}" ]; then
echo "--------------------->"
echo "% Run list below to move users to reject ssh group";
echo "";
echo "${delete_accounts}";
fi;
# __END__

113
bin/unlock_user.sh Executable file
View File

@@ -0,0 +1,113 @@
#!/usr/bin/env bash
# disable a user by removing them from the sshallow/sshforward group
# and move them to the sshreject group
# Note that call is ./lock_user.sh -t <user 1> <user 2> ...
# if the -t is not in the first position it will be ignored
# SET TO 1 to TEST [will not move user in groups]
TEST=0; # no delete, just print
SSH_GROUP_ADD='';
while getopts ":ts:" opt; do
case "${opt}" in
t|test)
TEST=1;
;;
s|sshgroup)
if [ -z "${SSH_GROUP_ADD}" ]; then
SSH_GROUP_ADD=${OPTARG};
fi;
;;
esac;
done;
shift "$((OPTIND-1))"
if [ $(whoami) != "root" ]; then
if [ ${TEST} -eq 0 ]; then
echo "Script must be run as root user";
exit;
else
echo "!!!! Script must be run as root user !!!!";
fi;
fi;
if [ $# -eq 0 ]; then
echo "Must give at least one user name";
exit;
fi;
if [ ! -z "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
echo "sshgroup option can only be 'allow' or 'forward'";
exit;
fi;
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
# ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# ssh reject group
ssh_reject_group="sshreject";
if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
echo "Missing ssh reject group: ${ssh_reject_group}";
exit;
fi;
ssh_allow_group="sshallow";
ssh_forward_group="sshfoward";
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
echo "--------------------->"
# $1 ... $n
for username in "$@"; do
# skip if there is an option hidden
if [[ ${_arg:0:1} = "-" ]]; then
continue;
fi;
# skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
echo "[!] User $username is in the ignore user list";
continue;
fi;
# check that user exists in passwd
if ! id "${username}" &>/dev/null; then
echo "[!] User $username does not exists in /etc/passwd file";
continue;
fi;
# check if already in OK groups
if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
echo "[.] User $username already in the ${ssh_allow_group} list";
continue;
fi;
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
echo "[.] User $username already in the ${ssh_forward_group} list";
continue;
fi;
# try to find user in user_list.txt and get the allow/forward flag from there,
# else try to set from option
# if not valid use allow
ssh_add_group="${SSH_GROUP_ADD}";
if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${BASE_FOLDER}${input_file}" ]; then
ssh_add_group=$(grep "${username}" "${BASE_FOLDER}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
fi;
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
ssh_add_group="allow";
fi;
ssh_add_group="ssh${ssh_add_group}";
# check if user is in reject group remove
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
# remove user from ssh group and add to reject groups
echo "[*] User $username will be added to ${ssh_add_group}";
if [ ${TEST} -eq 1 ]; then
printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
else
#gpasswd -d "${username}" "${ssh_reject_group}";
#gpasswd -a "${username}" "${ssh_add_group}";
echo "NOOP";
fi;
else
# skip not ssh user
echo "[?] User $username not in the ssh reject group";
fi;
done;
# __END__